Brocade Communications Systems 53-1001763-02 Creating the tunnel

170 Fabric OS Administrator’s Guide

53-1001763-02

Management interface security

Manual Key Entry (MKE) provides the ability to manually add, delete and flush SA entries in the

SADB. Manual SA entries may not have an associated IPsec policy in the local policy database.

Manual SA entries are persistent across system reboots.

Creating the tunnel

These instructions do not take the place of creating a tunnel for either a FR4-18i or FX8-24. For

information on creating tunnels for those application blades, refer to the Fibre Channel over IP

Administrator’s Guide

Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged

into the switch, do not log off as each step requires that you are logged in to the switch. IPsec

configuration changes take effect upon execution and are persistent across reboots. Configure the

following on each side of the tunnel:

NOTE

A backslash ( \ ) is used to skip the return character so you can continue the command on the next

line without the return character being interpreted by the shell.

1. Determine the authentication protocol and algorithm to be used on the tunnel.

Refer to Table 41 on page 168 to determine which algorithm to use in conjunction with a

specific authentication protocol.

2. Determine the type of keys to be used on the tunnel.

If you are using CA signed keys, you must generate them prior to setting up your tunnels.

3. Enable IPsec.

a. Connect to the switch and log in using an account assigned to the admin role.

b. Enter the ipSecConfig --enable command to enable IPsec on the switch.

4. Create an IPsec SA policy on each side of the tunnel using the ipSecConfig --add command.

Example of creating an IPsec SA policy

This example creates an IPsec SA policy named AH01, which uses AH protection with MD5. You

would run this command on each switch; on each side of the tunnel so that both sides have

the same IPsec SA policy.

switch:admin> ipsecconfig --add policy ips sa -t AH01 -p ah -auth hmac_md5

5. Create an IPsec proposal on each side of the tunnel using the ipSecConfig --add command.

Example of creating an IPsec proposal

This example creates an IPsec proposal IPSEC-AH to use AH01 as SA.

switch:admin> ipsecconfig --add policy ips sa-proposal -t IPSEC-AH –sa AH01

6. Import the pre-shared key file.

Refer to Chapter 6, “Configuring Protocols” for information on how to set up pre-shared keys

and certificates.

7. Configure the IKE policy using the ipSecConfig --add command.