
HP StoreFabric SN6500B User Manual

666 pages
238 Fabric OS Administrator’s Guide
53-1002745-02
Management interface security
7
10. Verify traffic is protected.
a. Initiate a telnet, SSH, or ping session from the two switches.
b. Verify that IP traffic is encapsulated.
c. Monitor IPsec SAs created using IKE for above traffic flow.
• Use the ipsecConfig --show manual-sa -a command with the operands specified to
display the outbound and inbound SAs in kernel SADB.
• Use the ipsecConfig --show policy ips sa -a command with the specified operands to
display all IPsec SA policies.
• Use the ipsecConfig --show policy ips sa-proposal -a command with the specified
operands to display IPsec proposals.
• Use the ipsecConfig --show policy ips transform -a command with the specified
operands to display IPsec transforms.
• Use the ipsecConfig --show policy ips selector -a command with the specified
operands to display IPsec traffic selectors.
• Use the ipsecConfig --show policy ike -a command with the specified operands to
display IKE policies.
• Use the ipsecConfig --flush manual-sa command with the specified operands to
flush the created SAs in the kernel SADB.
Example of an end-to-end transport tunnel mode
This example illustrates securing traffic between two systems using AH protection with MD5 and
configuring IKE with pre-shared keys. The two systems are a switch, BROCADE300 (IPv4 address
10.33.74.13), and an external host (10.33.69.132).
NOTE
A backslash ( \ ) is used to skip the return character so you can continue the command on the next
line without the return character being interpreted by the shell.
1. On the system console, log in to the switch as Admin.
2. Enable IPsec.
a. Connect to the switch and log in using an account with admin permissions, or an account
with OM permissions for the IPsec RBAC class of commands.
b. Enter the ipsecConfig --enable command to enable IPsec on the switch.
3. Create an IPsec SA policy named AH01, which uses AH protection with MD5.
switch:admin> ipsecconfig --add policy ips sa -t AH01 \
-p ah -auth hmac_md5
4. Create an IPsec proposal IPsec-AH to use AH01 as SA.
switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPsec-AH -sa AH01
5. Configure the SA proposal's lifetime in time units. The maximum lifetime is 86400, or one day.
switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPsec-AH -lttime 86400 -sa AH01
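
One way to carry out the "Verify that IP traffic is encapsulated" check for the AH example above, shown as an added example that is not part of the manual: the script classifies raw IPv4 packets between the two example addresses by IP protocol number and parses the AH header. It assumes packets are captured off-switch (for example on the external host); the SPI, the third address, and the sample packets are constructed.

```python
import ipaddress
import struct

# Peer addresses come from the page's example; packets below are constructed samples.
PEERS = {ipaddress.ip_address("10.33.74.13"), ipaddress.ip_address("10.33.69.132")}
PROTO_ESP, PROTO_AH = 50, 51  # IANA IP protocol numbers

def classify(packet: bytes) -> dict:
    """Report whether one raw IPv4 packet between the peers is IPsec-encapsulated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    src, dst = ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20])
    out = {"src": str(src), "dst": str(dst), "verdict": "cleartext"}
    if {src, dst} != PEERS:
        out["verdict"] = "out-of-scope"
    elif packet[9] == PROTO_ESP:
        out["verdict"] = "esp"
    elif packet[9] == PROTO_AH:
        # AH header (RFC 4302): next header, payload length, reserved, SPI, sequence.
        if len(packet) < ihl + 12:
            raise ValueError("truncated AH header")
        nxt, plen, _, spi, seq = struct.unpack("!BBHII", packet[ihl:ihl + 12])
        ah_len = (plen + 2) * 4  # field counts 32-bit words, minus 2
        if ah_len < 12 or len(packet) < ihl + ah_len:
            raise ValueError("bad AH payload length")
        out.update(verdict="ah", spi=spi, seq=seq, inner_proto=nxt, icv_len=ah_len - 12)
    return out

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a constructed test packet; the header checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1])  # constructed ping payload
AH_HDR = struct.pack("!BBHII", 1, 4, 0, 0x1000, 1) + bytes(12)  # constructed SPI, 96-bit ICV
SAMPLES = [
    build_ipv4("10.33.74.13", "10.33.69.132", PROTO_AH, AH_HDR + ICMP_ECHO),
    build_ipv4("10.33.69.132", "10.33.74.13", 1, ICMP_ECHO),   # ping that bypassed IPsec
    build_ipv4("10.33.74.13", "10.33.70.1", 1, ICMP_ECHO),     # other host, not covered
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```

A "cleartext" verdict for traffic between the two peers means the selector or SA did not match and the packet left unprotected; the SPI reported for an "ah" packet can be compared with the SAs listed by the --show manual-sa command.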
