HP StorageWorks 8/20q Fibre Channel Switch Command Line Interface Guide 25
Managing IP security
To modify IP security, you must open an Admin session with the admin start command, then open an
Ipsec Edit session with the ipsec edit command. The Admin session prevents other accounts from
making changes at the same time through Telnet, Simple SAN Connection Manager, or any other
management application. The Ipsec Edit session provides access to the ipsec, ipsec association
and ipsec policy commands with which you make modifications to the IP security configuration, as
shown in the following example:
8/20q FC Switch #> admin start
8/20q FC Switch (admin) #> ipsec edit
8/20q FC Switch (admin-ipsec)#> ipsec . . .
8/20q FC Switch (admin-ipsec)#> ipsec policy . . .
8/20q FC Switch (admin-ipsec)#> ipsec association. . .
The ipsec save command saves the changes you made during the Ipsec Edit session. Changes take
effect immediately.
8/20q FC Switch (admin-ipsec)#> ipsec save
To close the Ipsec Edit session without saving changes, enter the ipsec cancel command.
8/20q FC Switch (admin-ipsec)#> ipsec cancel
The admin end command releases the Admin session for other administrators when you are finished
making changes to the switch.
To remove all IP security policies and associations, enter the reset ipsec command.
8/20q FC Switch (admin) #> reset ipsec
The following describes IP security concepts and IP security management tasks:
• IP security concepts, page 25
• Displaying IP security information, page 26
• Managing the security policy database, page 27
• Managing the security association database, page 30
• Resetting the IP security configuration, page 33
IP security concepts
IP security provides encryption-based security for IPv4 and IPv6 communications through the use of security
policies and associations. Security policies are located in the security policy database and define the
following parameters:
• Connection source and destination
• Data traffic direction: inbound or outbound
• Protocols for which to protect data traffic
• Security protocols; Authentication Header (AH) or Encapsulating Security Payload (ESP)
• Level of protection: IP Security, discard, or none
Security associations are located in the security association database and define the encryption algorithm
and encryption key to apply when called by a security policy. A security policy may call several
associations at different times, but each association is related to only one policy.
Uses of security policies
Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections;
providing one policy for each direction. For example, to secure the connection between two hosts, you
need two policies: one for outbound traffic from the source to the destination, and another for inbound
traffic to the source from the destination. You can specify sources and destinations by IP addresses (version
4 or 6) or DNS host names. If a host name resolves to more than one IP address, the switch creates the
necessary policies and associations. You can recognize these dynamic policies and associations because
their names begin with DynamicSP_ and DynamicSA_ respectively.
To Next Page
Loading...
Need help?
General