Send documentation comments to mdsfeedback-doc@cisco.com
44-14
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-17256-03, Cisco MDS NX-OS Release 4.x
Chapter 44 Configuring IPsec Network Security
Manually Configuring IPsec and IKE
• IKE version 2 (IKEv2) is a simplified and more efficient version and does not interoperate with
IKEv1. IKEv2 is implemented using the draft-ietf-ipsec-ikev2-16.txt draft.
About IKE Policy Negotiation
To protect IKE negotiations, each IKE negotiation begins with a common (shared) IKE policy. An IKE
policy defines a combination of security parameters to be used during the IKE negotiation. By default,
no IKE policy is configured. You must create IKE policies at each peer. This policy states which security
parameters will be used to protect subsequent IKE negotiations and mandates how peers are
authenticated. You can create multiple, prioritized policies at each peer to ensure that at least one policy
will match a remote peer's policy.
You can configure the policy based on the encryption algorithm (DES, 3DES, or AES), the hash
algorithm (SHA or MD5), and the DH group (1, 2, or 5). Each policy can contain a different combination
of parameter values. A unique priority number identifies the configured policy. This number ranges from
1 (highest priority) to 255 (lowest priority). You can create multiple policies in a switch. If you need to
connect to a remote peer, you must ascertain that at least one policy in the local switch contains the
identical parameter values configured in the remote peer. If several policies have identical parameter
configurations, the policy with the lowest number is selected.
Table 44-1 provides a list of allowed transform combinations.
The following table lists the supported and verified settings for IPsec and IKE encryption authentication
algorithms on the Microsoft Windows and Linux platforms:
Ta b l e 44-1 IKE Transform Configuration Parameters
Parameter Accepted Values Keyword Default Value
encryption algorithm 56-bit DES-CBC
168-bit DES
128-bit AES
des
3des
aes
3des
hash algorithm SHA-1 (HMAC variant)
MD5 (HMAC variant)
sha
md5
sha
authentication method Preshared keys Not configurable Preshared keys
DH group identifier 768-bit DH
1024-bit DH
1536-bit DH
1
2
5
1
Platform IKE IPsec
Microsoft iSCSI initiator,
Microsoft IPsec implementation
on Microsoft Windows 2000
platform
3DES, SHA-1 or MD5,
DH group 2
3DES, SHA-1
Cisco iSCSI initiator,
Free Swan IPsec implementation
on Linux platform
3DES, MD5, DH group 1 3DES, MD5
To Next Page
Loading...
