The usage of IPsec has the following limitations:
Network Address Translation (NAT) is not supported.
Authentication Header (AH) is not supported.
IPsecsupportsIPv6 andIPv4-based tunnels.
IPsecis not allowed with the
option set to anything other than the default.--connection-typetunnel
Creating and usingIPsecpolicies is recommended for securing data transmission across a network, especially a network beyond the confines of a secure data center.IPsecis enabled at the tunnel level, not the circuit level, which means all of a circuit of a tunnel is encrypted and use the sameIPsecsettings. Different tunnels can have uniqueIPsecsettings.IPsecuses Internet Key Exchange (IKE) to set up the security association. The key exchange can be through apre-shared key (PSK) or a public-key infrastructure (PKI).
When runningIPsec, both sides of the extension tunnel mustbe running the same Fabric OS version.When you use aPSK, both ends of the secure tunnel must be configured with the same key string. If both ends are not configured with the same key, theIKE session will not start and the extension tunnel will not be able to be established.
Thepre-shared key must be a string of 16 to 64 alpha-numeric characters.The following are the requirements for PKI:
X.509 certificates are supported.
ECDSAcertificates are supported only on the Brocade Extension platforms.
Non-ECDSA certificates are not supported.
PKI support is restricted to key-size P384 and hash-type SHA384.
For more information about configuring and managing certificates using the secCertMgmt
Brocade Fabric OS Administration Guide
An IPsec policy must be defined before IPsec can be enabled on a tunnel. Multiple IPsec policies can be defined; however, only one policy can be applied to a tunnel. All circuits in the tunnel use the same IPsec policy.
An IPsec policy can be modified while the policy is assigned to a tunnel or WAN Tool session.Sometimes, the local and remote sides become out of sync, preventing the tunnel from coming up and displaying an authentication error.
For more information on how to restart IKE authentication, see IPsec IKE Authentication Failures.
When you use thePSK, the IPsec policy must be configured with the same PSK on each end of the tunnel. The policy name can be different at each end, but the key must be the same.
Use the following steps to create, enable, or disable the IPsec policy:
Connect to the switch and log on as an admin.
Enter the
ipsec-policy--help
command. For example,portcfgipsec-policy--help
.switch:FID128:admin> portcfg ipsec-policy --helpUsage: portCfg ipsec-policy <name> { create [<args>] | modify [<args>] | delete | restart | --help }Name Format: <string> - The IPSec Policy name(Min 1 character, Max 31 characters). Cannot contain the following special characters: ;$!#`/\><&'"=,?.*^{}()Option: create - Create the specified IPSec Policy modify - Modify the specified IPSec Policy delete - Delete the specified IPSec Policy restart - Restart all inactive IKE sessions for this policy help - Show this usage messageOptional Arguments: -p,--profile { preshared | pki } - - Set the IPSec-Profile. -k,--preshared-key <16-64> - - String value for preshared key (for authentication method "SHARED_KEY"). -K,--keypair <keypair name> - Name of the keypair. Max 31 Chars (for authentication method "ECDSA_P384"). -h,--help - Show the IPSec-Policy configuration usage statement.Example: portcfg ipsec-policy myPolicy create --preshared-key 1234567890abcdef
Use the
portcfg ipsec-policy create
command to define a policy. The pre-shared key must be 16 through 64 characters long.The following example creates an IPsec policy with the name myPolicy1.switch:admin> portcfg ipsec-policy myPolicy1 create -k "123ashorttestkey" Operation Succeeded.
After creating the IPsec policy, apply it to the tunnel. Use the
portcfg fciptunnel modify
command to enable a policy on a tunnel.Applying anIPsecpolicy to a tunnel is disruptive when modifying anonlinetunnel.
The following example uses the
portcfg fciptunnel<ve> modify
command to enable the policy myPolicy1 for an existing tunnel. IPsec must be enabled on both ends of the tunnel.switch:admin> portcfg fciptunnel 24 modify --ipsec myPolicy1!!!! WARNING !!!!Modify operation can disrupt the traffic on the fciptunnel specified for a brief period of time. This operation will bring the existing tunnel down (if tunnel is up) before applying new configuration.Continue with Modification (Y,y,N,n): [ n]y Operation Succeeded
Use the
portshow ipsec-policy
command to display the available IPsec policies.The following example displays the IPsec policy name and policy key. You must use the--password
option to display the key; otherwise, it is represented as a string of asterisks.switch:admin> portshow ipsec-policy --password IPSec Policy Flg Authentication data-------------------------------------------------------------------------------- MyIPsec S-- CwYQBFJUAo87zGRApVvIWxiINtmAZJtn MyIPsec2 S-- abcdefghijklmnopqrstuvwxyz1234567890--------------------------------------------------------------------------------Flags: *=Name Truncated. Use "portshow ipsec-policy -d for details". P=PKI Profile S=Shared-Key Profile X=Expired Cert M=Hash Mismatch
The following example displays IKE information on a tunnel with IPsec enabled. Notice that the
option is not used.--password
switch:admin> portshow ipsec-policy --ikeIPSec Policy Flg Authentication dataIKE-ID Oper Flg Local-Addr Remote-Addr IKE Rekey ESP Rekey-------------------------------------------------------------------myPolicy1 S-- ****************dp0.0 UP I 192.168.0.1 192.168.0.2 5h59m51s 303 3h20m10s 1080dp0.1 UP R 192.168.1.1 192.168.1.2 - - - -dp1.0 UP R 192.168.2.1 192.168.2.2 - - - --------------------------------------------------------------------Flags: *=Name Truncated. Use "portshow ipsec-policy -d for details". P=PKI Profile S=Shared-Key Profile X=Expired Cert M=Hash Mismatch I=Initiator R=Responder
The following example displays additional detail information on a tunnel with IPsec enabled:
switch:admin> portshow ipsec-policy --detail IPSec-policy: MyIPsec------------------------------------------------ Preshared-Key: ******************************** Profile: preshared Authentication: SHARED_KEY Encryption: AES_256_GCM Integrity: NONE Diffie Hellman: MODP_2048 Pseudo Random Function: HMAC_512 Num IKE Sessions: 1
To disable an IPsec policy on a tunnel, use the
portcfg fciptunnel<ve> modify
command. The following example disables the IPsec policy on tunnel 24:switch:admin> portcfg fciptunnel 24 modify --ipsec none!!!! WARNING !!!!Modify operation can disrupt the traffic on the fciptunnel specified for a brief period of time. This operation will bring the existing tunnel down (if tunnel is up) before applying new configuration.Continue with Modification (Y,y,N,n): [ n] y Operation Succeeded
To delete an IPsec policy, use the
portcfg ipsec-policy delete
command.The following example deletes the IPsec policy, myPolicy1. You cannot delete a policy that is in use.switch:admin> portcfg ipsec-policy myPolicy1 delete Operation Succeeded
To create an IPsec policy using public-key infrastructure (PKI), use the
portcfg ipsec-policy policy1 create--profilepki
command.A certificate must have previously been generated either by self-signing or through aCSRfrom a CA, refer to the
seccertmgmt
command for more information.The following example creates a PKI policy:
switch:admin> portcfg ipsec-policy policy1 create –-profile pki --key-pair MyKeyPair Operation Succeeded
Use the
portshow ipsec-policy --detail
command to display the details.The following example shows IPsec with active IKE sessions. The summary info for the IKE data includes the remote certificate that is requested and an indicator if the hash matches or not.switch:admin> portshow ipsec-policy -iIPSec Policy Flg Authentication dataIKE-ID Oper Flg Local-Addr Remote-Addr IKE Rekey ESP Rekey-------------------------------------------------------------------ec_pol2 Loc Cert: ven60.pem Hash: Matcheddp0.0 UP R 172.16.0.0 172.16.0.1 - - - - Rem Cert: sb65.pem Hash: Matcheddp0.1 UP R 172.16.0.2 172.16.0.3 - - - - Rem Cert: sb125.pem Hash: Matched--------------------------------------------------------------------Flags: *=Name Truncated. Use "portshow ipsec-policy -d for details".I=Initiator R=Responder
To modify a PSK policy, only the pre-shared key must be modified.
switch:admin> portcfg ipsec-policy MyPSKPolicy modify --preshared-key asdf1234asdf1234!!!! WARNING !!!!Modify operation can disrupt the traffic on any tunnel using this IPSec policy. This operation may bring the existing tunnel down (if tunnel is up) before applying new configuration.Continue with Modification (Y,y,N,n): [ n] y Operation Succeeded
To modify a PKI policy, modify the profile and the authentication data. Both actions must occur at the same time.
switch:admin> portcfg ipsec-policy MyPKIPolicy modify --profile pki --keypair MyKeyPair!!!! WARNING !!!!Modify operation can disrupt the traffic on any tunnel using this IPSec policy. This operation may bring the existing tunnel down (if tunnel is up) before applying new configuration.Continue with Modification (Y,y,N,n): [ n] y Operation Succeeded
switch:admin> portshow ipsec-policy --detail IPSec-policy: policy1---------------------------------------------------------Profile: PKIEncryption: AES-256-CBCPseudo-Random: PRF-HMAC-384Integrity: HMAC-SHA-384-192Diffie-Hellman: ECDH-P384 Authentication: ECDSA-P384Key-Pair: MyKeyPairCertificate: MyKeyPair_cert.pemCertificate Hash: aff6fea1b19d81ea43aa72f4275a9cf550edadc0Num IKE Session: 0
