HP StorageWorks SN6000 Fibre Channel Switch Command Line Interface Guide 25
Managing IP security
To modify IP security, you must open an Admin session with the admin start command, then open an
Ipsec Edit session with the ipsec edit command. The Admin session prevents other accounts from
making changes at the same time through Telnet, Simple SAN Connection Manager, or any other
management application. The Ipsec Edit session provides access to the ipsec, ipsec association
and ipsec policy commands with which you make modifications to the IP security configuration, as
shown in the following example:
SN6000 FC Switch #> admin start
SN6000 FC Switch (admin) #> ipsec edit
SN6000 FC Switch (admin-ipsec)#> ipsec . . .
SN6000 FC Switch (admin-ipsec)#> ipsec policy . . .
SN6000 FC Switch (admin-ipsec)#> ipsec association . . .
The ipsec save command saves the changes you made during the Ipsec Edit session. Changes take
effect immediately.
SN6000 FC Switch (admin-ipsec)#> ipsec save
To close the Ipsec Edit session without saving changes, enter the ipsec cancel command.
SN6000 FC Switch (admin-ipsec)#> ipsec cancel
The admin end command releases the Admin session for other administrators when you are finished
making changes to the switch.
To remove all IP security policies and associations, enter the reset ipsec command.
SN6000 FC Switch (admin) #> reset ipsec
The following subsections describe IP security concepts and IP security management tasks.
IP security concepts
IP security provides encryption-based security for IPv4 and IPv6 communications through the use of security
policies and associations. Security policies are located in the security policy database and define the
following parameters:
• Connection source and destination
• Data traffic direction: inbound or outbound
• Protocols for which to protect data traffic
• Security protocol: Authentication Header (AH) or Encapsulating Security Payload (ESP)
• Level of protection: IP Security, discard, or none
Security associations are located in the security association database and define the algorithm and
key to apply when called by a security policy: an authentication algorithm and key for AH, and an
encryption algorithm and key for ESP. A security policy may call several associations at different
times, but each association is related to only one policy.
Uses of security policies
Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections,
with one policy for each direction. For example, to secure the connection between two hosts, you
need two policies: one for outbound traffic from the source to the destination, and another for inbound
traffic to the source from the destination. You can specify sources and destinations by IP addresses (version
4 or 6) or DNS host names. If a host name resolves to more than one IP address, the switch creates the
necessary policies and associations. You can recognize these dynamic policies and associations because
their names begin with DynamicSP_ and DynamicSA_ respectively.
Applying IP security
You can apply IP security to all communication between two systems, or to selected protocols, such as the
Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), or the User Datagram
Protocol (UDP). Furthermore, instead of applying IP security, you can choose to discard all inbound or
outbound traffic, or to allow all traffic without encryption. Both the AH and ESP security protocols provide
source authentication, ensure data integrity, and protect against replay. Only ESP encrypts the payload;
AH authenticates the packet, including the unchanging fields of the IP header, but leaves the data in
cleartext, so choose ESP wherever confidentiality of the management traffic matters.
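The following Python model of the security policy database and security association database is an added example and is not code from the SN6000 CLI guide; it illustrates the concepts in the "IP security concepts", "Uses of security policies" and "Applying IP security" passages above. DNS_TABLE (an offline stand-in for name resolution), the IPsecConfig class and its add_host_to_host and lookup methods, the sample addresses, and the rule that an unmatched packet passes unprotected are all this example's own assumptions, not switch behaviour documented on this page. It shows the inbound/outbound policy pair created for each connection, the DynamicSP_/DynamicSA_ entries produced when a host name resolves to more than one address, per-protocol selection, and the discard and no-protection actions.

```python
"""Model of the IPsec security policy database (SPD) and security
association database (SAD) described in the guide.  Added example, not
code from the SN6000 CLI guide; DNS_TABLE, IPsecConfig and its methods
are this example's own constructions."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional
import secrets

# Constructed stand-in for DNS resolution so the example runs offline.
DNS_TABLE = {
    "san-mgmt.example.net": ["192.0.2.10", "192.0.2.11"],
    "switch1.example.net": ["192.0.2.1"],
}


def resolve(host):
    """Return the addresses for a literal IPv4/IPv6 address or a host name."""
    try:
        return [str(ip_address(host))]
    except ValueError:
        pass
    if host not in DNS_TABLE:
        raise ValueError(f"cannot resolve {host!r}")
    return list(DNS_TABLE[host])


@dataclass
class SecurityAssociation:          # one entry in the SAD
    name: str
    security_protocol: str          # "AH" or "ESP"
    algorithm: str
    # Generated here for illustration; a deployment configures its own key.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(16))


@dataclass
class SecurityPolicy:               # one entry in the SPD
    name: str
    source: str
    destination: str
    direction: str                  # "in" or "out"
    protocols: frozenset            # e.g. {"tcp"}; {"any"} matches everything
    action: str                     # "ipsec", "discard" or "none"
    association: Optional[str] = None  # SA name, only when action == "ipsec"


class IPsecConfig:
    def __init__(self):
        self.spd = []   # ordered list of SecurityPolicy
        self.sad = {}   # SA name -> SecurityAssociation

    def add_host_to_host(self, name, local, remote, action, protocols=("any",),
                         security_protocol="ESP", algorithm="aes-cbc-128"):
        """Create the inbound/outbound policy pair between two hosts.

        A name that resolves to several addresses expands to one pair per
        address combination; those entries carry the DynamicSP_/DynamicSA_
        prefixes the guide describes for switch-generated entries.
        """
        local_addrs, remote_addrs = resolve(local), resolve(remote)
        dynamic = len(local_addrs) > 1 or len(remote_addrs) > 1
        # Only pair addresses of the same IP version (IPv4 with IPv4, v6 with v6).
        pairs = [(l, r) for l in local_addrs for r in remote_addrs
                 if ip_address(l).version == ip_address(r).version]
        if not pairs:
            raise ValueError(f"{local} and {remote} share no address family")
        created = []
        for i, (l, r) in enumerate(pairs):
            # One policy per direction: outbound l -> r, inbound r -> l.
            for direction, src, dst in (("out", l, r), ("in", r, l)):
                base = f"{name}_{i}_{direction}" if dynamic else f"{name}_{direction}"
                sp_name = ("DynamicSP_" if dynamic else "") + base
                sa_name = None
                if action == "ipsec":
                    # Each association belongs to exactly one policy.
                    sa_name = ("DynamicSA_" if dynamic else "SA_") + base
                    self.sad[sa_name] = SecurityAssociation(
                        sa_name, security_protocol, algorithm)
                policy = SecurityPolicy(sp_name, src, dst, direction,
                                        frozenset(protocols), action, sa_name)
                self.spd.append(policy)
                created.append(policy)
        return created

    def lookup(self, source, destination, direction, protocol):
        """Return (action, SecurityAssociation or None) for one packet.

        First matching policy wins.  With no match this model passes the
        packet unprotected; that default is an assumption of the example.
        """
        for p in self.spd:
            if (p.direction == direction and p.source == source
                    and p.destination == destination
                    and ("any" in p.protocols or protocol in p.protocols)):
                return p.action, (self.sad[p.association] if p.association else None)
        return "none", None


def build_example_config():
    """Constructed sample SPD/SAD exercising each case the text describes."""
    cfg = IPsecConfig()
    # Name resolving to two addresses -> DynamicSP_/DynamicSA_ entries.
    cfg.add_host_to_host("mgmt", "switch1.example.net", "san-mgmt.example.net", "ipsec")
    # Protect only TCP to one host; other protocols fall through unprotected.
    cfg.add_host_to_host("tcp_only", "192.0.2.1", "203.0.113.5", "ipsec",
                         protocols=("tcp",), security_protocol="AH", algorithm="hmac-sha256")
    # Discard ICMP in both directions with a third host.
    cfg.add_host_to_host("no_ping", "192.0.2.1", "198.51.100.9", "discard",
                         protocols=("icmp",))
    return cfg
```

Calling build_example_config() yields eight policies (four dynamic ones for the two-address name, two static TCP-only ones, two discard ones) and six associations, since discard policies invoke none. A lookup for UDP to 203.0.113.5 returns the unprotected action because the policy there names only TCP, which is the kind of gap to check for when a policy is meant to cover all management traffic.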