Fabric OS 6.2 administrator guide 151
is used for the creation of the security associations, the switch populates the security association database
(SAD) accordingly.
Pre-shared keys
A pre-shared key is one of the available methods for configuring IKE to use for primary authentication. You
can specify the pre-shared keys used in IKE policies. You can also add and delete pre-shared keys (in local
database) corresponding to the identity of the IKE peer or group of peers.
The
ipSecConfig
command does not support manipulating pre-shared keys corresponding to the
identity of the IKE peer or group of peers. Use the
secCertUtil
command to import, delete, or display
the pre-shared keys in the local switch database. For more information on this procedure, see Chapter 3,
”
Configuring standard security features
” on page 99.
Security certificates
A security certificate is one of the available methods for configuring IKE to use for primary authentication.
You can specify the local public key and private key (in X.509 PEM format) and peer public key (in X.509
format) to be used in a particular IKE policy.
Use the
secCertUtil import
command to import public key, private key, and peer-public key (in
X.509 PEM format) into the switch database. For more information on this procedure, see Chapter 3,
”
Configuring standard security features
” on page 99.
Static Security Associations
Manual Key Entry (MKE) provides the ability to manually add, delete, and flush SA entries in the SADB.
Manual SA entries may not have an associated IPsec policy in the local policy database. Manual SA
entries are persistent across system reboots.
Creating the tunnel
Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged into
the switch, do not log off, as each step requires that you be logged in to the switch. IPsec configuration
changes take effect upon execution and are persistent across reboots. Configure the following on each side
of the tunnel:
1.
Determine the authentication protocol and algorithm to be used on the tunnel.
See
Table 41
on page 148 to determine which algorithm to use in conjunction with a specific
authentication protocol.
2.
Determine the type of keys to be used on the tunnel.
If you are using CA signed keys, you must generate them prior to setting up your tunnels.
3.
Enable IPsec.
a.
Connect to the switch and log in using an account assigned to the admin role.
b.
Enter the
ipsecConfig
--
enable
command to enable IPsec on the switch.
4.
Create an IPsec SA policy on each side of the tunnel using the
ipSecConfig
--
add policy ips
sa <-tag
n
ame>
-protocol ah|esp -auth
<algorithm>
command.
The example below creates an IPsec SA policy named
AH01
, which uses AH protection with MD5. You
would run this command on each switch on each side of the tunnel, so that both sides have the same
IPsec SA policy.
switch:admin>
ipsecconfig --add policy ips sa -t AH01 -p ah -auth
hmac_md5
5.
Create an IPsec proposal on each side of the tunnel using the
ipSecConfig
--
add policy ips
sa-proposal -tag
name
-sa
name
command
.
The following example creates an IPsec proposal
IPSEC-AH
to use
AH01
as SA.
switch:admin>
ipsecconfig --add policy ips sa-proposal -t IPSEC-AH –sa
AH01
6.
Import the pre-shared key file.
Summary of Contents for A7533A - Brocade 4Gb SAN Switch Base
Page 1: ...HP StorageWorks Fabric OS 6 2 administrator guide Part number 5697 0016 Edition May 2009 ...
Page 24: ...24 ...
Page 99: ...Fabric OS 6 2 administrator guide 99 ...
Page 100: ...100 Managing user accounts ...
Page 118: ...116 Configuring standard security features ...
Page 164: ...162 Configuring advanced security features ...
Page 234: ...232 Installing and maintaining firmware ...
Page 268: ...266 Administering advanced zoning ...
Page 284: ...282 Configuring Enterprise class platforms ...
Page 292: ...290 Routing traffic ...
Page 294: ...292 Interoperability for merged SANs ...
Page 302: ...300 Configuring the Distributed Management Server ...
Page 334: ...332 iSCSI gateway service ...
Page 340: ...338 Administering NPIV ...
Page 407: ...Fabric OS 6 2 administrator guide 405 ...
Page 408: ...406 Using the FC FC routing service ...
Page 438: ...434 Administering extended fabrics ...
Page 460: ...456 Administering ISL trunking ...
Page 516: ...512 FICON fabrics ...
Page 526: ...522 Configuring and monitoring FICON Extension Services ...
Page 540: ...536 Configuring the PID format ...
Page 544: ...540 Understanding legacy password behavior ...
Page 546: ...542 Mixed fabric configurations for non merge SANs ...
Page 550: ...546 Migrating from an MP Router to a 400 MP Router ...
Page 558: ...554 Inband Management ...
Page 572: ...568 ...