
Security certificates, Static security associations, Creating the tunnel – Dell POWEREDGE M1000E User Manual


Fabric OS Administrator's Guide, 53-1002745-02, page 236
Chapter 7: Management interface security

The ipsecConfig command does not support manipulating pre-shared keys corresponding to the identity of the IKE peer or group of peers. Use the secCertUtil command to import, delete, or display the pre-shared keys in the local switch database. For more information on this procedure, refer to Chapter 6, “Configuring Protocols”.

Security certificates

A certificate is one of the available methods IKE can be configured to use for primary authentication. You can specify the local public key and private key (in X.509 PEM format) and the peer public key (in X.509 format) to be used in a particular IKE policy.

Use the secCertUtil import command to import the public key, private key and peer public key (in X.509 PEM format) into the switch database. For more information on this procedure, refer to Chapter 6, “Configuring Protocols”.

ATTENTION

The CA certificate file must be named ipsecCA.pem.
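As an added example (not part of the manual and not Fabric OS code), the following Python script performs the checks a practitioner would want to run on the management host before handing files to secCertUtil import: each file must contain exactly one PEM block whose label matches its role, a certificate payload must decode to DER shaped like an X.509 Certificate (SEQUENCE of tbsCertificate, signatureAlgorithm and signatureValue, per RFC 5280), and the CA certificate must be named ipsecCA.pem as the ATTENTION note requires. The role names, the accepted-label table and the sample PEM data are assumptions constructed for this example; the sample "certificate" is a structural placeholder, not a real certificate.

```python
import base64
import os
import re

# Assumption for this example: which PEM labels each role may carry.
EXPECTED_LABELS = {
    "local_cert": {"CERTIFICATE"},
    "local_key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "peer_cert": {"CERTIFICATE"},
    "ca_cert": {"CERTIFICATE"},
}
REQUIRED_CA_FILENAME = "ipsecCA.pem"  # file name the switch expects (from the manual)

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(data):
    """Return [(label, der_bytes)] for each PEM block; raises ValueError on bad base64."""
    out = []
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode()
        body = b"".join(m.group(2).split())
        out.append((label, base64.b64decode(body, validate=True)))
    return out


def der_tlv(buf, pos=0):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds data")
    return tag, pos, pos + length


def looks_like_x509(der):
    """Structural check: Certificate ::= SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    tag, pos, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        return False
    tags = []
    while pos < end:
        t, _, pos = der_tlv(der, pos)
        tags.append(t)
    return tags == [0x30, 0x30, 0x03]


def check_file(role, path, data):
    """Return a list of problems; an empty list means the file is ready to import."""
    problems = []
    name = os.path.basename(path)
    if role == "ca_cert" and name != REQUIRED_CA_FILENAME:
        problems.append(f"CA certificate must be named {REQUIRED_CA_FILENAME}, got {name}")
    try:
        blocks = pem_blocks(data)
    except ValueError as e:
        return problems + [f"bad base64: {e}"]
    if len(blocks) != 1:
        return problems + [f"expected exactly one PEM block, found {len(blocks)}"]
    label, der = blocks[0]
    if label not in EXPECTED_LABELS[role]:
        problems.append(f"{role}: unexpected PEM label {label}")
    if label == "CERTIFICATE":
        try:
            if not looks_like_x509(der):
                problems.append("DER payload is not shaped like an X.509 Certificate")
        except (ValueError, IndexError) as e:
            problems.append(f"malformed DER: {e}")
    return problems


def pem_wrap(label, der):
    """Wrap DER bytes in a single PEM block (used only to build the constructed samples)."""
    lab = label.encode()
    return b"-----BEGIN " + lab + b"-----\n" + base64.b64encode(der) + b"\n-----END " + lab + b"-----\n"


# Constructed samples: a placeholder with the outer shape of a certificate, not a real one.
FAKE_CERT_DER = bytes.fromhex("3007" "3000" "3000" "030100")
GOOD_CERT_PEM = pem_wrap("CERTIFICATE", FAKE_CERT_DER)
KEY_AS_PEER_PEM = pem_wrap("RSA PRIVATE KEY", b"\x30\x00")       # wrong material for a peer cert
BAD_DER_PEM = pem_wrap("CERTIFICATE", bytes.fromhex("30020200"))  # SEQUENCE { INTEGER }, not a cert
TRUNCATED_PEM = pem_wrap("CERTIFICATE", b"\x30\x05\x30\x00")      # length claims more bytes than present

if __name__ == "__main__":
    for role, path, data in [("ca_cert", "/tmp/ipsecCA.pem", GOOD_CERT_PEM),
                             ("ca_cert", "/tmp/ca.pem", GOOD_CERT_PEM),
                             ("peer_cert", "/tmp/peer.pem", KEY_AS_PEER_PEM),
                             ("local_cert", "/tmp/local.pem", BAD_DER_PEM),
                             ("local_cert", "/tmp/cut.pem", TRUNCATED_PEM)]:
        print(role, path, check_file(role, path, data) or "OK")
```

The structural check deliberately stops at the outer shape: it catches a private key or a CSR-looking blob handed over as a certificate and a file that was truncated in transfer, which are the mistakes that surface only as an opaque import failure on the switch. Full validation of the certificate chain still belongs to an X.509 library.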

Static Security Associations

Manual Key Entry (MKE) provides the ability to manually add, delete and flush SA entries in the SADB. Manual SA entries may not have an associated IPsec policy in the local policy database. Manual SA entries are persistent across system reboots.
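The manual says only that MKE adds, deletes and flushes SA entries. As an added example that is not Fabric OS code, the following Python models what a manually keyed SA carries (SPI, destination, protocol, integrity algorithm and a static key entered identically on both ends) and how a receiver matches an inbound packet against its SADB by SPI before checking the integrity value, using hmac-sha1-96 as specified in RFC 2404. The class and function names, the toy packet layout (4-byte SPI, payload, 12-byte ICV) and the sample keys are assumptions constructed for this example; a real AH or ESP header carries further fields and, for ESP, encryption.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ManualSA:
    """One statically keyed security association (assumed field set for this model)."""
    spi: int          # Security Parameter Index carried in the AH/ESP header
    dst: str          # destination address the SA is bound to
    proto: str        # "ah" or "esp"
    auth_alg: str     # integrity algorithm, only "hmac-sha1-96" is modelled
    auth_key: bytes   # static key: never negotiated, must match on both ends


class SADB:
    """Toy SA database with the add/delete/flush operations MKE exposes."""

    def __init__(self):
        self._entries = {}

    def add(self, sa):
        self._entries[(sa.spi, sa.dst, sa.proto)] = sa

    def delete(self, spi, dst, proto):
        self._entries.pop((spi, dst, proto), None)

    def flush(self):
        self._entries.clear()

    def lookup(self, spi, dst, proto):
        # Inbound SAs are selected by SPI (plus destination and protocol), RFC 4301 style.
        return self._entries.get((spi, dst, proto))


def icv(sa, data):
    """Integrity Check Value: HMAC-SHA1 truncated to 96 bits (RFC 2404)."""
    if sa.auth_alg != "hmac-sha1-96":
        raise ValueError("only hmac-sha1-96 is modelled here")
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:12]


def protect(sa, payload):
    """Sender side: SPI || payload || ICV over everything before it."""
    header = sa.spi.to_bytes(4, "big")
    return header + payload + icv(sa, header + payload)


def verify(sadb, dst, proto, packet):
    """Receiver side: find the SA by SPI, recompute the ICV; return payload or None."""
    if len(packet) < 16:  # 4-byte SPI plus 12-byte ICV is the minimum
        return None
    spi = int.from_bytes(packet[:4], "big")
    sa = sadb.lookup(spi, dst, proto)
    if sa is None:  # unknown SPI: no manual SA was entered for it on this side
        return None
    body, tag = packet[:-12], packet[-12:]
    if not hmac.compare_digest(tag, icv(sa, body)):
        return None  # key mismatch or tampering: drop silently, as IPsec does
    return body[4:]


def demo():
    """Both ends share the SA; a peer with a different key or SPI is rejected."""
    sadb = SADB()
    sa = ManualSA(0x100, "10.0.0.2", "ah", "hmac-sha1-96", b"\x01" * 20)  # constructed key
    sadb.add(sa)
    good = verify(sadb, "10.0.0.2", "ah", protect(sa, b"hello"))
    wrong_key = ManualSA(0x100, "10.0.0.2", "ah", "hmac-sha1-96", b"\x02" * 20)
    bad = verify(sadb, "10.0.0.2", "ah", protect(wrong_key, b"hello"))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The point the model makes is operational: nothing in the exchange tells either side that the static keys differ, so a manual SA that was typed with a mismatched key, SPI or protocol on one end fails silently as dropped packets, which is why the same SA must be entered on both sides of the tunnel before testing it.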

Creating the tunnel

Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged into the switch, do not log off, as each step requires that you be logged in to the switch. IPsec configuration changes take effect upon execution and are persistent across reboots. Configure the following on each side of the tunnel:

NOTE

A backslash ( \ ) is used to skip the return character so you can continue the command on the next
line without the return character being interpreted by the shell.

1. Determine the authentication protocol and algorithm to be used on the tunnel.

Refer to Table 46 on page 234 to determine which algorithm to use in conjunction with a specific authentication protocol.

2. Determine the type of keys to be used on the tunnel.

If you are using CA signed keys, you must generate them prior to setting up your tunnels.

3. Enable IPsec.

a. Connect to the switch and log in using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the IPsec RBAC class of commands.

b. Enter the ipsecConfig --enable command to enable IPsec on the switch.

4. Create an IPsec SA policy on each side of the tunnel using the ipsecConfig --add command.