466 Fabric OS Command Reference 53-1001764-01
ipSecConfig 22
2. Create an IPSec SA policy named AH01, which uses AH protection with MD5.
   switch:admin> ipsecconfig --add policy ips sa \
       -t AH01 -p ah -auth hmac_md5
3. Create an IPSec proposal IPSEC-AH to use AH01 as SA.
   switch:admin> ipsecconfig --add policy ips sa-proposal \
       -t IPSEC-AH -sa AH01
4. Configure the SA proposal's lifetime in time units.
   switch:admin> ipsecconfig --add policy ips sa-proposal \
       -t IPSEC-AH -lttime 280000 -sa AH01
5. Import the preshared key file (for example, ipseckey.psk) using the secCertUtil import command.
6. Configure an IKE policy for the remote peer.
   switch:admin> ipsecconfig --add policy ike -t IKE01 \
       -remote 10.33.69.132 -id 10.33.74.13 \
       -remoteid 10.33.69.132 -enc 3des_cbc \
       -hash hmac_md5 -prf hmac_md5 -auth psk \
       -dh modp1024 -psk ipseckey.psk
7. Create an IPSec transform named TRANSFORM01 that uses transport mode to protect the traffic identified for IPSec protection and uses IKE01 as the key management policy.
   switch:admin> ipsecconfig --add policy ips transform \
       -t TRANSFORM01 -mode transport \
       -sa-proposal IPSEC-AH -action protect -ike IKE01
8. Create traffic selectors to select the outbound and inbound traffic that needs to be protected.
   switch:admin> ipsecconfig --add policy ips selector \
       -t SELECTOR-OUT -d out -l 10.33.74.13 -r 10.33.69.132 \
       -transform TRANSFORM01
   switch:admin> ipsecconfig --add policy ips selector \
       -t SELECTOR-IN -d in -l 10.33.69.132 -r 10.33.74.13 \
       -transform TRANSFORM01
9. Verify the IPSec SAs created by IKE for the above traffic flow using ipsecConfig --show manual-sa -a. Refer to the "IPSec display commands" section for an example.
10. Perform the equivalent steps on the remote peer to complete the IPSec configuration. Refer to your server administration guide for instructions.
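The ten steps above build a chain of named objects that reference one another: the SA policy (AH01) is referenced by the SA proposal (IPSEC-AH), the transform (TRANSFORM01) references the proposal and the IKE policy (IKE01), and each selector references the transform. The following Python script is an added example, not code from the Fabric OS reference or from Brocade; it models that chain with the values from Example 1, emits the ipsecconfig lines in dependency order, and checks for dangling references, a missing or mismatched inbound/outbound selector pair, and use of the legacy algorithms the example relies on (HMAC-MD5 and 3DES-CBC). The Policy class, the LEGACY_ALGS set and all function names are this example's own assumptions.

```python
"""Model and lint the ipsecconfig policy chain from Example 1.

Added example, not code from the Fabric OS reference. The object values
come from Example 1 on this page; the checks, LEGACY_ALGS and all names
below are the example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Algorithms the page's examples use that are no longer considered adequate.
# Flagging them is this example's own check, not something the reference does.
LEGACY_ALGS = {"hmac_md5", "3des_cbc"}


@dataclass
class Policy:
    """Each map is keyed by the object's -t name; the value holds its options."""
    sas: Dict[str, dict] = field(default_factory=dict)
    proposals: Dict[str, dict] = field(default_factory=dict)
    ikes: Dict[str, dict] = field(default_factory=dict)
    transforms: Dict[str, dict] = field(default_factory=dict)
    selectors: Dict[str, dict] = field(default_factory=dict)


def example1_policy() -> Policy:
    """Example 1 from the page: AH with HMAC-MD5, IKE authenticated by PSK."""
    p = Policy()
    p.sas["AH01"] = {"p": "ah", "auth": "hmac_md5"}
    p.proposals["IPSEC-AH"] = {"sa": "AH01", "lttime": 280000}
    p.ikes["IKE01"] = {"remote": "10.33.69.132", "id": "10.33.74.13",
                       "remoteid": "10.33.69.132", "enc": "3des_cbc",
                       "hash": "hmac_md5", "prf": "hmac_md5", "auth": "psk",
                       "dh": "modp1024", "psk": "ipseckey.psk"}
    p.transforms["TRANSFORM01"] = {"mode": "transport", "sa-proposal": "IPSEC-AH",
                                   "action": "protect", "ike": "IKE01"}
    p.selectors["SELECTOR-OUT"] = {"d": "out", "l": "10.33.74.13",
                                   "r": "10.33.69.132", "transform": "TRANSFORM01"}
    p.selectors["SELECTOR-IN"] = {"d": "in", "l": "10.33.69.132",
                                  "r": "10.33.74.13", "transform": "TRANSFORM01"}
    return p


def lint(p: Policy) -> List[str]:
    """Return findings: dangling references, unpaired selectors, legacy algorithms."""
    out: List[str] = []
    for n, prop in p.proposals.items():
        if prop["sa"] not in p.sas:
            out.append(f"proposal {n}: SA {prop['sa']} is not defined")
    for n, t in p.transforms.items():
        if t["sa-proposal"] not in p.proposals:
            out.append(f"transform {n}: SA proposal {t['sa-proposal']} is not defined")
        if t["ike"] not in p.ikes:
            out.append(f"transform {n}: IKE policy {t['ike']} is not defined")
    for n, s in p.selectors.items():
        if s["transform"] not in p.transforms:
            out.append(f"selector {n}: transform {s['transform']} is not defined")
    # A transform protects a flow only with an outbound selector and an inbound
    # selector whose local/remote addresses mirror it (step 8 of the procedure).
    for n in p.transforms:
        outs = [s for s in p.selectors.values() if s["transform"] == n and s["d"] == "out"]
        ins = [s for s in p.selectors.values() if s["transform"] == n and s["d"] == "in"]
        if not outs or not ins:
            out.append(f"transform {n}: needs both an outbound and an inbound selector")
        for o in outs:
            if not any(i["l"] == o["r"] and i["r"] == o["l"] for i in ins):
                out.append(f"transform {n}: no inbound selector mirrors {o['l']} -> {o['r']}")
    for n, sa in p.sas.items():
        for alg in (sa.get("auth"), sa.get("enc")):
            if alg in LEGACY_ALGS:
                out.append(f"SA {n}: {alg} is a legacy algorithm")
    for n, ike in p.ikes.items():
        for alg in (ike["enc"], ike["hash"], ike["prf"]):
            if alg in LEGACY_ALGS:
                out.append(f"IKE {n}: {alg} is a legacy algorithm")
        if ike["auth"] == "psk" and not ike.get("psk"):
            out.append(f"IKE {n}: -auth psk given without a -psk key file")
    return out


def _opts(d: dict) -> str:
    """Render an option map as '-key value' pairs in insertion order."""
    return " ".join(f"-{k} {v}" for k, v in d.items())


def render(p: Policy) -> List[str]:
    """Emit the ipsecconfig lines in the dependency order the page uses."""
    cmds = ["ipsecconfig --enable"]
    for kind, objs in (("sa", p.sas), ("sa-proposal", p.proposals)):
        cmds += [f"ipsecconfig --add policy ips {kind} -t {n} {_opts(o)}" for n, o in objs.items()]
    cmds += [f"ipsecconfig --add policy ike -t {n} {_opts(o)}" for n, o in p.ikes.items()]
    for kind, objs in (("transform", p.transforms), ("selector", p.selectors)):
        cmds += [f"ipsecconfig --add policy ips {kind} -t {n} {_opts(o)}" for n, o in objs.items()]
    return cmds


if __name__ == "__main__":
    policy = example1_policy()
    print("\n".join(render(policy)))
    for finding in lint(policy):
        print("WARNING:", finding)
```

Run as a script it prints the seven command lines for Example 1 and then four warnings, all about legacy algorithms; deleting SELECTOR-IN or pointing TRANSFORM01 at an undefined IKE policy produces the corresponding structural finding instead. Example 2's ESP01 object fits the same model as {"p": "esp", "enc": "3des_cbc", "auth": "hmac_sha1"}.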
Example 2
The following example illustrates how to secure traffic between two systems using ESP protection with 3DES_CBC encryption and SHA1 authentication, and how to configure IKE with RSA certificates signed by a certification authority (CA). The two systems are a Brocade 300 switch (IPv6 address fe80::220:1aff:fe34:2e82) and an external UNIX host (IPv6 address fe80::205:1fff:fe51:f09e).
1. On the system console, log in to the switch as Admin and enable IPSec.
   switch:admin> ipsecconfig --enable
2. Create an IPSec SA policy named ESP01, which uses ESP protection with 3DES and SHA1.
   switch:admin> ipsecconfig --add policy ips sa -t ESP01 \
       -p esp -enc 3des_cbc -auth hmac_sha1