Reference Guide
Fabric OS FCIP Administrator’s Guide (53-1002474-01), page 59
Chapter 3: IPsec implementation over FCIP
Limitations using IPsec over FCIP tunnels
The following limitations apply to using IPsec:
• IPsec can only be configured on IPv4-based tunnels.
• Network Address Translation (NAT) is not supported.
• Authentication Header (AH) is not supported.
• You can only create a single secure tunnel on a port; you cannot create a nonsecure tunnel on the same port as a secure tunnel.
• IPsec-specific statistics are not supported.
• To change the configuration of a secure tunnel, you must delete the tunnel and recreate it.
• Jumbo frames are not supported for IPsec.
• There is no RAS message support for IPsec.
• Only a single route is supported on an interface with a secure tunnel.
• Secure tunnels cannot be created on a Brocade FR4-18i blade if any IPv6 addresses are defined on either ge0 or ge1.
• Secure tunnels cannot be defined with VLAN Tagged connections.
Configuring IPsec
IPsec requires predefined configurations for IKE and IPsec. You can enable IPsec only when these configurations are well-defined and properly created in advance.
The following describes the sequence of events that invokes the IPsec protocol.
1. Traffic from an IPsec peer with the lower local IP address initiates the IKE negotiation process.
2. IKE negotiates SAs and authenticates IPsec peers, and sets up a secure channel for negotiation of phase 2 (IPsec) SAs.
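The limitations listed above and the "lower local IP address initiates IKE" rule lend themselves to a pre-flight check run against a proposed tunnel before it is pushed to a switch. The following is an added example, not code from the Brocade guide or Fabric OS; the `FcipTunnel`/`SwitchState` data model, its field names and the sample addresses are constructed for illustration.

```python
# Added example: validate a proposed secure FCIP tunnel against the documented
# IPsec limitations. Data model and field names are assumptions, not Fabric OS API.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class FcipTunnel:
    port: str                 # GbE port carrying the tunnel, e.g. "ge0"
    local_ip: str
    remote_ip: str
    vlan_tagged: bool = False
    jumbo_frames: bool = False

@dataclass
class SwitchState:
    blade: str                                                      # e.g. "FR4-18i"
    addresses: Dict[str, List[str]] = field(default_factory=dict)  # port -> configured IPs
    routes: Dict[str, int] = field(default_factory=dict)           # port -> static route count
    tunnels: List[FcipTunnel] = field(default_factory=list)        # tunnels already defined

def check_secure_tunnel(t: FcipTunnel, sw: SwitchState) -> List[str]:
    """Return the documented limitations that the proposed secure tunnel violates."""
    errors = []
    local, remote = ipaddress.ip_address(t.local_ip), ipaddress.ip_address(t.remote_ip)
    if local.version != 4 or remote.version != 4:
        errors.append("IPsec can only be configured on IPv4-based tunnels")
    if any(o.port == t.port for o in sw.tunnels):
        errors.append("a port with a secure tunnel cannot carry any other tunnel")
    if t.vlan_tagged:
        errors.append("secure tunnels cannot be defined with VLAN tagged connections")
    if t.jumbo_frames:
        errors.append("jumbo frames are not supported for IPsec")
    if sw.routes.get(t.port, 0) > 1:
        errors.append("only a single route is supported on an interface with a secure tunnel")
    if sw.blade == "FR4-18i":
        v6 = [a for p in ("ge0", "ge1") for a in sw.addresses.get(p, [])
              if ipaddress.ip_address(a).version == 6]
        if v6:
            errors.append(f"FR4-18i: IPv6 addresses on ge0/ge1 block secure tunnels: {v6}")
    return errors

def ike_initiator(t: FcipTunnel) -> str:
    """The peer with the lower local IP address initiates IKE (both ends must be IPv4)."""
    return "local" if ipaddress.ip_address(t.local_ip) < ipaddress.ip_address(t.remote_ip) else "remote"

if __name__ == "__main__":
    sw = SwitchState("FR4-18i", {"ge0": ["10.0.0.1"], "ge1": ["10.0.1.1"]}, {"ge0": 1})
    tun = FcipTunnel("ge0", "10.0.0.1", "10.0.0.2")  # constructed sample addresses
    print(check_secure_tunnel(tun, sw) or "OK", "IKE initiator:", ike_initiator(tun))
```

Run `ike_initiator` only after `check_secure_tunnel` returns an empty list, since comparing an IPv4 and an IPv6 address raises `TypeError`.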
TABLE 10 IPsec terminology (Continued)
Term   Definition
ESP    Encapsulating Security Payload is the IPsec protocol that provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks.
IKE    Internet Key Exchange is defined in RFC 2407, RFC 2408 and RFC 2409. IKEv2 is defined in RFC 4306. IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived and communicating parties are authenticated. The IKE protocol creates a security association (SA) for both parties.
MD5    Message Digest 5, like SHA-1, is a popular one-way hash function used for authentication and data integrity.
SHA    Secure Hash Algorithm, like MD5, is a popular one-way hash function used for authentication and data integrity.
MAC    Message Authentication Code is a key-dependent, one-way hash function used for generating and verifying authentication data.
HMAC   Hash-based Message Authentication Code is a stronger MAC because it is a keyed hash inside a keyed hash.
SA     Security Association is the collection of security parameters and authenticated keys that are negotiated between IPsec peers.