Dell EqualLogic PS6210XS EqualLogic Group Manager Administrator's Guide PS Ser - Page 93
Supported iSCSI Initiator Platforms, Requirements for IPsec, Supported Relative Distinguished Names
• The PS Series firmware provides no mechanism for using IPsec to protect traffic between replication partners. It is technically possible to create IPsec policies on both the primary and secondary group in which each group treats the other as an iSCSI initiator and traffic is protected accordingly. However, this configuration is not supported, and Dell recommends against implementing it in a production environment.
• The PS Series array does not serve as an IPsec-secured gateway; it behaves as an IPsec-secured host only.
• You cannot use the save-config CLI command to preserve the group's IPsec certificates and pre-shared keys. The save-config command saves the CLI commands that were used to configure IPsec, but it does not save certificates that have been transferred to the array using FTP. Therefore, when you restore a configuration, you must manually restore any configuration options set using the ipsec certificate load, ipsec security-params create certificate, and ipsec security-params pre-shared-key commands.
• Kerberos-based authentication is not supported.
• Multiple Root Certificate Authorities (CA) are not supported.
• Certificate Revocation Lists (CRL) are not supported.
• Only users with group administrator privileges can configure IPsec.
• Perfect Forward Secrecy (PFS) is not supported.
• Encrypted private keys are not supported for X.509 format certificates.
• Dell recommends using a minimum of 3600 seconds and 10GB lifetime rekey values.
• IKE mobility is not supported.
• NAT Traversal (NAT-T) is not supported. Dell recommends against placing a firewall that performs address translation between the PS Series group and its IPsec peers.

Supported iSCSI Initiator Platforms

iSCSI initiators on the following hosts have been tested and verified for use with IPsec connections to PS Series groups:
• Microsoft Windows 2008, Windows 2008 R2, Windows 7, Windows Server 2012, and Windows Server 2012 R2
• Ubuntu Linux (using strongSwan)

NOTE: Some Linux distributions use a different IKE implementation. For example, CentOS 6 uses Openswan. The configuration details change substantially depending on the IKE implementation used, and in particular, the examples provided in this document do not carry over to Openswan.

Requirements for IPsec Certificates

The following considerations apply to certificates:
• If a certificate that is uploaded to the array contains multiple Subject Alternative Names, only the first name is used.
• Certificates can be imported using PKCS12 or X.509 formats.
• Encrypted private keys are not supported for X.509 format certificates. Use PKCS12 format certificates when encrypted private keys are required.
• The maximum supported certificate key size is 4096 bits, which applies to both local and root-CA certificates.
• Disabling support for legacy protocols prevents the following actions:
  - RSA-based SSH keys smaller than 2048 bits establishing SSH sessions to the group
  - All DSA-based SSH keys establishing SSH sessions to the group
  - Using the IKE (Diffie-Hellman) Key Exchange Group 2 algorithm
  - All IPsec certificates (both on the initiator and the group) using DSA keys establishing security associations
  - All IPsec certificates (both on the initiator and the group) with keys smaller than 2048 bits establishing security associations
  - Any certificate with keys smaller than 2048 bits from being imported into the group

Supported Relative Distinguished Names (RDN)

Table 20. Supported RDNs lists supported certificate Relative Distinguished Names (RDN).
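
The key-related certificate requirements above can be checked before a certificate is transferred to the array. The following is an added example, not code from the Dell guide: it parses a PEM certificate using only the Python standard library and reports an encrypted private key, a DSA key, or an RSA key outside the 2048 to 4096 bit range. The function names and the legacy_disabled flag are assumptions of this example, and it does not inspect Subject Alternative Names or PKCS12 files.

```python
# Added example, not Dell code; function names and legacy_disabled are assumptions.
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
DSA_OID = bytes.fromhex("2a8648ce380401")      # id-dsa

def tlv(buf, pos):  # one DER header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """(tag, start, end) of each element inside a constructed value."""
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def public_key_info(der):
    """Return (algorithm OID, RSA modulus bits or None) of an X.509 cert."""
    _, s, e = tlv(der, 0)                      # Certificate
    _, s, e = children(der, s, e)[0]           # tbsCertificate
    fields = children(der, s, e)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # drop version
    alg, key = children(der, *fields[5][1:])   # subjectPublicKeyInfo
    _, o_s, o_e = children(der, alg[1], alg[2])[0]
    if der[o_s:o_e] != RSA_OID:
        return der[o_s:o_e], None
    _, s, e = tlv(der, key[1] + 1)             # skip unused-bits octet
    _, m_s, m_e = children(der, s, e)[0]       # modulus INTEGER
    return RSA_OID, int.from_bytes(der[m_s:m_e], "big").bit_length()

def preflight(pem, legacy_disabled=True):
    """Findings that would block this PEM (X.509) upload, per the rules above."""
    findings = []
    if re.search(r"BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED", pem):
        findings.append("encrypted private key: use PKCS12 for this certificate")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return findings + ["no certificate found"]
    oid, bits = public_key_info(base64.b64decode(m.group(1)))
    if oid == DSA_OID and legacy_disabled:
        findings.append("DSA key: blocked when legacy protocols are disabled")
    if bits and bits > 4096:
        findings.append(f"{bits}-bit key: above the 4096-bit maximum")
    if bits and bits < 2048 and legacy_disabled:
        findings.append(f"{bits}-bit key: blocked when legacy protocols are disabled")
    return findings
```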