Deployment Guide

Using the ipSecConfig command, you must configure multiple security policies for traffic flows on the
Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6 addresses,
the type of application, port numbers, and protocols used (UDP/TCP/ICMP). You must specify the
transforms and processing choices for the traffic flow (drop, protect or bypass). Also, you must select
and configure the key management protocol using an automatic or manual key.
For more information on IPv4 and IPv6 addressing, refer to Performing Basic Configuration Tasks on
page 37.
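As an added illustration (not Fabric OS code and not ipSecConfig syntax), the Python below models the per-flow selection that the policies described above perform: ordered selectors on an IPv4 or IPv6 address, an address range, the protocol (UDP/TCP/ICMP) and port numbers, each yielding drop, protect or bypass, with the first matching policy winning. Unmatched traffic is dropped, as RFC 4301 specifies for an SPD lookup; the policy names, addresses and ports are constructed for the example.

```python
"""Model of first-match IPsec policy selection for management-interface flows.

Added example: an ordered RFC 4301-style security policy database (SPD) whose
entries select on IPv4/IPv6 address, address range, protocol and port, and
return a verdict of drop / protect / bypass.  Not Fabric OS code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for ICMP (no port)


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                 # single address, CIDR, or "first-last" range
    dst: str
    proto: Optional[str]     # None matches any protocol
    dports: Optional[range]  # None matches any port
    action: str              # "drop", "protect" or "bypass"


def _addr_match(spec: str, addr: str) -> bool:
    """True if addr falls inside spec; IPv4 and IPv6 never match each other."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:  # explicit range "first-last"
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return net.version == ip.version and ip in net


def matches(p: Policy, f: Flow) -> bool:
    if not (_addr_match(p.src, f.src) and _addr_match(p.dst, f.dst)):
        return False
    if p.proto is not None and p.proto != f.proto:
        return False
    if p.dports is not None and (f.dport is None or f.dport not in p.dports):
        return False
    return True


def decide(spd: List[Policy], f: Flow) -> str:
    """First-match walk over the SPD; anything unmatched is dropped."""
    for p in spd:
        if matches(p, f):
            return p.action
    return "drop"


# Constructed sample SPD for a management interface at 10.0.0.5 / 2001:db8::1.
SAMPLE_SPD = [
    Policy("mgmt-ssh", "10.0.0.0/24", "10.0.0.5", "tcp", range(22, 23), "protect"),
    Policy("ntp", "0.0.0.0/0", "10.0.0.5", "udp", range(123, 124), "bypass"),
    Policy("icmp-v6", "2001:db8::/32", "2001:db8::1", "icmp", None, "bypass"),
    Policy("snmp", "10.0.1.10-10.0.1.20", "10.0.0.5", "udp", range(161, 163), "protect"),
]
```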
Configuration examples
Below are several examples of various configurations you can use to implement an IPsec tunnel
between two devices. You can configure other scenarios as nested combinations of these
configurations.
Endpoint-to-endpoint transport or tunnel
In this scenario, both endpoints of the IP connection implement IPsec, as required of hosts in RFC4301.
Transport mode encrypts only the payload while tunnel mode encrypts the entire packet. A single pair of
addresses will be negotiated for packets protected by this SA.
It is possible in this scenario that one or both of the protected endpoints will be behind a network
address translation (NAT) node, in which case tunneled packets will have to be UDP-encapsulated so
that port numbers in the UDP headers can be used to identify individual endpoints behind the NAT.
FIGURE 15 Protected endpoints configuration
A possible drawback of end-to-end security is that applications that need to inspect or modify a packet in transit will fail when end-to-end confidentiality is employed. QoS solutions, traffic shaping, and firewalling applications will be unable to determine what type of packet is being transmitted and so will be unable to make the decisions they are supposed to make.
Gateway-to-gateway tunnel
In this scenario, neither endpoint of the IP connection implements IPsec, but the network nodes
between them protect traffic for part of the way. Protection is transparent to the endpoints, and depends
on ordinary routing to send packets through the tunnel endpoints for processing. Each endpoint would
announce the set of addresses behind it, and packets would be sent in tunnel mode where the inner IP
header would contain the IP addresses of the actual endpoints.
Configuration examples
Fabric OS Administrator's Guide 245
53-1003130-01