Dell EqualLogic PS4210X EqualLogic Group Manager Administrator's Guide PS Seri - Page 101
IPsec Performance Considerations, IPsec Configuration Limitations, CLI Commands IPsec
CLI Commands (IPsec)

Enter the following CLI commands on the PS Series group to implement the configuration shown in Figure 13.

Tunnel Mode (Host-to-Gateway) Using PSK:

> ipsec security-params create RemGW_PSK_Auth_Tunnel pre-shared-key key tunnel type v4 tun-ip-addr 10.125.56.1
> ipsec policy create ToRemGW_IPv4_PSK_Ikev1 type v4 ip-addr 10.125.56.0 netmask 255.255.255.0 protocol any action protect RemGW_PSK_Auth_Tunnel

IPsec Performance Considerations

The performance impact of IPsec varies by host and network configuration, and increases with the number of IPsec-protected iSCSI connections to the group. Even if IPsec is used only to protect traffic between group members, I/O performance is still affected. Based on these factors, you can expect that using IPsec might degrade I/O performance.

Although PS Series group members use hardware to accelerate cryptographic operations, many initiators perform these operations in software, which can cause a further reduction in the speed of communications between iSCSI initiators and the group.

IPsec Host Connectivity Considerations

• Enabling or disabling IPsec for the group using the ipsec enable and ipsec disable commands might disrupt host connectivity to the group for several minutes. To prevent unplanned outages, Dell recommends that IPsec be enabled or disabled during a planned maintenance window when volumes do not have any active iSCSI connections.
• Consult the documentation for your host operating systems, HBAs, and iSCSI initiators to verify that they support IPsec. The initiators' IPsec support might have known issues and idiosyncrasies that require additional planning or configuration.

When configuring IPsec with Windows hosts, note the following limitations:

- IPsec traffic is not always handled correctly if the IPsec policy is configured to protect only a subset of traffic between the host and the group. For example, if the IPsec policy protects only iSCSI traffic on port 3260, the Windows host might not perform reliably when connecting to the group. As a workaround, IPsec policies should apply to all traffic passing between the group and Windows systems. Microsoft KB article 2665206 discusses this workaround in greater detail.
- IPsec must be configured using the Windows Firewall with Advanced Security. Do not use the IPsec option in the Microsoft iSCSI initiator, which does not have the capability to fully configure an IPsec configuration between the host and the group. Further, if you attempt to configure an IPsec connection using the iSCSI initiator, the system might not allow you to remove the partial configuration and replace it with a complete configuration created with Windows Firewall.
- IPsec policies defined using the Local Security Policy Manager are not supported.

strongSWAN Limitations with IPsec

If you are using strongSWAN, the following limitations apply:

• If you are using certificates, the uniqueids keyword must be disabled (uniqueids=no).
• In rare cases, strongSWAN might negotiate standard frames in IPv6 environments even though jumbo frames are configured.
• If you are using IKEv2 and the certificate IDs are mismatched, the PSA might behave as if the security association (SA) has been established when it has not.
• strongSWAN does not create exceptions for IPv6 neighbor discovery in its Allow All IPsec policy. Consequently, neighbor discovery will fail and security associations (SA) will not be established. As a workaround, use an IPsec policy that uses ports and protocols to manage neighbor discovery.

IPsec Configuration Limitations

The following limitations apply when implementing IPsec:

• IPsec is supported only for certain PS Series array models, and can be enabled for a group only if all members support IPsec. See the Dell EqualLogic PS Series Storage Arrays Release Notes for more information.
• IPsec can be enabled and configured only with the Group Manager CLI. The Group Manager GUI provides no facility for configuring or monitoring IPsec.
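The strongSWAN certificate limitation above (uniqueids=no) can be checked on the host before a maintenance window. The following is an added example, not part of the Dell guide: a small linter for the legacy ipsec.conf format that reports certificate-based connections loaded while uniqueids is anything other than no. The sample file, connection names and certificate file name are constructed, and the parser assumes a single file without also= or include directives.

```python
SAMPLE_CONF = """\
# constructed sample config, not from the Dell guide
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2

conn ps-group-cert
    leftcert=hostCert.pem
    right=10.125.56.1
    auto=start

conn ps-group-psk
    authby=secret
    right=10.125.56.1
"""

def parse_ipsec_conf(text):
    """Return {section header: {key: value}} for 'config setup' and 'conn X'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # headers start in column 0
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def check_uniqueids(text):
    """List certificate-based conns present while uniqueids is not 'no'."""
    sections = parse_ipsec_conf(text)
    # strongSwan treats a missing uniqueids keyword as "yes"
    uniqueids = sections.get("config setup", {}).get("uniqueids", "yes").lower()
    if uniqueids == "no":
        return []
    defaults = sections.get("conn %default", {})
    findings = []
    for name, params in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        merged = {**defaults, **params}           # conn values override %default
        uses_psk = merged.get("authby", "").lower() in ("secret", "psk")
        if not uses_psk and ("leftcert" in merged or "rightcert" in merged):
            findings.append(name[len("conn "):])
    return findings
```

Calling check_uniqueids on the contents of the host's ipsec.conf returns the names of the connections that need uniqueids=no in config setup; an empty list means the limitation is already satisfied.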