HP StorageWorks 2/16V HP StorageWorks Fabric OS 5.3.x administrator guide (569 - Page 401
Configuring IPSec, Definition
View all HP StorageWorks 2/16V manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 401 highlights
Table 100 IPSec terminology Term MAC HMAC SA Definition Message Authentication Code is a key-dependent, one-way hash function used for generating and verifying authentication data. A stronger MAC because it is a keyed hash inside a keyed hash. Security association is the collection of security parameters and authenticated keys that are negotiated between IPSec peers. The following limitations apply to using IPSec: • IPv6, NAT, and AH are not supported. • You can only create a single secure tunnel on a port; you cannot create a nonsecure tunnel on the same port as a secure tunnel. • IPSec specific statistics are not supported. • Fastwrite and tape pipelining cannot be used in conjunction with secure tunnels. • To change the configuration of a secure tunnel, delete the tunnel and re-create it with the desired options. • Jumbo frames are not supported for IPSec. • There is no RAS message support for IPSec. • Only a single route is supported on an interface with a secure tunnel. Configuring IPSec IPSEC requires predefined configurations for IKE and IPSEC. You can enable IPSEC only when these configurations are well-defined and properly created in advance. The following steps provide an overview of the IPSec protocol. All of these steps require that the correct policies have been created. Because policy creation is an independent procedure from FCIP tunnel creation, you must know which IPSec configurations have been created. This ensures that you choose the correct configurations when you enable an IPSEC tunnel. • Some traffic from an IPSec peer with the lower local IP address initiates the IKE negotiation process. • IKE negotiates SAs and authenticates IPSec peers during phase 1 that sets up a secure channel for negotiation of phase 2 (IPSec) SAs. • IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated SA parameters include encryption and authentication algorithms, Diffie-Hellman group and SA lifetimes. • Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database. • IPSec tunnel termination. SA lifetimes terminate through deletion or by timing out. The first step to configuring IPSec is to create a policy for IKE and a policy for IPSec. Once the policies have been created, you assign the policies when creating the FCIP tunnel. IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method. Once the 2 phases of the negotiation are completed successfully, the actual encrypted data transfer can begin. IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters. You can delete and recreate any policy as long as the policy is not being used by an active FCIP tunnel. Each FCIP tunnel is configured separately and may have the same or different IKE and IPSec policies as any other tunnel. Only one IPSec tunnel can be configured for each GbE port. Fabric OS 5.3.0 administrator guide 407