HP A7533A HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, Dece - Page 390
• IPSec can be configured only on IPv4-based tunnels. Secure tunnels cannot be created on a 400 Multi-protocol Router or FR4-18i blade if any IPv6 addresses are defined on either ge0 or ge1.
• Secure tunnels cannot be defined on VLAN-tagged connections.

Configuring IPSec

IPSec requires predefined configurations for IKE and IPSec. You can enable IPSec only when these configurations are well defined and properly created in advance. The following sequence of events invokes the IPSec protocol:

1. Traffic from the IPSec peer with the lower local IP address initiates the IKE negotiation process.
2. IKE negotiates SAs, authenticates the IPSec peers, and sets up a secure channel for negotiating the phase 2 (IPSec) SAs.
3. IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated SA parameters are the encryption and authentication algorithms, the Diffie-Hellman key exchange, and the SA lifetimes.
4. Data is transferred between the IPSec peers based on the IPSec parameters and keys stored in the SA database.
5. The IPSec tunnel terminates: SAs are removed either by explicit deletion or when their lifetimes expire.

All of these steps require that the correct policies have been created. Because policy creation is a procedure independent of FCIP tunnel creation, you must know which IPSec configurations have been created so that you choose the correct ones when you enable an IPSec tunnel.

The first step in configuring IPSec is to create a policy for IKE and a policy for IPSec. Once the policies have been created, you assign them when creating the FCIP tunnel. IKE negotiates the SA parameters and authenticates the peer using the preshared key authentication method. Once the two phases of the negotiation have completed successfully, encrypted data transfer can begin.

IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; to change a policy's parameters you must delete it and recreate it. You can delete and recreate any policy as long as it is not in use by an active FCIP tunnel. Each FCIP tunnel is configured separately and may use the same or different IKE and IPSec policies as any other tunnel. Only one IPSec tunnel can be configured per GbE port.

IPSec parameters

When creating policies, the parameters listed in Table 87 are fixed and cannot be modified.

Table 87 Fixed policy parameters

Parameter                                 Fixed value
IKE negotiation protocol                  Main mode
ESP                                       Tunnel mode
IKE negotiation authentication method     Preshared key
3DES encryption                           Key length of 168 bits
AES encryption                            Key length of 128 or 256 bits

390 Configuring and monitoring FCIP extension services
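The policy and tunnel rules above (32 IKE and 32 IPSec policies, policies that can only be deleted and recreated, no deletion of a policy an active tunnel uses, one IPSec tunnel per GbE port, no IPv6 on ge0/ge1 and no VLAN tagging) as an added pre-flight checker in Python. This is illustrative code written for this page, not Fabric OS code; the guide's policy command syntax is not shown here, so the class, method names and field names are assumptions.

```python
from dataclasses import dataclass, field

MAX_POLICIES = 32  # per policy kind (IKE and IPSec), as stated in the guide

class PolicyError(ValueError): ...  # a planned change breaks a stated rule

@dataclass
class IPSecPlan:  # hypothetical model of the policy tables and FCIP tunnels
    ike: dict = field(default_factory=dict)       # name -> parameters
    ipsec: dict = field(default_factory=dict)     # name -> parameters
    tunnels: dict = field(default_factory=dict)   # GbE port -> (ike, ipsec)
    ipv6_ports: set = field(default_factory=set)  # ge0/ge1 with any IPv6 address
    vlan_tagged: set = field(default_factory=set) # ports using VLAN tagging

    def _table(self, kind):
        return {"ike": self.ike, "ipsec": self.ipsec}[kind]

    def create_policy(self, kind, name, **params):
        table = self._table(kind)
        if name in table:  # policies are immutable: delete, then recreate
            raise PolicyError(f"{kind} policy {name!r} exists; delete it first")
        if len(table) >= MAX_POLICIES:
            raise PolicyError(f"limit of {MAX_POLICIES} {kind} policies reached")
        table[name] = params

    def delete_policy(self, kind, name):
        idx = 0 if kind == "ike" else 1
        if any(t[idx] == name for t in self.tunnels.values()):
            raise PolicyError(f"{kind} policy {name!r} is in use by a tunnel")
        del self._table(kind)[name]

    def tunnel_violations(self, port, ike, ipsec):
        """Preconditions for enabling IPSec on a tunnel; empty list means OK."""
        problems = []
        if self.ipv6_ports:  # any IPv6 on ge0 or ge1 blocks all secure tunnels
            problems.append("IPv6 addresses defined on a GbE port")
        if port in self.vlan_tagged:
            problems.append("VLAN-tagged connection")
        if port in self.tunnels:  # only one IPSec tunnel per GbE port
            problems.append(f"{port} already has an IPSec tunnel")
        if ike not in self.ike or ipsec not in self.ipsec:
            problems.append("IKE or IPSec policy not created in advance")
        return problems

    def enable_tunnel(self, port, ike, ipsec):
        problems = self.tunnel_violations(port, ike, ipsec)
        if problems:
            raise PolicyError("; ".join(problems))
        self.tunnels[port] = (ike, ipsec)  # same policies may serve other tunnels
```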