Fabric OS Command Reference
53-1001764-01

ipSecConfig
Example 4
The following example illustrates how to secure traffic between two systems using AH protection with HMAC-MD5 authentication and manually keyed SAs. The two systems are a switch, the BROCADE300 (IPv4 address 10.33.74.13), and an external UNIX host (IPv4 address 10.33.69.132).
1. On the system console, log in to the switch as Admin and enable IPSec:
switch:admin> ipsecconfig --enable
2. Create an IPSec manual SA that uses AH protection with HMAC-MD5 for outbound traffic:
switch:admin> ipsecconfig --add manual-sa -spi 0x300 \
-l 10.33.74.13 -r 10.33.69.132 -p any -d out -m transport \
-ipsec ah -ac protect -auth hmac_md5 \
-auth-key "TAHITEST89ABCDEF"
3. Create the matching SA for inbound traffic (same key, a different SPI, local and remote addresses swapped):
switch:admin> ipsecconfig --add manual-sa -spi 0x200 \
-l 10.33.69.132 -r 10.33.74.13 -p any -d in \
-m transport -ipsec ah -ac protect -auth hmac_md5 \
-auth-key "TAHITEST89ABCDEF"
4. Verify the SAs using ipsecConfig --show manual-sa -a. Refer to the IPSec display commands section for an example.
5. Perform the equivalent steps on the remote peer to complete the IPSec configuration. The peer must hold the mirror image of the switch's SAs: the SA with SPI 0x300 is inbound on the host, the SA with SPI 0x200 is outbound, and both use the same authentication algorithm and key. Refer to your server administration guide for instructions.
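The procedure above is easy to get wrong by hand: the two SAs must use distinct SPIs, the key must be exactly the length the HMAC algorithm expects (16 bytes for hmac_md5, which the 16-character "TAHITEST89ABCDEF" string happens to satisfy), and the peer's SAs must be the mirror image of the switch's. The following script is an added example, not part of the Fabric OS reference: it validates those constraints, emits the two switch commands in the exact syntax shown in steps 2 and 3, generates a fresh key from the OS random source instead of a guessable test string, and produces the host side in KAME/ipsec-tools setkey syntax. The setkey output and the hmac_sha1 key size are assumptions about the host and the switch, not something the page states.

```python
import secrets
import string

# Key sizes, in bytes, that the manual-SA authentication algorithms expect.
# hmac_md5 is the only value the reference page shows; hmac_sha1 is an
# assumption and must be checked against the switch's ipsecconfig help text.
KEY_BYTES = {"hmac_md5": 16, "hmac_sha1": 20}
SETKEY_ALG = {"hmac_md5": "hmac-md5", "hmac_sha1": "hmac-sha1"}

AH_TEMPLATE = (
    'ipsecconfig --add manual-sa -spi 0x%x -l %s -r %s -p any -d %s '
    '-m transport -ipsec ah -ac protect -auth %s -auth-key "%s"'
)


def random_key(auth):
    """Return a printable key of the exact length the algorithm needs,
    drawn from the OS CSPRNG rather than a guessable string."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(KEY_BYTES[auth]))


def validate(spi_out, spi_in, auth, key):
    """Reject parameters a manually keyed pair of SAs must not have."""
    if auth not in KEY_BYTES:
        raise ValueError("unsupported auth algorithm: %s" % auth)
    key_len = len(key.encode("ascii"))
    if key_len != KEY_BYTES[auth]:
        raise ValueError("%s needs a %d-byte key, got %d bytes"
                         % (auth, KEY_BYTES[auth], key_len))
    for spi in (spi_out, spi_in):
        # SPI values 0-255 are reserved by IANA and 0 is never valid.
        if not 256 <= spi <= 0xFFFFFFFF:
            raise ValueError("SPI 0x%x is outside the usable range" % spi)
    if spi_out == spi_in:
        raise ValueError("inbound and outbound SAs need distinct SPIs")


def switch_commands(local, remote, spi_out, spi_in, auth, key):
    """The two ipsecconfig commands for the switch (steps 2 and 3)."""
    validate(spi_out, spi_in, auth, key)
    return [
        AH_TEMPLATE % (spi_out, local, remote, "out", auth, key),
        AH_TEMPLATE % (spi_in, remote, local, "in", auth, key),
    ]


def host_setkey(local, remote, spi_out, spi_in, auth, key):
    """Mirror image for the UNIX host in KAME/ipsec-tools setkey syntax
    (assumed host tooling; the reference page does not prescribe it).
    The switch's outbound SA (spi_out) is the host's inbound SA and vice
    versa; SPI and key of each SA must match on both ends."""
    validate(spi_out, spi_in, auth, key)
    alg = SETKEY_ALG[auth]
    return [
        'add %s %s ah 0x%x -m transport -A %s "%s";' % (local, remote, spi_out, alg, key),
        'add %s %s ah 0x%x -m transport -A %s "%s";' % (remote, local, spi_in, alg, key),
        "spdadd %s %s any -P in ipsec ah/transport//require;" % (local, remote),
        "spdadd %s %s any -P out ipsec ah/transport//require;" % (remote, local),
    ]


if __name__ == "__main__":
    # Addresses and SPIs from the page; the key is freshly generated.
    switch, host = "10.33.74.13", "10.33.69.132"
    key = random_key("hmac_md5")
    print("# on the switch")
    for cmd in switch_commands(switch, host, 0x300, 0x200, "hmac_md5", key):
        print("switch:admin> " + cmd)
    print("# on the host (setkey -f)")
    for line in host_setkey(switch, host, 0x300, 0x200, "hmac_md5", key):
        print(line)
```

Manual keying has no rekeying and no per-session freshness, so the generated key is long-lived shared secret material; keep it out of shell history and ticket systems, and rotate both ends together.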
IPSec display commands
To display the IPSec IKE policy:
switch:admin> ipsecconfig --show policy ike -a
IKE-01 version:ikev2 remote:10.33.69.132
local-id:10.33.74.13 remote-id:10.33.69.132
encryption algorithm: 3des_cbc
hash algorithm: hmac_md5
prf algorithm: hmac_md5
dh group: 2 1
auth method:rsasig
public-key:"/etc/fabos/certs/sw0/thawkcert.pem"
private-key:"/etc/fabos/certs/sw0/thawkkey.pem"
peer-public-key:"/etc/fabos/certs/sw0/spiritcert.pem"
To display the outbound and inbound SAs in the kernel SA database:
switch:admin> ipsecconfig --show manual-sa -a
10.33.69.132[0] 10.33.74.13[0]
ah mode=transport spi=34560190(0x020f58be) reqid=0(0x00000000)
A: hmac-md5 7e5aeb47 e0433649 c1373625 34a64ece
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Oct 15 23:34:55 2008 current: Oct 15 23:35:06 2008
diff: 11(s) hard: 2621440(s) soft: 2100388(s)
last: Oct 15 23:34:56 2008 hard: 0(s) soft: 0(s)
current: 256(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4 hard: 0 soft: 0
sadb_seq=1 pid=10954 refcnt=0
10.33.74.13[0] 10.33.69.132[0]
ah mode=transport spi=48095089(0x02dddf71) reqid=0(0x00000000)
A: hmac-md5 c84d27e5 960d116c bf7c0e4a b232c49e
seq=0x00000000 replay=32 flags=0x00000000 state=mature
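Step 4 of the example says to verify the SAs from this dump, but it does not say what to look for. The following parser is an added example, not part of the Fabric OS reference: it reads the setkey-style records printed by ipsecconfig --show manual-sa -a (the two records above are embedded verbatim; the second is cut off on the page, which the parser tolerates) and checks what a reviewer would check: one mature SA in each direction between the two addresses, the anti-replay window enabled, a key of at least 128 bits, and a flag on HMAC-MD5 since a SHA-based HMAC is the better choice wherever the peer supports it.

```python
import re

# Output of "ipsecconfig --show manual-sa -a" copied from the reference page.
# The second record stops at its state line there, so the parser must cope
# with records that have no lifetime lines.
SAMPLE = """\
10.33.69.132[0] 10.33.74.13[0]
ah mode=transport spi=34560190(0x020f58be) reqid=0(0x00000000)
A: hmac-md5 7e5aeb47 e0433649 c1373625 34a64ece
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Oct 15 23:34:55 2008 current: Oct 15 23:35:06 2008
diff: 11(s) hard: 2621440(s) soft: 2100388(s)
last: Oct 15 23:34:56 2008 hard: 0(s) soft: 0(s)
current: 256(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4 hard: 0 soft: 0
sadb_seq=1 pid=10954 refcnt=0
10.33.74.13[0] 10.33.69.132[0]
ah mode=transport spi=48095089(0x02dddf71) reqid=0(0x00000000)
A: hmac-md5 c84d27e5 960d116c bf7c0e4a b232c49e
seq=0x00000000 replay=32 flags=0x00000000 state=mature
"""

# "src[port] dst[port]" opens a record; the next lines belong to it.
HEADER = re.compile(r"^([^\s\[]+)\[\d+\]\s+([^\s\[]+)\[\d+\]$")
PROTO = re.compile(r"^(ah|esp)\s+mode=(\w+)\s+spi=\d+\((0x[0-9a-f]+)\)")
AUTH = re.compile(r"^A:\s+(\S+)\s+([0-9a-f ]+)$")
STATE = re.compile(r"replay=(\d+).*\bstate=(\w+)")


def parse_sa_dump(text):
    """Split the dump into one dict per SA: endpoints, protocol, mode, SPI,
    authentication algorithm, key length in bits, replay window and state."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                   "mode": None, "spi": None, "auth": None, "key_bits": 0,
                   "replay": None, "state": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO.match(line)
        if m:
            cur["proto"], cur["mode"] = m.group(1), m.group(2)
            cur["spi"] = int(m.group(3), 16)
            continue
        m = AUTH.match(line)
        if m:
            cur["auth"] = m.group(1)
            # The key is printed as hex words; four bits per hex digit.
            cur["key_bits"] = 4 * len(m.group(2).replace(" ", ""))
            continue
        m = STATE.search(line)
        if m:
            cur["replay"], cur["state"] = int(m.group(1)), m.group(2)
    return sas


def check_sas(sas, local, remote):
    """Return findings for the local/remote pair; an empty list means an SA
    exists in each direction, is mature, and avoids the weak settings
    checked here."""
    findings = []
    pairs = {(sa["src"], sa["dst"]) for sa in sas}
    if (local, remote) not in pairs:
        findings.append("no outbound SA %s -> %s" % (local, remote))
    if (remote, local) not in pairs:
        findings.append("no inbound SA %s -> %s" % (remote, local))
    for sa in sas:
        tag = "%s -> %s spi=0x%08x" % (sa["src"], sa["dst"], sa["spi"] or 0)
        if sa["state"] != "mature":
            findings.append("%s: state is %s, not mature" % (tag, sa["state"]))
        if not sa["replay"]:
            findings.append("%s: anti-replay window disabled" % tag)
        if sa["auth"] == "hmac-md5":
            findings.append("%s: HMAC-MD5 authentication; prefer a SHA-based "
                            "HMAC when the peer supports it" % tag)
        if sa["key_bits"] < 128:
            findings.append("%s: %d-bit key is too short" % (tag, sa["key_bits"]))
    return findings


if __name__ == "__main__":
    for finding in check_sas(parse_sa_dump(SAMPLE), "10.33.74.13", "10.33.69.132"):
        print(finding)
```

Run against the page's own dump, the only findings are the two HMAC-MD5 notes; a missing direction, an immature SA or replay=0 would each add a line, which is the quick sanity check worth running on the switch and on the host after step 5.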