Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

Fabric OS Administrator’s Guide 177
53-1002148-02
Management interface security
7
9. Create traffic selectors to select the outbound and inbound traffic that needs to be protected.
switch:admin> ipsecconfig --add policy ips selector \
-t SELECTOR-OUT -d out -l 10.33.74.13 -r 10.33.69.132 \
-transform TRANSFORM01
switch:admin> ipsecconfig --add policy ips selector \
-t SELECTOR-IN -d in -l 10.33.69.132 -r 10.33.74.13 \
-transform TRANSFORM01
10. Verify the IPsec SAs created with IKE using the ipsecConfig --show manual-sa –a command.
11. Perform the equivalent steps on the remote peer to complete the IPsec configuration. Refer to
your server administration guide for instructions.
12. Generate IP traffic and verify that it is protected using defined policies.
a. Initiate Telnet or SSH or ping session from BRCD300 to Remote Host.
b. Verify that the IP traffic is encapsulated.
c. Monitor IPsec SAs created using IKE for the above traffic flow.
Use the ipSecConfig -–show manual-sa –a command with the operands specified to
display the outbound and inbound SAs in the kernel SADB.
Use the ipSecConfig –-show policy ips sa -a command with the specified operands to
display all IPsec SA policies.
Use the ipSecConfig –-show policy ips sa-proposal –a command with the specified
operands to display IPsec proposals.
Use the ipSecConfig –-show policy ips transform –a command with the specified
operands to display IPsec transforms.
Use the ipSecConfig –-show policy ips selector –a command with the specified
operands to display IPsec traffic selectors.
Use the ipSecConfig –-show policy ike –a command with the specified operands to
display IKE policies.
Use the ipSecConfig –-flush manual-sa command with the specified operands to flush
the created SAs in the kernel SADB.
CAUTION
Flushing SAs requires IPsec to be disabled and re-enabled. This operation is disruptive to traffic
on the tunnel.
NOTE
As of Fabric OS 7.0.0, IPsec no longer supports null encryption (null_enc) for IKE policies.
IPv6 policies cannot tunnel IMCP traffic.