Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)
7  Management interface security
Configuration examples
The following examples describe configurations you can use to protect IP traffic between two
devices with IPsec. Other scenarios can be configured as nested combinations of these
configurations.
Endpoint-to-Endpoint Transport or Tunnel
In this scenario, both endpoints of the IP connection implement IPsec, as RFC 4301 requires of
host implementations. Transport mode is commonly used, in which case there is no inner IP header.
If tunnel mode is used instead, the inner IP header carries the same addresses as the outer
header. A single pair of addresses is negotiated for the packets protected by this SA.
In this scenario one or both of the protected endpoints may sit behind a network address
translation (NAT) node. Because ESP carries no port numbers, the protected packets must then be
UDP-encapsulated (UDP port 4500, RFC 3948) so that the port numbers in the UDP header can be
rewritten by the NAT and used to identify the individual endpoints behind it.
FIGURE 12 Protected endpoints configuration
A possible drawback of end-to-end security is that applications which need to inspect or modify
packets in transit fail when end-to-end confidentiality is employed. QoS, traffic-shaping, and
firewall functions on the path see only the outer IP header and the cleartext ESP SPI and sequence
number; they cannot determine what type of packet is being transmitted and therefore cannot make
the decisions they are supposed to make.
Gateway-to-Gateway Tunnel
In this scenario, neither endpoint of the IP connection needs to implement IPsec; the network
nodes between them (the gateways) protect the traffic for part of the way. Protection is
transparent to the endpoints and depends on ordinary routing to send packets through the tunnel
endpoints for processing. Each gateway announces the set of addresses behind it, and packets are
sent in tunnel mode: the outer IP header carries the gateway addresses, and the protected inner IP
header carries the addresses of the actual endpoints.
FIGURE 13 Gateway tunnel configuration
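The following Python script is an added example; it is not part of the Brocade guide and does not model Fabric OS itself. It builds the three packet shapes described in the two scenarios above (endpoint-to-endpoint transport mode, the same SA UDP-encapsulated for NAT traversal, and gateway-to-gateway tunnel mode) so that the difference between the outer and inner headers, what a port-based NAT can and cannot map, and what a firewall or QoS classifier on the path can see, is concrete. All addresses, SPIs, subnets and the sample segment are constructed; the ESP body is an opaque placeholder rather than real encryption, and the NAT and gateway policy lookup are simplified models.

```python
import struct
import ipaddress

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500            # UDP port for ESP-in-UDP encapsulation (RFC 3948)
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options

# Constructed sample transport segment: TCP-style ports (51234 -> 22) plus payload.
SAMPLE_SEGMENT = struct.pack("!HH", 51234, 22) + b"constructed ssh bytes"


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left at zero because nothing here verifies it."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def esp(spi, seq, protected):
    """ESP: cleartext SPI and sequence number followed by an opaque body.
    Placeholder only: the body is XOR-masked, not encrypted, and a real ESP
    packet's IV, padding, next-header byte and ICV are omitted."""
    return struct.pack("!II", spi, seq) + bytes(b ^ 0xA5 for b in protected)


def transport_mode(src, dst, spi, seq, segment):
    """Endpoint-to-endpoint transport mode: the outer IP header carries the real
    endpoint addresses and ESP protects only the transport-layer segment."""
    body = esp(spi, seq, segment)
    return ipv4_header(src, dst, PROTO_ESP, len(body)) + body


def transport_mode_udp_encap(src, dst, spi, seq, segment, sport=NAT_T_PORT):
    """Same SA, but ESP is carried inside UDP so that a NAT has ports to rewrite."""
    body = esp(spi, seq, segment)
    udp = struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(body), 0) + body
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def tunnel_mode(gw_src, gw_dst, spi, seq, host_src, host_dst, segment):
    """Gateway-to-gateway tunnel mode: the outer header names the gateways; the
    inner IP header naming the actual endpoints is protected with the segment."""
    inner = ipv4_header(host_src, host_dst, PROTO_TCP, len(segment)) + segment
    body = esp(spi, seq, inner)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(body)) + body


def middlebox_view(pkt):
    """What a firewall or QoS classifier on the path can learn from cleartext headers."""
    fields = struct.unpack(IPV4_FMT, pkt[:20])
    proto, rest = fields[6], pkt[20:]
    view = {"src": str(ipaddress.IPv4Address(fields[8])),
            "dst": str(ipaddress.IPv4Address(fields[9])),
            "proto": proto, "ports": None, "spi": None, "classifiable": False}
    if proto == PROTO_UDP:
        view["ports"] = struct.unpack("!HH", rest[:4])
        if NAT_T_PORT in view["ports"]:       # ESP-in-UDP: skip the 8-byte UDP header
            proto, rest = PROTO_ESP, rest[8:]
    if proto == PROTO_ESP:
        view["spi"] = struct.unpack("!I", rest[:4])[0]   # inner protocol/ports are opaque
    else:
        view["ports"] = struct.unpack("!HH", rest[:4])
        view["classifiable"] = True
    return view


def nat_translate(pkt, public_ip, table):
    """Port-based NAT model. UDP flows get a distinct public source port per inside
    (address, port) pair; raw ESP (IP protocol 50) has no port field, so this NAT
    returns None for it. (NATs that key on the SPI instead exist; the guide's point
    is the port-based case.)"""
    fields = list(struct.unpack(IPV4_FMT, pkt[:20]))
    if fields[6] != PROTO_UDP:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[20:28])
    key = (str(ipaddress.IPv4Address(fields[8])), sport)
    table.setdefault(key, NAT_T_PORT + len(table))   # 4500, 4501, ... in arrival order
    fields[8] = ipaddress.IPv4Address(public_ip).packed
    udp = struct.pack("!HHHH", table[key], dport, ulen, 0) + pkt[28:]
    return struct.pack(IPV4_FMT, *fields) + udp


def tunnel_peer_for(announced, dst):
    """Gateway policy lookup: which peer gateway announced the address set that
    contains dst? None means dst is not behind any peer and is forwarded in the clear."""
    addr = ipaddress.IPv4Address(dst)
    for peer, nets in announced.items():
        if any(addr in ipaddress.IPv4Network(n) for n in nets):
            return peer
    return None


if __name__ == "__main__":
    print(middlebox_view(transport_mode("10.0.0.1", "10.0.0.2", 0x1001, 1, SAMPLE_SEGMENT)))
    print(middlebox_view(tunnel_mode("192.0.2.1", "198.51.100.1", 0x2002, 1,
                                     "10.1.0.5", "10.2.0.7", SAMPLE_SEGMENT)))
```

Running the script shows that for both ESP shapes the on-path view contains only the outer addresses and the SPI, which is the drawback the first scenario describes; feeding two UDP-encapsulated hosts through nat_translate shows each receiving its own public port while a raw ESP packet cannot be mapped at all, and tunnel_peer_for shows how a gateway decides, from the sets its peers announced, whether a destination is reached through the tunnel.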