Dell EqualLogic PS6210XS EqualLogic Group Manager Administrator's Guide PS Ser - Page 75
IPsec Security Parameters, IPsec Security Associations (SA), IPsec Pre-Shared Keys (PSKs)
You can generate certificates suitable for use in IPsec connections to the PS Series using any Windows, OpenSSL, or other commercial Certificate Authority product. From the Group Manager CLI, you can import, display, and delete certificates, using the ipsec certificate commands. See the Dell EqualLogic Group Manager CLI Reference Guide for more information.

IPsec Security Parameters

IPsec security parameters control the authentication and key negotiation carried out using the Internet Key Exchange IKEv1 or IKEv2 protocol. Security parameters specify the following features:

• Using IKEv1, IKEv2, or manual keying

NOTE: While it is possible to configure IPsec to use manual keys via the CLI command, Dell strongly cautions that you do not use this command. Using the command can lead to extremely serious security risks. Do not use this command. Consequently, Dell strongly discourages the use of manual keying in any production environment. IKEv1 or IKEv2 are the preferred keying methods.

• Using certificates and pre-shared keys (PSK)
• Establishing Transport Mode or Tunnel Mode connections

NOTE: Unless specifically configured, IKEv1 and Transport Mode are used by default.

IPsec security parameters are managed using the ipsec security-params commands. See the Dell EqualLogic Group Manager CLI Reference Guide for more information.

IPsec Security Associations (SA)

The pairing of an IPsec security parameter with an IPsec policy forms an IPsec security association (SA), which formalizes the secured connection between the group and a host connected to it. Each protected connection to the group is a unique security association, and each system can have multiple security associations, allowing it to have authenticated communications with many other systems.

NOTE: You can view or delete security associations using the ipsec security-association commands. See the Dell EqualLogic Group Manager CLI Reference Guide for more information.
IPsec Pre-Shared Keys (PSKs)

In addition to using certificates, you can use pre-shared keys to authenticate secured connections. Pre-shared keys are identical strings that are specified at both ends of the communications pathway. The keys enable the systems to correctly identify each other.

You can use either ASCII or hexadecimal strings. ASCII can be used in most situations. However, you can also use hexadecimal strings if:

• Your organization mandates their use.
• You have systems that do not support the use of ASCII strings.
• You want to use characters that are not supported in ASCII strings.

Examples of IPsec Configurations

The following examples depict several scenarios for using IPsec with your PS Series group. They provide configuration settings for the array and for initiators and hosts.

• Example 1: Transport mode (Host-to-Host) with certificates and PSK with Microsoft iSCSI Initiator
• Example 2: Tunnel Mode (between Linux hosts) using PSK
• Example 3: Tunnel Mode (between Linux hosts) using Certificate-Based Authentication
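
For the pre-shared key section above, the following added example (not taken from the Dell guide) generates a random PSK and checks that the value entered at each end resolves to the same key, whether it was typed as ASCII or as hexadecimal. It assumes a hexadecimal PSK is the hex encoding of the same bytes an ASCII PSK supplies; the function names and the 16-byte minimum are illustrative, not Dell values.

```python
import hmac
import secrets
import string

MIN_KEY_BYTES = 16  # assumed local policy floor, not a value from the Dell guide


def psk_bytes(value, kind):
    """Return the key bytes for a PSK entered as 'ascii' or 'hex'."""
    if kind == "hex":
        return bytes.fromhex(value)      # ValueError on odd length or non-hex
    if kind == "ascii":
        return value.encode("ascii")     # UnicodeEncodeError on non-ASCII
    raise ValueError(f"unknown PSK kind: {kind!r}")


def same_psk(end_a, end_b):
    """Compare (value, kind) pairs from both ends in constant time."""
    return hmac.compare_digest(psk_bytes(*end_a), psk_bytes(*end_b))


def findings(value, kind):
    """List reasons a configured PSK is likely to mismatch or be weak."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    try:
        key = psk_bytes(value.strip(), kind)
    except ValueError as exc:            # also covers UnicodeEncodeError
        return problems + [f"not valid {kind}: {exc}"]
    if len(key) < MIN_KEY_BYTES:
        problems.append(f"only {len(key)} bytes, below {MIN_KEY_BYTES}")
    if len(set(key)) < 8:
        problems.append("few distinct byte values")
    return problems


def new_psk(length=32):
    """Generate a random alphanumeric PSK; return its ASCII and hex forms."""
    alphabet = string.ascii_letters + string.digits
    ascii_form = "".join(secrets.choice(alphabet) for _ in range(length))
    return ascii_form, ascii_form.encode("ascii").hex()


if __name__ == "__main__":
    ascii_form, hex_form = new_psk()
    print(same_psk((ascii_form, "ascii"), (hex_form, "hex")))
    print(findings("storage1 ", "ascii"))  # constructed weak sample value
```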