Reference Guide

Brocade Fabric OS Command Reference 453
53-1004112-02
ipSecConfig
Example 2
The following example illustrates how to secure traffic between two systems using ESP protection with
3DES_CBC encryption and SHA1 authentication, and how to configure IKE with RSA certificates signed by the
certification authority (CA). The two systems are a switch, BROCADE300 (IPv6 address
fe80::220:1aff:fe34:2e82), and an external UNIX host (IPv6 address fe80::205:1fff:fe51:f09e).
1. On the system console, log in to the switch as Admin and enable IPSec.
switch:admin> ipsecconfig --enable
2. Create an IPSec SA policy named ESP01, which uses ESP protection with 3DES and SHA1.
switch:admin> ipsecconfig --add policy ips sa -t ESP01 \
-p esp -enc 3des_cbc -auth hmac_sha1
3. Create an IPSec proposal IPSEC-ESP to use ESP01 as the SA.
switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPSEC-ESP -sa ESP01
4. Configure the SA proposal lifetime in seconds.
switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPSEC-ESP -lttime 280000 -sa ESP01
5. Import the public key for the BROCADE300 (Brocade300.pem), the private key for BROCADE300
(Brocade300-key.pem), and the public key of the external host (remote-peer.pem) in X.509 PEM format
from the remote certificate server (10.6.103.139).
switch:admin> seccertutil import -ipaddr 10.103.6.139 \
-remotedir /root/certs -certname Brocade300.pem
switch:admin> seccertutil import -ipaddr 10.103.6.139 \
-remotedir /root/certs -certname Brocade300-key.pem
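The following is an added check, not part of the Fabric OS reference: a small Python linter that reads the ipsecconfig command sequence from steps 1 through 4 (as pasted from a console log, continuation backslashes included), flags a 64-bit block cipher such as 3des_cbc in an SA policy, reports a proposal that references an SA not yet defined, and notes a missing --enable. The sample input is constructed from the commands above; the parse_commands and lint names are the example's own.

```python
"""Lint an ipsecconfig command sequence before applying it (added example, not Brocade code)."""
import re
import shlex
# Constructed sample: the console commands from steps 1-4 of the example above.
SAMPLE = r"""
switch:admin> ipsecconfig --enable
switch:admin> ipsecconfig --add policy ips sa -t ESP01 \
-p esp -enc 3des_cbc -auth hmac_sha1
switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPSEC-ESP -sa ESP01
switch:admin> ipsecconfig --add policy ips sa-proposal \
-t IPSEC-ESP -lttime 280000 -sa ESP01
"""
# 64-bit block ciphers (DES/3DES) are exposed to SWEET32-style birthday attacks on long-lived SAs and 3DES is NIST-deprecated.
LEGACY_ENC = {"des_cbc", "3des_cbc"}

def parse_commands(text):
    """Yield (positional words, {flag: value}) per ipsecconfig line, joining '\\' continuations."""
    for line in re.sub(r"\\\n\s*", " ", text.strip()).splitlines():
        words = shlex.split(line.split("> ", 1)[-1])   # drop the "switch:admin> " prompt if present
        if not words or words[0] != "ipsecconfig":
            continue
        pos, flags, i = [], {}, 1
        while i < len(words):
            w = words[i]
            if not w.startswith("-"):
                pos.append(w)
                i += 1
                continue
            has_val = i + 1 < len(words) and not words[i + 1].startswith("-")
            flags[w.lstrip("-")] = words[i + 1] if has_val else True
            i += 2 if has_val else 1
        yield pos, flags

def lint(text):
    """Return findings as strings; an empty list means nothing was detected."""
    findings, defined_sas, enabled = [], set(), False
    for pos, flags in parse_commands(text):
        enabled = enabled or "enable" in flags
        kind = pos[-1] if pos else ""
        if kind == "sa":                 # --add policy ips sa -t NAME -enc CIPHER ...
            defined_sas.add(flags.get("t"))
            if flags.get("enc") in LEGACY_ENC:
                findings.append(f"SA {flags.get('t')}: legacy 64-bit block cipher {flags['enc']}")
        elif kind == "sa-proposal":      # --add policy ips sa-proposal -t NAME -sa SA
            if flags.get("sa") not in defined_sas:
                findings.append(f"proposal {flags.get('t')}: references undefined SA {flags.get('sa')}")
    if not enabled:
        findings.append("IPsec not enabled: 'ipsecconfig --enable' missing")
    return findings
```

Running lint(SAMPLE) on the sequence above reports only the 3des_cbc finding; the proposal and enable checks pass.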