Brocade Communications Systems 53-1001763-02 IKE policies

Fabric OS Administrator’s Guide 169

53-1001763-02

Management interface security 7

IKE policies

When IKE is used as the key management protocol, IKE policy defines the parameters used in IKE

negotiations needed to establish IKE SA and parameters used in negotiations to establish IPsec

SAs. These include the authentication and encryption algorithms, and the primary authentication

method, such as preshared keys, or a certificate-based method, such as RSA signatures.

The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet

Key Exchange (IKE) protocol handles key management automatically. SAs require keying material

for authentication and encryption. The managing of keying material that SAs require is called key

management.

The IKE protocol solves the most prominent problem in the setup of secure communication: the

authentication of the peers and the exchange of the symmetric keys. It then creates the security

associations and populates the SADB.

The manual key/SA entry requires the keys to be generated and managed manually. For the

selected authentication or encryption algorithms, the correct keys must be generated using a third

party utility on your LINUX system. The key length is determined by the algorithm selected.

Linux IPsec-tools 0.7 provides tools for manual key entry (MKE) and automatic keyed connections.

The LINUX setKey command can be used for manually keyed connections, which means that all

parameters needed for the setup of the connection are provided by you. Based on which protocol,

algorithm, and key used for the creation of the security associations, the switch populates the

security association database (SAD) accordingly.

A pre-shared key has the .psk extension and is one of the available methods IKE can be configured

to use for primary authentication. You can specify the pre-shared keys used in IKE policies; add and

delete pre-shared keys (in local database) corresponding to the identity of the IKE peer or group of

peers.

The ipSecConfig command does not support manipulating pre-shared keys corresponding to the

identity of the IKE peer or group of peers. Use the secCertUtil command to import, delete, or display

the pre-shared keys in the local switch database. For more information on this procedure, refer to

Chapter 6, “Configuring Protocols”.

A certificate is one of the available methods IKE can be configured to use for primary

authentication. You can specify the local public key and private key (in X.509 PEM format) and peer

public key (in X.509 format) to be used in a particular IKE policy.

Use the secCertUtil import command to import public key, private key and peer-public key (in X.509

PEM format) into the switch database. For more information on this procedure, refer to Chapter 6,

“Configuring Protocols”.

ATTENTION

The CA certificate name must have the IPSECCA.pem name.