HP StorageWorks Fabric OS 5.3.x administrator guide (5697-0244, November 2009)

Configuring and monitoring FCIP tunneling
IPSec parameters
Table 99 lists fixed policy parameters that you cannot modify.
Table 100 lists policy parameters that you may modify.
Managing policies
Use the policy command to create, delete, and show IKE and IPSec policies.
To create a new policy
1. Log in to the switch as admin.
2. At the command prompt, type:
policy --create type number [-enc encryption_method] [-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs]
where:
type and number
    The type of policy being created (IKE or IPSec) and the number for this type of policy. To easily determine how many policies have been created, consider using sequential numbering. The range of valid values is any whole number from 1 through 32.
encryption_method
    The supported type of encryption. Valid options are 3DES, AES-128, and AES-256. AES-128 is the default.
authentication_algorithm
    The authentication algorithm. Valid options are SHA-1, MD5, and AES-XCBC (IPSec only). SHA-1 is the default.
Table 101 Fixed policy parameters
Parameter                                Fixed Value
IKE negotiation protocol                 Main mode
ESP                                      Tunnel mode
IKE negotiation authentication method    Preshared key
3DES encryption                          Key length of 168 bits
AES encryption                           Key length of 128 or 256
Table 102 Policy parameters
Parameter                                   Description
Encryption Algorithm                        3DES—168-bit key
                                            AES-128—128-bit key (default)
                                            AES-256—256-bit key
Authentication Algorithm                    SHA-1—Secure Hash Algorithm (default)
                                            MD5—Message Digest 5
                                            AES-XCBC—Used only for IPSec
Security Association lifetime in seconds    The lifetime in seconds of the security association. If PFS is
                                            enabled, a new IKE SA using new key material will be
                                            negotiated before this value expires. Default is 28800 sec.
PFS (Perfect Forward Secrecy)               Applies only to IKE policies. Choices are On/Off and
                                            default is On.
Diffie-Hellman group                        Group 1—768 bits (default)
                                            Group 14—2048 bits
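
Added example, not part of the HP guide: a Python pre-flight check that lints a proposed policy --create line against the value ranges, options and defaults listed above before it is typed on the switch. The function name check_policy, the value spellings (taken as printed in the tables) and the WEAK list of choices flagged as weak are assumptions of this example.

```python
import shlex

# Allowed values and defaults as printed in the guide's parameter tables.
ENC = {"3DES", "AES-128", "AES-256"}
AUTH = {"SHA-1", "MD5", "AES-XCBC"}
ALLOWED = {"-enc": ENC, "-auth": AUTH, "-dh": {"1", "14"}, "-pfs": {"on", "off"}}
DEFAULTS = {"-enc": "AES-128", "-auth": "SHA-1", "-dh": "1", "-seclife": "28800"}
# Assumption (not from the guide): choices this example flags as weak.
WEAK = {("-enc", "3DES"), ("-auth", "MD5"), ("-dh", "1")}

def check_policy(cmdline):
    """Return (effective settings, errors, warnings) for a 'policy --create' line."""
    tok = shlex.split(cmdline)
    errors, warnings = [], []
    if len(tok) < 4 or tok[:2] != ["policy", "--create"]:
        return {}, ["expected: policy --create type number [options]"], []
    ptype, number, opts = tok[2].upper(), tok[3], tok[4:]
    if ptype not in ("IKE", "IPSEC"):
        errors.append(f"type must be IKE or IPSec, got {tok[2]}")
    if not (number.isdigit() and 1 <= int(number) <= 32):
        errors.append(f"number must be a whole number from 1 through 32, got {number}")
    if len(opts) % 2:
        errors.append("every option needs a value")
    cfg = dict(DEFAULTS)
    if ptype == "IKE":
        cfg["-pfs"] = "on"  # PFS applies only to IKE policies; default is On
    for flag, val in zip(opts[0::2], opts[1::2]):
        val = val.upper() if flag in ("-enc", "-auth") else val.lower()
        if flag == "-seclife":
            if not (val.isdigit() and int(val) > 0):
                errors.append(f"-seclife must be a positive number of seconds, got {val}")
        elif flag not in ALLOWED:
            errors.append(f"unknown option {flag}")
            continue
        elif val not in ALLOWED[flag]:
            errors.append(f"{flag} {val} is not one of {sorted(ALLOWED[flag])}")
        if flag == "-pfs" and ptype != "IKE":
            errors.append("-pfs applies only to IKE policies")
        if flag == "-auth" and val == "AES-XCBC" and ptype != "IPSEC":
            errors.append("AES-XCBC is valid for IPSec policies only")
        cfg[flag] = val
    for flag, val in cfg.items():  # defaults are checked too, not just typed options
        if (flag, val) in WEAK:
            warnings.append(f"{flag} {val} is a weak choice")
    if cfg.get("-pfs") == "off":
        warnings.append("-pfs off disables perfect forward secrecy")
    return cfg, errors, warnings
```

Because the documented defaults are applied before the weak-choice pass, a bare policy --create IKE 1 is reported as using the 768-bit Diffie-Hellman group unless -dh 14 is given.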