Reference Guide

Brocade Fabric OS Command Reference 447
53-1004112-02
ipSecConfig
-lttime number
Specifies the key lifetime in seconds. If a lifetime is not specified, the keys do not expire.
If a lifetime is specified both in seconds and in bytes, the keys expire when the first
expiration criterion is met.
-ltbyte number
Specifies the key lifetime in bytes. The keys expire after the specified number of bytes
have been transmitted.
-pfs on | off
Enables or disables Perfect Forward Secrecy (PFS). PFS is disabled by default. When
PFS is disabled, IKE uses the initial master key it generates in Phase1 to generate the
keys for SA connections in Phase2. When PFS is enabled, a new key is generated for
keying the SAs. Enabling PFS may provide enhanced protection against key
compromise.
-version 1 | 2
Specifies the IKE version. This operand is optional. If not specified, IKEv2 (2) is used. If
1 is specified, IKEv1 is selected. Use -v 2 to revert to version 2 after version 1 has been set.
manual-sa
Creates manually keyed SADB entries. When using this option, you must generate the keys
manually. The lifetime of an SA entry created using this command is infinite. You cannot
modify manually keyed SA entries. Use ipsecConfig --flush, or ipsecConfig --delete and
recreate the entries. The syntax for creating an SADB entry is as follows:
ipsecconfig --add manual-sa arguments.
arguments
Valid arguments for manual-sa include the following:
-sp number
Specifies the security parameter index (SPI) for the SA. This is a user-defined index.
Valid SPI numbers consist of numeric characters (0-9).
-local ipaddress
Specifies the local IPv4 or IPv6 address.
-remote ipaddress
Specifies the remote IPv4 or IPv6 address.
-protocol protocol_name
Specifies the upper layer protocols to be selected for protection. Valid protocols include
tcp, udp, icmp, or any. When any is specified, all existing protocols are selected for
protection.
-ipsec ah | esp
Specifies the IPSec protocol. Encapsulating Security Payload (ESP) provides
confidentiality, data integrity and data source authentication of IP packets, and
protection against replay attacks. Authentication Header (AH) provides data integrity,
data source authentication, and protection against replay attacks but, unlike ESP, does
not provide confidentiality.
-action discard | bypass | protect
Specifies the IPSec protection type regarding the traffic flows.
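As an added illustration, not code from Brocade or this reference, the following Python model encodes the key-lifetime rule (-lttime / -ltbyte, first criterion met, no limit means no expiry, manual-sa always infinite) and the manual-sa operand constraints listed above; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SaLifetime:
    """Key lifetime of one SA, as set by -lttime (seconds) and -ltbyte (bytes).
    Both None means the keys never expire: the default, and always the case
    for manually keyed entries created with manual-sa."""
    seconds: Optional[int] = None      # -lttime
    byte_limit: Optional[int] = None   # -ltbyte

    def expired(self, elapsed_seconds: int, bytes_transmitted: int) -> bool:
        # When both limits are set, the keys expire as soon as the FIRST one is met.
        by_time = self.seconds is not None and elapsed_seconds >= self.seconds
        by_bytes = self.byte_limit is not None and bytes_transmitted >= self.byte_limit
        return by_time or by_bytes


# manual-sa entries are infinite and cannot be modified (flush/delete and recreate).
MANUAL_SA_LIFETIME = SaLifetime()

VALID_PROTOCOLS = {"tcp", "udp", "icmp", "any"}
VALID_IPSEC = {"ah", "esp"}
VALID_ACTIONS = {"discard", "bypass", "protect"}


def check_manual_sa_operands(sp: str, protocol: str, ipsec: str, action: str) -> dict:
    """Validate manual-sa operands before handing them to the switch CLI.
    Raises ValueError naming the offending operand; returns the parsed values."""
    if not re.fullmatch(r"[0-9]+", sp):          # SPI: ASCII digits 0-9 only
        raise ValueError(f"-sp must consist of numeric characters 0-9, got {sp!r}")
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"-protocol must be one of {sorted(VALID_PROTOCOLS)}, got {protocol!r}")
    if ipsec not in VALID_IPSEC:
        raise ValueError(f"-ipsec must be ah or esp, got {ipsec!r}")
    if action not in VALID_ACTIONS:
        raise ValueError(f"-action must be one of {sorted(VALID_ACTIONS)}, got {action!r}")
    return {
        "sp": int(sp),
        "protocol": protocol,
        "ipsec": ipsec,
        "action": action,
        # AH gives integrity, source authentication and anti-replay but no encryption.
        "confidentiality": ipsec == "esp",
    }
```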