Example 4 – Dell POWEREDGE M1000E User Manual
Page 477
Fabric OS Command Reference
445
53-1001764-02
ipSecConfig
2
3. Create an IPSec SA policy named ESP01, which uses ESP protection with 3DES.
switch:admin> ipsecconfig --add policy ips sa -t ESP01 -p esp -enc 3des_cbc
4. Create an IPSec proposal IPSEC-AHESP to use an AH01 and ESP01 bundle.
switch:admin> ipsecconfig --add policy ips sa-proposal -t IPSEC-AHESP -sa AH01,ESP01
5. Import the preshared key file (e.g., ipseckey.psk) using the secCertUtil import command.
6. Create an IKE policy for the remote peer.
switch:admin> ipsecconfig --add policy ike -t IKE01 -remote 10.33.69.132 -id 10.33.74.13 \
-remoteid 10.33.69.132 -enc 3des_cbc -hash hmac_md5 -prf hmac_md5 \
-auth psk -dh modp1024 -psk ipseckey.psk
7. Create an IPSec transform TRANSFORM01 configured with transport mode to protect traffic
identified for IPSec protection and use IKE01 as a key management policy.
switch:admin> ipsecconfig --add policy ips transform -t TRANSFORM01 -mode transport \
-sa-proposal IPSEC-AHESP -action protect -ike IKE01
8. Create traffic selectors to protect outbound and inbound traffic.
switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-OUT \
-d out -l 10.33.74.13 -r 10.33.69.132 -transform TRANSFORM01
switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-IN \
-d in -l 10.33.69.132 -r 10.33.74.13 -transform TRANSFORM01
9. Verify the IPSec SAs using ipSecConfig --show manual-sa -a. Refer to the
section for an example.
10. Perform the equivalent steps on the remote peer to complete the IPSec configuration. Refer to
your server administration guide for instructions.
Example 4
Secure traffic between two systems using AH protection with HMAC-MD5 and manually keyed SAs. The two
systems are a switch, the BROCADE300 (IPv4 address 10.33.74.13), and an external UNIX host
(IPv4 address 10.33.69.132).
1. On the system console, log into the switch as Admin and enable IPSec.
switch:admin> ipsecconfig --enable
2. Create an IPSec Manual SA that uses AH protection with MD5 for outbound traffic:
switch:admin> ipsecconfig --add manual-sa -spi 0x300 -l 10.33.74.13 -r 10.33.69.132 \
-p any -d out -m transport -ipsec ah -ac protect -auth hmac_md5 -auth-key "TAHITEST89ABCDEF"
3. Create an SA for inbound traffic.
switch:admin> ipsecconfig --add manual-sa -spi 0x200 -l 10.33.69.132 -r 10.33.74.13 \
-p any -d in -m transport -ipsec ah -ac protect -auth hmac_md5 -auth-key "TAHITEST89ABCDEF"
4. Verify the SAs using ipsecConfig --show manual-sa -a. Refer to the
section for an example.
5. Perform the equivalent steps on the remote peer to complete the IPSec configuration. Refer to
your server administration guide for instructions.
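The following is an added worked example, not part of the Fabric OS Command Reference and not Brocade or Dell code. It models the manually keyed AH SA pair from Example 4 in Python: it checks the parameters a practitioner should sanity-check before pasting the commands (the SPI must lie outside the range RFC 4302 reserves, and hmac_md5 requires exactly the 128-bit key that RFC 2403 specifies, which the page's 16-character sample key satisfies), renders both ipsecconfig lines so the mirrored -l/-r addresses of the inbound SA are generated rather than hand-typed, and computes the HMAC-MD5-96 ICV that such an SA places in the AH header to show that a modified payload or replayed sequence number fails verification. The ManualSA class, the problems/command/ah_icv/verify helpers and the AH-header model are this example's own constructions; the ICV model covers the AH header and payload only and omits the IP-header mutable-field zeroing that a real AH implementation performs.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Sample values taken from Example 4 on this page (not a live deployment).
SWITCH_IP = "10.33.74.13"
HOST_IP = "10.33.69.132"
SHARED_KEY = b"TAHITEST89ABCDEF"  # 16 bytes: the 128-bit key HMAC-MD5-96 requires


@dataclass(frozen=True)
class ManualSA:
    """One direction of a manually keyed AH SA (hypothetical model of the page's syntax)."""
    spi: int
    local: str
    remote: str
    direction: str  # "out" or "in"
    auth_key: bytes


def problems(sa):
    """Return a list of configuration problems; an empty list means the SA is usable."""
    found = []
    # RFC 4302: SPI 0 is reserved for local use, 1-255 are reserved by IANA.
    if not 256 <= sa.spi <= 0xFFFFFFFF:
        found.append(f"SPI {sa.spi:#x} is outside the usable 256..0xFFFFFFFF range")
    # RFC 2403: HMAC-MD5-96 keys are fixed at 128 bits; no padding or truncation.
    if len(sa.auth_key) != 16:
        found.append(f"hmac_md5 key is {len(sa.auth_key)} bytes, must be 16")
    if sa.direction not in ("out", "in"):
        found.append(f"direction {sa.direction!r} must be 'out' or 'in'")
    return found


def command(sa):
    """Render the ipsecconfig --add manual-sa line in the form shown on this page."""
    errors = problems(sa)
    if errors:
        raise ValueError("; ".join(errors))
    return (
        "ipsecconfig --add manual-sa "
        f"-spi {sa.spi:#x} -l {sa.local} -r {sa.remote} "
        f"-p any -d {sa.direction} -m transport -ipsec ah -ac protect "
        f'-auth hmac_md5 -auth-key "{sa.auth_key.decode()}"'
    )


def sa_pair(switch_ip, peer_ip, spi_out, spi_in, key):
    """Build both directions: the inbound SA swaps -l and -r relative to the outbound one."""
    outbound = ManualSA(spi_out, switch_ip, peer_ip, "out", key)
    inbound = ManualSA(spi_in, peer_ip, switch_ip, "in", key)
    return outbound, inbound


def ah_icv(sa, seq, payload):
    """HMAC-MD5-96 ICV over a simplified AH header plus payload.

    AH header layout: next header, payload length, reserved, SPI, sequence number,
    then the 12-byte ICV field, which is zero while the ICV is computed. With a
    96-bit ICV the header is 24 bytes, so the RFC 4302 payload length is 24/4 - 2 = 4.
    Mutable IP-header fields are not modelled here.
    """
    next_header = 6  # constructed: TCP carried inside AH
    header = struct.pack("!BBHII", next_header, 4, 0, sa.spi, seq) + bytes(12)
    return hmac.new(sa.auth_key, header + payload, hashlib.md5).digest()[:12]


def verify(sa, seq, payload, icv):
    """Receiver-side check; constant-time compare avoids leaking mismatch position."""
    return hmac.compare_digest(ah_icv(sa, seq, payload), icv)


if __name__ == "__main__":
    out_sa, in_sa = sa_pair(SWITCH_IP, HOST_IP, 0x300, 0x200, SHARED_KEY)
    print(command(out_sa))
    print(command(in_sa))
    icv = ah_icv(out_sa, 1, b"constructed payload")
    print("intact packet verifies:", verify(out_sa, 1, b"constructed payload", icv))
    print("tampered payload verifies:", verify(out_sa, 1, b"constructed payloaD", icv))
    print("short key problems:", problems(ManualSA(0x300, SWITCH_IP, HOST_IP, "out", b"short")))
```

Running the module prints the two commands exactly as they appear in steps 2 and 3 above, then shows the ICV check passing on the original payload and failing on a one-byte change; a key that is not 16 bytes is reported before any command is rendered, which is the point at which a mistyped key is cheapest to catch.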