Dell POWEREDGE M1000E User Manual
Fabric OS Command Reference
53-1001764-02
ipSecConfig
• Modify existing IPSec and IKE policies.
• Delete existing policies and SAs from the configuration database.
• Flush existing SAs from the kernel SA database (SADB).
• Display policy parameters.
Representation of IP addresses
When configuring IPSec policies, IP addresses and ports must be specified in the following format:
IP address
    IPv4 addresses are expressed in dotted decimal notation consisting of numeric characters (0-9)
    and periods (.), for example, 203.178.141.194.
    IPv6 addresses consist of hexadecimal digits (0-9, a-f, A-F), colons (:) and a percent sign (%)
    if necessary, for example, 2001:200:0:8002:203:47ff:fea5:3085.
network prefix
    A network prefix is represented by a number followed by a slash (/), for example: ::1/0.
Notes
IPSec configuration changes take effect upon execution and are persistent across reboot.
The execution of this command is subject to Virtual Fabric or Admin Domain restrictions that may
be in place. Refer to chapter 1, “Using Fabric OS commands” and Appendix A, “Command
Availability” for details.
This command does not provide IPSec protection for traffic flows on external management
interfaces of intelligent blades in a chassis, nor does it support protection of traffic flows on FCIP
interfaces.
This command does not support manipulating preshared keys corresponding to the identity of the
IKE peer or group of peers. Use secCertUtil to import, delete, or display the preshared keys in the
local switch database.
The MD5 hash algorithm is blocked when FIPS mode is enabled.
Refer to the example section for specific use cases and associated command sequences. Refer to
the Fabric OS Administrator’s Guide for configuration procedures.
This command accepts abbreviated operands. The abbreviated string must contain the minimum
number of characters necessary to uniquely identify the operand within the set of available
operands.
Operands
This command has the following operands:
--enable
    Enables IPSec on the switch. Existing IPSec configurations are enabled by this command.
    IPSec is by default disabled. It must be enabled before you can configure the policies and
    parameters. The following operand is optional:
    default
        Clears the existing policies (automatic key management and manual keyed entries) and
        resets the configuration databases to default values.
--disable
    Disables IPSec on the switch. All active TCP sessions are terminated when you disable IPSec.
--add | --modify
    Adds or modifies an IPSec or IKE policy in an existing enabled configuration. Not all
    parameters can be modified. Parameters that cannot be modified are indicated below. When
    modifying a policy the names and identifiers need to refer to valid existing entities. The
    syntax is as follows:
    --add | --modify type [subtype] [arguments]