
Creating the tunnel – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual

Page 250

Creating the tunnel

Each side of the tunnel must be configured before the tunnel can come up. Stay logged in to the
switch for the whole procedure; every step below is run from the same session. IPsec
configuration changes take effect as soon as each command executes and persist across reboots.
Configure the following on each side of the tunnel:

1. Determine the authentication protocol and algorithm to be used on the tunnel.

Refer to Table 56 on page 247 to determine which algorithm to use in conjunction with a specific
authentication protocol.

2. Determine the type of keys to be used on the tunnel.

If you are using CA-signed keys, you must generate them before setting up your tunnels.

3. Enable IPsec.

a) Connect to the switch and log in using an account with admin permissions, or an account
associated with the chassis role and having OM permissions for the IPsec RBAC class of
commands.

b) Enter the ipSecConfig --enable command to enable IPsec on the switch.

4. Create an IPsec SA policy on each side of the tunnel using the ipSecConfig --add command.

Example of creating an IPsec SA policy

This example creates an IPsec SA policy named "AH01", which uses AH protection with HMAC-MD5
authentication. Run the same command on the switch at each end of the tunnel so that both sides
have an identical SA policy. HMAC-MD5, and the 3DES and modp1024 options in the later examples,
are legacy algorithms kept here for illustration; for a new tunnel choose the strongest algorithm
from Table 56 that both peers support.

switch:admin> ipsecconfig --add policy ips sa -t AH01 -p ah -auth hmac_md5

5. Create an IPsec proposal on each side of the tunnel using the ipSecConfig --add command.

Example of creating an IPsec proposal

This example creates an IPsec proposal named "IPSEC-AH" that uses "AH01" as its SA policy.

switch:admin> ipsecconfig --add policy ips sa-proposal -t IPSEC-AH -sa AH01

6. Import the pre-shared key file.

Refer to Configuring Protocols on page 173 for information on how to set up pre-shared keys and
certificates.

7. Configure the IKE policy using the ipSecConfig --add command.

Example of creating an IKE policy

This example creates an IKE policy named "IKE01" for the remote peer 10.33.74.13. The -remote and
-remoteid options name the peer, -id names the local switch, and -auth psk together with -psk
selects the pre-shared key file imported in step 6. On the peer switch the same policy is created
with the local and remote addresses exchanged.

switch:admin> ipsecconfig --add policy ike -t IKE01 -remote 10.33.74.13 -id 10.33.69.132 -remoteid 10.33.74.13 -enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth psk -dh modp1024 -psk ipseckey.psk

8. Create an IPsec transform on each switch using the ipSecConfig --add command.

Example of creating an IPsec transform

This example creates an IPsec transform named "TRANSFORM01" that uses transport mode to protect
traffic identified for IPsec protection and uses "IKE01" as its key management policy.

switch:admin> ipsecconfig --add policy ips transform -t TRANSFORM01 -mode transport -sa-proposal IPSEC-AH -action protect -ike IKE01
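Because steps 3 through 8 must be repeated on both switches with only the IKE identifiers swapped, the most common reason a tunnel fails to come up is a small mismatch between the two ends. The following script is an added example, not code from the Fabric OS Administrator's Guide: it assembles the ipsecconfig command strings for both ends from one shared set of parameters, checks that the two ends mirror each other, and flags the legacy algorithms the guide's examples use. Nothing is sent to a switch; the peer addresses, policy names and key file name are the guide's example values, and the consistency checks and legacy-algorithm list are the editor's additions. The traffic selector (step 9) is not generated because its syntax is not shown on this page.

```python
"""Mirror-check the ipSecConfig command set for both ends of a Fabric OS IPsec tunnel.

Added example, not code from the Fabric OS Administrator's Guide. It only assembles the
CLI strings for steps 3 through 8 and checks them; nothing is sent to a switch. Peer
addresses, policy names and the key file name are taken from the guide's examples;
the consistency checks and the legacy-algorithm list are the editor's additions. The
traffic selector (step 9) is not generated because its syntax is not on this page.
"""

from dataclasses import dataclass

# Algorithms the guide's examples use that are no longer recommended for new tunnels.
# Treating them as legacy is the editor's check, not a statement from the guide.
LEGACY_ALGORITHMS = {"hmac_md5", "3des_cbc", "modp1024"}


@dataclass(frozen=True)
class TunnelParams:
    """Values that must be identical on both ends of the tunnel (guide's example values)."""
    sa_name: str = "AH01"
    sa_protocol: str = "ah"
    sa_auth: str = "hmac_md5"
    proposal_name: str = "IPSEC-AH"
    ike_name: str = "IKE01"
    ike_enc: str = "3des_cbc"
    ike_hash: str = "hmac_md5"
    ike_prf: str = "hmac_md5"
    ike_dh: str = "modp1024"
    psk_file: str = "ipseckey.psk"
    transform_name: str = "TRANSFORM01"
    mode: str = "transport"


def side_commands(local_ip: str, remote_ip: str, p: TunnelParams) -> list[str]:
    """Commands typed on the switch at local_ip, peered with the switch at remote_ip.

    The SA policy, proposal and transform are identical on both ends; only the IKE
    policy differs, and only in which address is local (-id) and which is the peer
    (-remote / -remoteid).
    """
    return [
        "ipsecconfig --enable",
        f"ipsecconfig --add policy ips sa -t {p.sa_name} -p {p.sa_protocol} -auth {p.sa_auth}",
        f"ipsecconfig --add policy ips sa-proposal -t {p.proposal_name} -sa {p.sa_name}",
        f"ipsecconfig --add policy ike -t {p.ike_name} -remote {remote_ip} -id {local_ip} "
        f"-remoteid {remote_ip} -enc {p.ike_enc} -hash {p.ike_hash} -prf {p.ike_prf} "
        f"-auth psk -dh {p.ike_dh} -psk {p.psk_file}",
        f"ipsecconfig --add policy ips transform -t {p.transform_name} -mode {p.mode} "
        f"-sa-proposal {p.proposal_name} -action protect -ike {p.ike_name}",
    ]


def _options(cmd: str) -> dict[str, str]:
    """Parse the single-dash '-flag value' pairs out of one ipsecconfig command."""
    toks = cmd.split()
    return {toks[i]: toks[i + 1] for i in range(len(toks) - 1)
            if toks[i].startswith("-") and not toks[i].startswith("--")}


def check_mirror(side_a: list[str], side_b: list[str]) -> list[str]:
    """Return the mismatches that would keep the tunnel from coming up (empty if none).

    Every command except the IKE policy must be identical on the two ends. The IKE
    policies must mirror each other: -id on one end equals -remoteid on the other,
    -remote and -remoteid agree within each end, and all other options match.
    """
    problems: list[str] = []
    if len(side_a) != len(side_b):
        return ["the two ends have a different number of commands"]
    for a, b in zip(side_a, side_b):
        if "policy ike" not in a:
            if a != b:
                problems.append(f"mismatch: {a!r} vs {b!r}")
            continue
        oa, ob = _options(a), _options(b)
        for end, o in (("A", oa), ("B", ob)):
            if o.get("-remote") != o.get("-remoteid"):
                problems.append(f"end {end}: -remote and -remoteid disagree")
        if oa.get("-id") != ob.get("-remoteid") or ob.get("-id") != oa.get("-remoteid"):
            problems.append("IKE identifiers do not mirror between the ends")
        for k in ("-remote", "-id", "-remoteid"):
            oa.pop(k, None)
            ob.pop(k, None)
        if oa != ob:
            problems.append("IKE policies disagree on algorithms, DH group or key file")
    return problems


def legacy_warnings(cmds: list[str]) -> list[str]:
    """Flag option values that name a legacy algorithm, sorted for stable output."""
    found = sorted({v for c in cmds for v in _options(c).values() if v in LEGACY_ALGORITHMS})
    return [f"legacy algorithm in use: {alg}" for alg in found]


if __name__ == "__main__":
    params = TunnelParams()
    end_a = side_commands("10.33.69.132", "10.33.74.13", params)
    end_b = side_commands("10.33.74.13", "10.33.69.132", params)
    for label, cmds in (("10.33.69.132", end_a), ("10.33.74.13", end_b)):
        print(f"# on switch {label}")
        for c in cmds:
            print(f"switch:admin> {c}")
    print("mirror problems:", check_mirror(end_a, end_b) or "none")
    print("\n".join(legacy_warnings(end_a)))
```

Run it with two peer addresses and it prints the command set to paste into each switch's CLI in the order the steps above give them; the IKE command it emits for 10.33.69.132 is the same command shown in step 7. Change one parameter on only one end (for example the SA authentication algorithm) and check_mirror reports the mismatched command, which is exactly the kind of discrepancy that is hard to spot by eye across two sessions.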

9. Create a traffic selector on each switch using the ipSecConfig --add command.

Example of creating a traffic selector

Fabric OS Administrators Guide

53-1003130-01