Manualshelf

Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)

ManualsBrandsHP ManualsStorageBrocade 8/24c SAN Switch for BladeSystem c-Class
201202203204205206207208209210
160 Fabric OS Administrator’s Guide
53-1001336-02
Management interface security
7
1. On the system console, log in to the switch as Admin.
2. Enable IPsec.
a. Connect to the switch and log in using an account assigned to the admin role.
b. Enter the ipsecConfig
--enable command to enable IPsec on the switch.
3. Create an IPsec SA policy named AH01, which uses AH protection with MD5.
switch:admin> ipsecconfig --add policy ips sa -t AH01 \
-p ah -auth hmac_md5
4. Create an IPsec proposal IPSEC-AH to use AH01 as SA.
switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPSEC-AH -sa AH01
5. Configure the SA proposal's lifetime in time units.
switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPSEC-AH -lttime 280000 -sa AH01
6. Import the pre-shared key file using the secCertUtil command. The file name should have a
.psk extension.
For more information on importing the pre-shared key file, refer to “Installing a switch
certificate” on page 115.
7. Configure an IKE policy for the remote peer.
switch:admin> ipsecconfig --add policy ike -t IKE01 \
-remote 10.33.69.132 -id 10.33.74.13 -remoteid 10.33.69.132 \
-enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth psk \
-dh modp1024 -psk ipseckey.psk
NOTE
IKE version (‘-v’ option) needs to be set to 1 (IKEv1) if remote peer is a Windows XP or 2000 Host as
Windows XP and 2000 do not support IKEv2.
8. Create an IPsec transform named TRANSFORM01 to use transport mode to protect traffic
identified for IPsec protection and use IKE01 as key management policy.
switch:admin> ipsecconfig --add policy ips transform \
-t TRANSFORM01 -mode transport -sa-proposal IPSEC-AH -action \
protect -ike IKE01
9. Create traffic selectors to select the outbound and inbound traffic that needs to be protected.
switch:admin> ipsecconfig --add policy ips selector \
-t SELECTOR-OUT -d out -l 10.33.74.13 -r 10.33.69.132 \
-transform TRANSFORM01
switch:admin> ipsecconfig --add policy ips selector \
-t SELECTOR-IN -d in -l 10.33.69.132 -r 10.33.74.13 \
-transform TRANSFORM01
10. Verify the IPSec SAs created with IKE using the ipsecConfig --show manual-sa –a command.
11. Perform the equivalent steps on the remote peer to complete the IPsec configuration. Refer to
your server administration guide for instructions.
12. Generate IP traffic and verify that it is protected using defined policies.