Dell POWEREDGE M1000E User Manual

Fabric OS Command Reference

53-1001764-02

ipSecConfig

Modify existing IPSec and IKE policies.

Delete existing policies and SAs from the configuration database.

Flush existing SAs from the kernel SA database (SADB).

Display policy parameters.

Representation of IP addresses

When configuring IPSec policies, IP addresses and ports must be specified in the following format:

IP address

IPv4 addresses are expressed in dotted decimal notation consisting of numeric characters (0-9) and periods (.), for example, 203.178.141.194.

IPv6 addresses consist of hexadecimal digits (0-9, a-f, A-F), colons (:) and, where a zone identifier is needed, a percent sign (%), for example, 2001:200:0:8002:203:47ff:fea5:3085.

network prefix

A network prefix is written as the address followed by a slash (/) and the prefix length in bits, for example, ::1/0.
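The format rules above, as an added example that is not code from the manual or from Fabric OS: a small Python validator that accepts the three literals the manual gives and rejects strings outside the stated character sets, a zone identifier on an IPv4 address, a missing or non-numeric prefix length, or a prefix length beyond the family's maximum. The function names (parse_endpoint, check_all) and the malformed sample strings are illustrative assumptions; ipSecConfig itself exposes nothing of the kind.

```python
import ipaddress
import re

# Character sets the manual specifies for each address family, plus decimal prefix length.
_IPV4_RE = re.compile(r"[0-9.]+")
_IPV6_RE = re.compile(r"[0-9a-fA-F:]+")
_PREFIX_RE = re.compile(r"[0-9]+")


def parse_endpoint(text):
    """Parse an address in the form the manual describes: IPv4 dotted decimal,
    or IPv6 hex groups with an optional %zone, either optionally followed by
    /prefix-length. Returns a dict with family, canonical address, zone and
    prefix (None when absent). Raises ValueError on anything else."""
    addr_part, slash, prefix_part = text.partition("/")
    addr_part, percent, zone = addr_part.partition("%")

    if ":" in addr_part:
        if not _IPV6_RE.fullmatch(addr_part):
            raise ValueError(f"IPv6 address has characters outside 0-9, a-f, A-F and ':': {text!r}")
        # AddressValueError is a ValueError subclass, so malformed groups are rejected too.
        address = ipaddress.IPv6Address(addr_part)
        family, max_prefix = 6, 128
    else:
        if not _IPV4_RE.fullmatch(addr_part):
            raise ValueError(f"IPv4 address has characters outside 0-9 and '.': {text!r}")
        address = ipaddress.IPv4Address(addr_part)
        family, max_prefix = 4, 32
        if percent:
            # The manual allows the percent sign only in IPv6 addresses.
            raise ValueError(f"zone identifier is not valid on an IPv4 address: {text!r}")

    if percent and not zone:
        raise ValueError(f"percent sign without a zone identifier: {text!r}")

    prefix = None
    if slash:
        if not _PREFIX_RE.fullmatch(prefix_part):
            raise ValueError(f"prefix length must be a decimal number: {text!r}")
        prefix = int(prefix_part)
        if prefix > max_prefix:
            raise ValueError(f"prefix length {prefix} exceeds {max_prefix} for IPv{family}: {text!r}")

    return {"family": family, "address": str(address), "zone": zone or None, "prefix": prefix}


def check_all(samples):
    """Run parse_endpoint over each string; map input -> parsed dict or 'rejected: <reason>'."""
    report = {}
    for s in samples:
        try:
            report[s] = parse_endpoint(s)
        except ValueError as exc:
            report[s] = f"rejected: {exc}"
    return report


# Constructed sample inputs: the three literals from the manual followed by
# illustrative malformed strings (assumed, not taken from the manual).
SAMPLES = [
    "203.178.141.194",
    "2001:200:0:8002:203:47ff:fea5:3085",
    "::1/0",
    "fe80::1%eth0/64",
    "203.178.141.194/33",
    "203.178.141.194%eth0",
    "2001:db8::g",
    "10.0.0.1/",
]

if __name__ == "__main__":
    for k, v in check_all(SAMPLES).items():
        print(f"{k:40} -> {v}")
```

The validator returns the canonical form from the ipaddress module, so a policy entered with mixed-case hex or an uncompressed IPv6 literal compares equal to one entered differently; that matters when checking that a modify refers to an existing entity.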

Notes

IPSec configuration changes take effect upon execution and are persistent across reboot.

The execution of this command is subject to Virtual Fabric or Admin Domain restrictions that may be in place. Refer to chapter 1, “Using Fabric OS commands” and Appendix A, “Command Availability” for details.

This command does not provide IPSec protection for traffic flows on external management
interfaces of intelligent blades in a chassis, nor does it support protection of traffic flows on FCIP
interfaces.

This command does not support manipulating preshared keys corresponding to the identity of the
IKE peer or group of peers. Use secCertUtil to import, delete, or display the preshared keys in the
local switch database.

The MD5 hash algorithm is blocked when FIPS mode is enabled.

Refer to the example section for specific use cases and associated command sequences. Refer to
the Fabric OS Administrator’s Guide for configuration procedures.

This command accepts abbreviated operands. The abbreviated string must contain the minimum
number of characters necessary to uniquely identify the operand within the set of available
operands.
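The abbreviation rule above, as an added example that is not code from the manual or from Fabric OS: a Python resolver that expands an abbreviated operand to its full name only when the prefix is unique, and reports the candidates when it is not (for instance "d" could be disable or delete). The operand set is an assumption: enable, disable, add and modify appear on this page, while "delete" and "flush" are spellings inferred from the command's summary lines and not confirmed by the page. The function names are illustrative.

```python
# Operand names as they appear on this page of the ipSecConfig reference
# (enable, disable, add, modify). "delete" and "flush" are assumed spellings
# taken from the command's summary lines, not confirmed by the page.
OPERANDS = ("enable", "disable", "add", "modify", "delete", "flush")


def _strip_dashes(token):
    return token[2:] if token.startswith("--") else token


def candidates(token, operands=OPERANDS):
    """All operands the (possibly abbreviated) token is a prefix of, in set order."""
    name = _strip_dashes(token)
    return [op for op in operands if op.startswith(name)]


def resolve_operand(token, operands=OPERANDS):
    """Expand an abbreviated operand (with or without the leading "--") to its
    full name. An exact match always wins; otherwise the abbreviation must be
    a prefix of exactly one operand, or a ValueError names the candidates."""
    name = _strip_dashes(token)
    if not name:
        raise ValueError("empty operand")
    if name in operands:
        return name
    matches = candidates(token, operands)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown operand {token!r}")
    raise ValueError(f"ambiguous operand {token!r}: matches {', '.join(matches)}")


def minimum_abbreviations(operands=OPERANDS):
    """For each operand, the shortest prefix that identifies it uniquely within
    the set (the minimum the manual says an abbreviation must contain)."""
    shortest = {}
    for op in operands:
        for n in range(1, len(op) + 1):
            prefix = op[:n]
            if sum(other.startswith(prefix) for other in operands) == 1:
                shortest[op] = prefix
                break
        else:
            # Reached only when one operand is a prefix of another; the full name is then required.
            shortest[op] = op
    return shortest


if __name__ == "__main__":
    print(minimum_abbreviations())
    for tok in ("--e", "--di", "--d"):
        try:
            print(tok, "->", resolve_operand(tok))
        except ValueError as exc:
            print(tok, "->", exc)
```

The practical consequence for scripted administration: a prefix that is unique today ("de" for delete) can become ambiguous if a later firmware adds an operand with the same leading characters, so scripts should spell operands out in full rather than rely on the minimum abbreviation.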

Operands

This command has the following operands:

--enable

Enables IPSec on the switch. Existing IPSec configurations are enabled by this command. IPSec is disabled by default; it must be enabled before you can configure the policies and parameters. The following operand is optional:

default

Clears the existing policies (automatic key management and manual keyed
entries) and resets the configuration databases to default values.

--disable

Disables IPSec on the switch. All active TCP sessions are terminated when you disable IPSec.

--add | --modify

Adds or modifies an IPSec or IKE policy in an existing enabled configuration. Not all parameters can be modified. Parameters that cannot be modified are indicated below. When modifying a policy, the names and identifiers need to refer to valid existing entities. The syntax is as follows:

--add | --modify type [subtype] [arguments]