Brocade Communications Systems Brocade 8/12c Command Reference Manual page 476

Brocade Fabric OS Command Reference Manual, supporting Fabric OS v6.4.0 (53-1001764-01, March 2010)
2
ipSecConfig

4. Configure the SA proposal lifetime in seconds.

   switch:admin> ipsecconfig --add policy ips sa-proposal -t IPSEC-ESP -lttime 280000 -sa ESP01

5. Import the public key for the BROCADE300 (Brocade300.pem), the private key for
   BROCADE300 (Brocade300-key.pem), and the public key of the external host
   (remote-peer.pem) in X.509 PEM format from the remote certificate server (10.6.103.139).

   switch:admin> seccertutil import -ipaddr 10.103.6.139 -remotedir /root/certs -certname \
   Brocade300.pem
   switch:admin> seccertutil import -ipaddr 10.103.6.139 -remotedir /root/certs -certname \
   Brocade300-key.pem
   switch:admin> seccertutil import -ipaddr 10.103.6.139 -remotedir /root/certs -certname \
   remote-peer.pem

6. Import the CA certificate that was used to sign the public certificates of BROCADE300 and the
   remote peer as IPSECCA.pem.

   switch:admin> seccertutil import -ipaddr 10.103.6.139 -remotedir /root/certs \
   -certname IPSECCA.pem

7. Configure an IKE policy for the remote peer UNIX host.

   switch:admin> ipsecconfig --add policy ike -t IKE01 -remote fe80::205:1fff:fe51:f09e \
   -id fe80::220:1aff:fe34:2e82 -remoteid fe80::205:1fff:fe51:f09e \
   -enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth rsasig -dh modp1024 \
   -pubkey "Brocade300.pem" -privkey "Brocade300-key.pem" -peerpubkey "remote-peer.pem"

8. Create an IPSec transform TRANSFORM01 to use transport mode to protect traffic identified
   for IPSec protection and use IKE01 as the key management policy.

   switch:admin> ipsecconfig --add policy ips transform -t TRANSFORM01 \
   -mode transport -sa-proposal IPSEC-ESP -action protect -ike IKE01

9. Create traffic selectors to select outbound and inbound TCP traffic that needs to be protected.

   switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-OUT \
   -d out -l fe80::220:1aff:fe34:2e82 -r fe80::205:1fff:fe51:f09e \
   -protocol "tcp" -transform TRANSFORM01
   switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-IN \
   -d in -l fe80::205:1fff:fe51:f09e -r fe80::220:1aff:fe34:2e82 \
   -protocol "tcp" -transform TRANSFORM01

10. Verify the IPSec SAs using ipSecConfig --show manual-sa -a. Refer to the "IPSec display
    commands" section for an example.

11. Perform the equivalent steps on the remote peer to complete the IPSec configuration. Refer to
    your server administration guide for instructions.

Example 3

Secure traffic between two systems using AH with SHA1 and ESP protection with 3DES and
configure IKE with preshared keys. The two systems are a switch, BROCADE300 (IP address
10.33.74.13), and an external UNIX host (IPv4 address 10.33.69.132).

1. On the system console, log into the switch as Admin and enable IPSec.

   switch:admin> ipsecconfig --enable

2. Create an IPSec SA policy named AH01, which uses AH protection with SHA1.

   switch:admin> ipsecconfig --add policy ips sa -t AH01 -p ah -auth hmac_sha1

444
Fabric OS Command Reference
53-1001764-01
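The policy set built in steps 4 through 9 only protects traffic if every reference resolves (selector to transform, transform to SA proposal and IKE policy, SA proposal to SA) and the inbound selector mirrors the outbound one; a typo in any name, or a missing inbound selector, leaves one direction in the clear without any command failing. The Python lint below is an added example and is not Brocade code or part of this manual: it parses a pasted ipsecconfig session into a policy graph and reports dangling references, outbound selectors without a mirrored inbound twin, and legacy algorithms (3DES, HMAC-MD5, 768/1024-bit DH groups) that a reviewer would want replaced. The session it checks is constructed from this page's commands plus one assumed `ips sa` line for ESP01, which step 4 references but which is defined on an earlier page; that line's option syntax is modelled on the AH01 command in Example 3 and is an assumption.

```python
"""Referential-integrity and algorithm lint for Fabric OS ``ipsecconfig --add policy`` commands.
Added example, not Brocade code: rebuilds the policy graph from a captured CLI session
(SA -> SA proposal -> transform <- IKE; selector -> transform) and reports findings."""
import shlex

# Constructed session: the commands from this manual page, plus one ASSUMED ``ips sa`` line
# for ESP01 (referenced by step 4, defined on an earlier page); its option syntax is modelled
# on the AH01 command in Example 3.
SESSION = r"""
switch:admin> ipsecconfig --add policy ips sa -t ESP01 -p esp -enc 3des_cbc -auth hmac_sha1
switch:admin> ipsecconfig --add policy ips sa-proposal -t IPSEC-ESP -lttime 280000 -sa ESP01
switch:admin> ipsecconfig --add policy ike -t IKE01 -remote fe80::205:1fff:fe51:f09e \
-id fe80::220:1aff:fe34:2e82 -remoteid fe80::205:1fff:fe51:f09e \
-enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth rsasig -dh modp1024 \
-pubkey "Brocade300.pem" -privkey "Brocade300-key.pem" -peerpubkey "remote-peer.pem"
switch:admin> ipsecconfig --add policy ips transform -t TRANSFORM01 \
-mode transport -sa-proposal IPSEC-ESP -action protect -ike IKE01
switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-OUT \
-d out -l fe80::220:1aff:fe34:2e82 -r fe80::205:1fff:fe51:f09e \
-protocol "tcp" -transform TRANSFORM01
switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-IN \
-d in -l fe80::205:1fff:fe51:f09e -r fe80::220:1aff:fe34:2e82 \
-protocol "tcp" -transform TRANSFORM01
"""

# Algorithm values a reviewer would flag, mapped to the wording used in the finding.
LEGACY = {"des_cbc": "single DES", "3des_cbc": "3DES", "hmac_md5": "HMAC-MD5",
          "modp768": "768-bit DH group", "modp1024": "1024-bit DH group"}


def parse_policies(session):
    """Return [(kind, options)], e.g. ("ips selector", {"-t": "SELECTOR-OUT", "-d": "out", ...}).
    Backslash continuation lines are joined first; prompts and non-policy lines are skipped."""
    policies = []
    for raw in session.replace("\\\n", " ").splitlines():
        tokens = shlex.split(raw)                        # also strips quotes around "tcp" etc.
        if "ipsecconfig" not in tokens:
            continue
        tokens = tokens[tokens.index("ipsecconfig"):]    # drop the switch:admin> prompt
        if tokens[1:3] != ["--add", "policy"]:
            continue
        rest = tokens[3:]
        if rest[0] == "ips":                             # "ips sa", "ips sa-proposal", ...
            kind, rest = "ips " + rest[1], rest[2:]
        else:                                            # "ike"
            kind, rest = rest[0], rest[1:]
        opts, i = {}, 0
        while i < len(rest):
            if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
                opts[rest[i]], i = rest[i + 1], i + 2
            else:
                opts[rest[i]], i = True, i + 1           # bare flag without a value
        policies.append((kind, opts))
    return policies


def lint_policies(policies):
    """Return human-readable findings; an empty list means the policy set is consistent."""
    defined, findings, selectors = {}, [], []
    for kind, opts in policies:
        defined.setdefault(kind, set()).add(opts.get("-t"))

    def require(kind, value, referrer):
        if not isinstance(value, str):
            findings.append(f"{referrer} is missing its {kind} reference")
            return
        for name in value.split(","):                   # some references accept comma lists
            if name not in defined.get(kind, set()):
                findings.append(f"{referrer} references undefined {kind} '{name}'")

    for kind, opts in policies:
        me = f"{kind} {opts.get('-t')}"
        if kind == "ips sa-proposal":
            require("ips sa", opts.get("-sa"), me)
        elif kind == "ips transform":
            require("ips sa-proposal", opts.get("-sa-proposal"), me)
            require("ike", opts.get("-ike"), me)
        elif kind == "ips selector":
            require("ips transform", opts.get("-transform"), me)
            selectors.append(opts)
        for key, value in opts.items():
            if value in LEGACY:
                findings.append(f"{me} uses legacy {LEGACY[value]} ({key} {value})")

    # Each outbound selector needs an inbound twin with local/remote swapped and the same
    # protocol and transform; otherwise the return direction is not covered by the policy.
    for out in (s for s in selectors if s.get("-d") == "out"):
        mirrored = any(s.get("-d") == "in" and s.get("-l") == out.get("-r")
                       and s.get("-r") == out.get("-l")
                       and s.get("-protocol") == out.get("-protocol")
                       and s.get("-transform") == out.get("-transform") for s in selectors)
        if not mirrored:
            findings.append(f"ips selector {out.get('-t')} has no mirrored inbound selector")
    return findings


if __name__ == "__main__":
    for finding in lint_policies(parse_policies(SESSION)):
        print(finding)
```

Run against the page's own commands, the graph resolves and the selectors mirror, so the only findings are the five legacy-algorithm hits from the IKE policy and the assumed ESP01 SA (3des_cbc, hmac_md5 as hash and PRF, modp1024); change a single name such as the `-ike` reference, or one address in SELECTOR-IN, and the lint reports the dangling reference or the unmirrored selector before the configuration is pushed to the peer.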