Home » HP Manuals » Storage Devices » HP 1606 » Manual Viewer

HP 1606 Fabric OS FCIP Administrators Guide v6.4.0 (53-1001766-01, November 20 - Page 61

IPsec configuration, IPsec parameters, TABLE 10

Add to My Manuals
Save this manual to your list of manuals

Page 61 highlights

IPSec implementation over FCIP 3 • Secure Tunnels cannot be defined with VLAN Tagged connections. IPsec configuration IPsec requires predefined configurations for IKE and IPsec. You can enable IPsec only when these configurations are well-defined and properly created in advance. The following describes the sequence of events that invokes the IPsec protocol. 1. Traffic from an IPsec peer with the lower local IP address initiates the IKE negotiation process. 2. IKE negotiates SAs and authenticates IPsec peers, and sets up a secure channel for negotiation of phase 2 (IPsec) SAs. 3. IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated SA parameters include encryption and authentication algorithms, Diffie-Hellman key exchange, and SA lifetimes. 4. Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the SA database. 5. IPsec tunnel termination. SA lifetimes terminate through deletion or by timing out. All of these steps require that the correct policies have been created. Because policy creation is an independent procedure from FCIP tunnel creation, you must know which IPsec configurations have been created. This ensures that you choose the correct configurations when you enable an IPsec tunnel. The first step to configuring IPsec is to create a policy for IKE and a policy for IPsec. Once the policies have been created, you assign the policies when creating the FCIP tunnel. IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method. Once the two phases of the negotiation are completed successfully, the actual encrypted data transfer can begin. IPsec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPsec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters. You can delete and recreate any policy as long as the policy is not being used by an active FCIP tunnel. Each FCIP tunnel is configured separately and may have the same or different IKE and IPsec policies as any other tunnel. Only one IPsec tunnel can be configured for each GbE port. IPsec parameters When creating policies, the parameters listed in Table 10 are fixed and cannot be modified. TABLE 10 Fixed policy parameters Parameter Fixed Value IKE negotiation protocol ESP IKE negotiation authentication method 3DES encryption AES encryption Main mode Tunnel mode Preshared key Key length of 168 bits Key length of 128 or 256 Fabric OS FCIP Administrator's Guide 47 53-1001766-01

Section	Page
Contents	5
About This Document	9
In this chapter	9
How this document is organized	9
Supported hardware and software	9
What’s new in this document	10
Document conventions	10
Text formatting	10
Command syntax conventions	11
Notes, cautions, and warnings	11
Key terms	11
Notice to the reader	12
Additional information	12
Brocade resources	12
Other industry resources	12
Getting technical help	13
Document feedback	14
FCIP overview	15
In this chapter	15
FCIP platforms and supported features	15
FCIP concepts	17
IP WAN network considerations	17
FCIP on the 7800 Switch and FX8-24 Blade	19
In this chapter	19
7800 switch hardware overview	20
7800 switch license options	20
VE_Ports and FCIP tunnels on the 7800 switch	21
FCIP trunking capacity on the 7800 switch	21
FX8-24 blade hardware overview	22
FX8-24 blade licensing options	24
VE_Ports and FCIP tunnels on the FX8-24 blade	24
FCIP trunking capacity on the FX8-24 blade	24
FCIP trunking	24
Design for redundancy and fault tolerance	25
FCIP tunnel restrictions for FCP and FICON acceleration features	25
FCIP circuits	25
FCIP circuit failover capabilities	26
Bandwidth calculation during failover	27
Adaptive Rate Limiting	28
FSPF link cost calculation when ARL is used	28
QoS SID/DID priorities over an FCIP trunk	29
QOS, DSCP, and VLANs	30
DSCP quality of service	30
VLANs and layer two quality of service	30
When both DSCP and L2CoS are used	30
DSCP and VLAN support on FCIP circuits	31
Managing the VLAN tag table	33
Compression options	34
IPSec implementation over FCIP tunnels	34
Limitations in using IPSec over FCIP tunnels	34
IPSec for the 7800 and FX8-24 blade	35
Enabling IPSec and IKE policies	35
Open Systems Tape Pipelining	37
FCIP Fastwrite and OSTP configurations	37
Support for IPv6 Addressing	38
IPv6 with Embedded IPv4 Addresses	39
Configuration preparation	40
Configuration steps	40
Setting VE_ports to persistently disabled state	41
Configuring VEX_ports	41
Configuring the media type for GbE ports 0 and 1 (7800 switch only)	41
Setting the GbE port operating mode (FX8-24 blade only)	42
Configuring a GbE or XGE port IP address	43
Configuring an IP route	44
Validating IP connectivity	44
Creating an FCIP tunnel	45
Creating additional FCIP circuits	49
Verifying the FCIP tunnel configuration	49
Enabling persistently disabled ports	50
Modifying an FCIP tunnel	51
Modifying an FCIP circuit	51
Deleting an IP interface	51
Deleting an IP route	52
Deleting an FCIP tunnel	52
Deleting an FCIP circuit	52
Virtual fabrics and the FX8-24 blade	52
FCIP on the 7500 Switch and FR4-18i Blade	53
In this chapter	53
The 7500 switch and FR4-18i blade	54
7500 switch and FR4-18i blade ports	55
FCIP Design Considerations for the 7500 switch and FR4-18i blade	55
Virtual ports and FCIP tunnels	56
Virtual Port Types	56
Compression on FCIP tunnels	57
Traffic shaping	57
FCIP services license	58
QoS implementation over FCIP	58
DSCP quality of service	58
L2CoS quality of service	58
When both DSCP and L2CoS are used	59
IPSec implementation over FCIP	59
IPsec configuration	61
IPsec parameters	61
Creating an IKE and IPsec policy	62
Displaying IKE and IPsec policy settings	63
Deleting an IKE and IPsec policy	63
Viewing IPsec information for an FCIP tunnel	64
Virtual Fabrics and FCIP	65
TCP Byte Streaming	65
Supported third party WAN optimizer hardware	65
Options for enhancing tape I/O performance	66
FCIP Fastwrite and OSTP	66
FCIP Fastwrite and OSTP configurations	67
Unsupported configurations for Fastwrite and OSTP	68
FCIP services configuration guidelines	70
Setting persistently disabled ports	71
Configuring VEX_Ports	71
Creating IP interfaces and routes	72
Creating an FCIP tunnel	75
Verifying the FCIP tunnel configuration	77
Enabling persistently disabled ports	79
Managing FCIP tunnels	81
Modifying and deleting QoS Settings	82
Deleting an FCIP tunnel	83
Deleting an IProute	83
Deleting an IP interface (IPIF)	84
Managing the VLAN tag table	84
FCIP Management and Troubleshooting	85
In this chapter	85
WAN performance analysis tools	85
The tperf option	85
The ipperf option	89
Ipperf performance statistics	90
Starting an ipperf session	90
Ipperf options	92
Using ping to test a connection	93
Using Traceroute	94
Portshow command usage	95
Displaying IP interfaces	95
Displaying IP routes	95
Displaying FCIP tunnel information	95
Displaying FCIP tunnel information (7800 switch and FX8-24 blade)	96
Displaying an FCIP tunnel with FCIP circuit information (7800 switch and FX8-24 blade)	96
Displaying FCIP tunnel performance (7800 switch and FX8-24 blade)	98
Displaying FCIP tunnel TCP connections (7800 switch and FX8-24 blade)	98
Displaying FCIP circuits (7800 switch and FX8-24 blade)	100
Displaying a single circuit	101
Displaying FCIP circuit performance (7800 switch and FX8-24 blade)	101
Displaying QoS prioritization for a circuit	102
Displaying FCIP tunnel information (7500 switch/FR4-18i blade)	103
FCIP tunnel issues	106
FCIP links	108
Gathering additional information	109
FTRACE concepts	110
Displaying the trace for a tunnel	111
Deleting an FTRACE configuration for a tunnel	112
Example of capturing an FTRACE on a tunnel	113

Match case Limit results 1 per page

Fabric OS FCIP Administrator’s Guide

53-1001766-01

IPSec implementation over FCIP

•

Secure Tunnels cannot be defined with VLAN Tagged connections.

IPsec configuration

IPsec requires predefined configurations for IKE and IPsec. You can enable IPsec only when these

configurations are well-defined and properly created in advance.

The following describes the sequence of events that invokes the IPsec protocol.

Traffic from an IPsec peer with the lower local IP addres

initiates the IKE negotiation process.

IKE negotiates SAs and authenticates IPsec peers, and sets up a secure channel for

negotiation of phase 2 (IPsec) SAs.

IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated

SA parameters include encryption and authentication algorithms, Diffie-Hellman key exchange,

and SA lifetimes.

Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the

SA database.

IPsec tunnel termination. SA lifetimes terminate through deletion or by timing out.

All of these steps require that the correct policies have been created. Because policy creation is an

independent procedure from FCIP tunnel creation, you must know which IPsec configurations have

been created. This ensures that you choose the correct configurations when you enable an IPsec

tunnel.

The first step to configuring IPsec is to create a policy for IKE and a policy for IPsec. Once the

policies have been created, you assign the policies when creating the FCIP tunnel.

IKE negotiates SA parameters and authenticates the peer using the preshared key authentication

method. Once the two phases of the negotiation are completed successfully, the actual encrypted

data transfer can begin.

IPsec policies are managed using the

policy

command.

You can configure up to 32 IKE and 32 IPsec policies. Policies cannot be modified; they must be

deleted and recreated in order to change the parameters. You can delete and recreate any policy

as long as the policy is not being used by an active FCIP tunnel.

Each FCIP tunnel is configured separately and may have the same or different IKE and IPsec

policies as any other tunnel. Only one IPsec tunnel can be configured for each GbE port

IPsec parameters

When creating policies, the parameters listed in

Table 10

are fixed and cannot be modified.

TABLE 10

Fixed policy parameters

Parameter

Fixed Value

IKE negotiation protocol

Main mode

ESP

Tunnel mode

IKE negotiation authentication method

Preshared key

3DES encryption

Key length of 168 bits

AES encryption

Key length of 128 or 256