Deployment Guide

Fabric OS Command Reference 519
53-1003131-01
ipSecConfig
2
type
Specifies the policy to be created. Supported policies include the following:
policy ips
Creates or modifies an IPSec policy. This policy determines the security services
afforded to a packet and the treatment of a packet in the network. An IPSec policy
allows classifying IP packets into different traffic flows and specifies the actions or
transformations performed on IP packets on each of the traffic flows. The main
components of an IPSec policy are: IP packet filter/selector (IP address, protocol,
and port information) and transform set.
subtype
A subtype is required when configuring an IPSec policy. The subtype
specifies the components to be configured. The following are required
subtypes for the IPSec policy:
selector
Creates a selector that is applied to the IP data traffic. A selector consists of a
set of parameters that identify the IP traffic that needs IPSec protection. To
configure the selector, the following parameters must be specified:
-tag name
Specifies a name for the selector. This is a user-generated name. The name
must be between 1 and 32 characters in length, and may include
alphanumeric characters, dashes (-), and underscores (_).
-direction in | out
Specifies traffic flow direction as inbound or outbound.
-local IP_address[/prefixlength]
Specifies the source IPv4 or IPv6 address, optionally with a prefix length.
-remote IP_address[/prefixlength]
Specifies the peer IPv4 or IPv6 address, optionally with a prefix length.
-transform name
Specifies the transform to be included in the selector. You must create the
transform before you can use it in the selector. Use ipsecConfig --show policy
ips transform to display existing transforms.
-protocol protocol_name
Specifies the upper layer protocols to be selected for IPSec protection. Valid
protocols are tcp, udp, icmp, and any. When any is specified, all protocols are
selected for protection. This operand is optional.
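The constraints above (tag naming rule, in/out direction, address with optional prefix, existing transform, protocol set) are easy to get wrong when selectors are scripted for many switches. The following is an added example, not code from the Fabric OS reference or from Brocade: it validates a selector specification against the rules stated in this section and renders the operands as a command line. The `--add` action keyword, the example tags and addresses, and the `selector_pair` helper are assumptions made for the example; the `known_transforms` argument stands in for the output of `ipsecConfig --show policy ips transform`.

```python
import ipaddress
import re

# Constraints stated in the ipSecConfig reference for the selector subtype.
TAG_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # 1-32 chars: alphanumerics, dashes, underscores
DIRECTIONS = ("in", "out")
PROTOCOLS = ("tcp", "udp", "icmp", "any")


def parse_endpoint(value):
    """Parse 'IP_address[/prefixlength]' as given to -local / -remote.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) host entry. strict=True
    rejects an address with host bits set under a shorter prefix, so a slip such
    as 10.33.74.13/24 fails loudly instead of widening the selector to a subnet.
    """
    return ipaddress.ip_network(value, strict=True)


def validate_selector(spec, known_transforms):
    """Return a list of problems with a selector spec; an empty list means usable.

    spec is a dict with keys tag, direction, local, remote, transform and the
    optional protocol. known_transforms is the set of transform tags already
    present on the switch (the caller supplies it; here it is constructed).
    """
    errors = []
    tag = spec.get("tag", "")
    if not TAG_RE.match(tag):
        errors.append("tag must be 1-32 alphanumerics, dashes or underscores: %r" % tag)
    if spec.get("direction") not in DIRECTIONS:
        errors.append("direction must be 'in' or 'out': %r" % spec.get("direction"))
    nets = {}
    for side in ("local", "remote"):
        try:
            nets[side] = parse_endpoint(spec[side])
        except (KeyError, ValueError) as exc:
            errors.append("%s: bad address/prefix (%s)" % (side, exc))
    # An IPv4 local endpoint cannot be paired with an IPv6 peer in one selector.
    if len(nets) == 2 and nets["local"].version != nets["remote"].version:
        errors.append("local and remote must be the same IP version")
    if spec.get("transform") not in known_transforms:
        errors.append("transform %r does not exist; create it first" % spec.get("transform"))
    proto = spec.get("protocol", "any")
    if proto not in PROTOCOLS:
        errors.append("protocol must be one of %s: %r" % (", ".join(PROTOCOLS), proto))
    return errors


def selector_command(spec):
    """Render the operands from the reference as one command line.

    The '--add' action keyword is an assumption made for this example; check it
    against the actions section of your Fabric OS release before using it.
    """
    parts = ["ipsecConfig", "--add", "policy", "ips", "selector",
             "-tag", spec["tag"], "-direction", spec["direction"],
             "-local", spec["local"], "-remote", spec["remote"],
             "-transform", spec["transform"]]
    if spec.get("protocol", "any") != "any":   # -protocol is optional; any is the default
        parts += ["-protocol", spec["protocol"]]
    return " ".join(parts)


def selector_pair(tag_prefix, local, remote, transform, protocol="any"):
    """Build the inbound and outbound selectors for one peer (assumed helper).

    A selector only covers traffic in the stated direction, so protecting a
    peer relationship needs an 'in' and an 'out' selector with the same
    endpoints and transform; building both at once avoids forgetting one.
    """
    return [
        {"tag": tag_prefix + "-IN", "direction": "in", "local": local,
         "remote": remote, "transform": transform, "protocol": protocol},
        {"tag": tag_prefix + "-OUT", "direction": "out", "local": local,
         "remote": remote, "transform": transform, "protocol": protocol},
    ]


if __name__ == "__main__":
    # Constructed sample input: one existing transform and one peer.
    existing = {"TRANSFORM01"}
    for sel in selector_pair("PEER1", "10.33.74.13", "10.33.69.132", "TRANSFORM01"):
        problems = validate_selector(sel, existing)
        print(selector_command(sel) if not problems else "; ".join(problems))
```

Run the validation before the selectors are pushed to the switch; the host-bits check and the transform existence check are the two that catch the quiet failures (a selector matching far more traffic than intended, or a selector that references a transform that was never created).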
transform
Creates the IPSec transform set. The transform set is a combination of IPSec
protocols and cryptographic algorithms that are applied on the packet after it
is matched to a selector. The transform set specifies the IPSec protocol, the
IPSec mode, and the action to be performed on the IP packet. It also
specifies the key management policy that is needed for the IPSec connection
and the encryption and authentication algorithms to be used in security
associations when IKE is used as key management protocol. The following
operands are required:
-tag name
Specifies a name for the transform. This is a user-generated name. The
name must be between 1 and 32 characters in length, and may include
alphanumeric characters, dashes (-), and underscores (_).