Fabric OS FCIP Administrators Guide v6.4.0 (53-1001766-01, November 2010)

IPSec implementation over FCIP
Table 11 lists the policy parameters that can be modified.
Creating an IKE and IPsec policy
For a complete description of the policy command, see the Fabric OS Command Reference.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the policy command to create IKE and IPsec policies:
policy --create type number [-enc encryption_method] [-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs]
Where:
type and number
    The type of policy being created (IKE or IPsec) and the number for this type of policy. The range of valid values is any whole number from 1 through 32. To see at a glance how many policies have been created, consider numbering them sequentially.
encryption_method
    The encryption algorithm. Valid options are 3DES, AES-128, and AES-256. AES-128 is the default.
authentication_algorithm
    The authentication algorithm. Valid options are SHA-1, MD5, and AES-XCBC (IPsec policies only). SHA-1 is the default.
off|on
    Perfect Forward Secrecy (PFS). Applies to IKE policies only. On is the default.
DH_group
    The Diffie-Hellman group. Supported groups are Group 1 (768-bit) and Group 14 (2048-bit). Group 1 is the default.
secs
    The security association lifetime in seconds. Valid values are 28800 through 250000000, or 0. 28800 is the default.
The following example shows how to create IKE policy number 10 using 3DES encryption, MD5 authentication, and Diffie-Hellman Group 1. Note that these are the weakest choices the command accepts; for a new deployment prefer AES-256, SHA-1, and Group 14, and leave PFS on:
switch:admin> policy --create ike 10 -enc 3des -auth md5 -dh 1
The following policy has been set:
TABLE 11  Modifiable policy parameters

Parameter                              Description
Encryption Algorithm                   3DES: 168-bit key
                                       AES-128: 128-bit key (default)
                                       AES-256: 256-bit key
Authentication Algorithm               SHA-1: Secure Hash Algorithm (default)
                                       MD5: Message Digest 5
                                       AES-XCBC: used only for IPsec
Security Association lifetime          Security association lifetime in seconds. A new key is
in seconds                             renegotiated before the lifetime expires. Valid values are
                                       28800 through 250000000, or 0. The default is 28800.
PFS (Perfect Forward Secrecy)          Applies only to IKE policies. Choices are On and Off;
                                       the default is On.
Diffie-Hellman group                   Group 1: 768 bits (default)
                                       Group 14: 2048 bits
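The following script is an added illustration for this section and is not Brocade code or part of the original guide. It encodes only the constraints stated above (policy numbers 1 through 32, the supported ciphers, hashes and DH groups, AES-XCBC for IPsec only, -pfs for IKE only, SA lifetime 28800 through 250000000 or 0), renders a policy --create command line from a policy description, and flags the algorithm choices a reviewer would question. The option token spellings (3des, aes-128, sha-1 and so on) are assumed from the switch example shown above; the hardened policies at the end are constructed for comparison with the guide's own example. Nothing here connects to a switch.

```python
"""Build and sanity-check Fabric OS `policy --create` command lines.

Added example, not Brocade code. Option spellings ("3des", "aes-128", ...)
are assumed from the guide's example; the constraints below are the ones
the guide documents for the policy command.
"""
from dataclasses import dataclass
from typing import List, Optional

# Supported values per the guide (key sizes in bits, for the warnings).
ENC = {"3des": 168, "aes-128": 128, "aes-256": 256}
AUTH = {"sha-1", "md5", "aes-xcbc"}
DH = {1: 768, 14: 2048}


@dataclass
class Policy:
    ptype: str                      # "ike" or "ipsec"
    number: int                     # 1..32
    enc: str = "aes-128"            # guide default
    auth: str = "sha-1"             # guide default
    dh: int = 1                     # guide default (768-bit group)
    pfs: Optional[bool] = None      # IKE only; None means "leave the default (On)"
    seclife: int = 28800            # SA lifetime in seconds, guide default


def validate(p: Policy) -> List[str]:
    """Hard errors: violations of the constraints the guide documents."""
    errs = []
    if p.ptype not in ("ike", "ipsec"):
        errs.append(f"type must be ike or ipsec, got {p.ptype!r}")
    if not 1 <= p.number <= 32:
        errs.append(f"policy number must be 1..32, got {p.number}")
    if p.enc not in ENC:
        errs.append(f"unsupported encryption {p.enc!r}")
    if p.auth not in AUTH:
        errs.append(f"unsupported authentication {p.auth!r}")
    if p.auth == "aes-xcbc" and p.ptype != "ipsec":
        errs.append("aes-xcbc is valid for IPsec policies only")
    if p.pfs is not None and p.ptype != "ike":
        errs.append("-pfs applies to IKE policies only")
    if p.dh not in DH:
        errs.append(f"unsupported DH group {p.dh}")
    if not (p.seclife == 0 or 28800 <= p.seclife <= 250_000_000):
        errs.append(f"seclife must be 0 or 28800..250000000, got {p.seclife}")
    return errs


def warnings(p: Policy) -> List[str]:
    """Soft findings: choices the command accepts but a reviewer should flag."""
    w = []
    if p.enc == "3des":
        w.append("3DES is a 64-bit block cipher; prefer aes-256")
    if p.auth == "md5":
        w.append("MD5 is a broken hash; prefer sha-1, the strongest option offered")
    if p.dh == 1:
        w.append("DH group 1 is only 768 bits; prefer group 14 (2048 bits)")
    if p.ptype == "ike" and p.pfs is False:
        w.append("PFS off: compromise of the IKE key exposes past IPsec keys")
    return w


def command(p: Policy) -> str:
    """Render the command in the guide's syntax, with every option explicit
    so the switch never falls back to a default the operator did not see."""
    errs = validate(p)
    if errs:
        raise ValueError("; ".join(errs))
    parts = ["policy", "--create", p.ptype, str(p.number),
             "-enc", p.enc, "-auth", p.auth, "-dh", str(p.dh),
             "-seclife", str(p.seclife)]
    if p.ptype == "ike":
        parts += ["-pfs", "off" if p.pfs is False else "on"]
    return " ".join(parts)


# The guide's own example policy, and a hardened IKE/IPsec pair (constructed here).
DOC_EXAMPLE = Policy("ike", 10, enc="3des", auth="md5", dh=1)
HARDENED = [Policy("ike", 10, enc="aes-256", auth="sha-1", dh=14, pfs=True),
            Policy("ipsec", 10, enc="aes-256", auth="aes-xcbc", dh=14)]

if __name__ == "__main__":
    for pol in [DOC_EXAMPLE, *HARDENED]:
        print(command(pol))
        for line in warnings(pol):
            print("   WARN:", line)
```

Run it as a script to see the guide's example rendered with three warnings beside the hardened pair with none; use validate() on a policy before pasting its command line into the switch session.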