HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

ManualsBrandsHP ManualsStorageHP 8/80 Base (48) Full Fabric Ports Enabled SAN Switch

461

462

463

464

465

466

467

468

469

470

462 Configuring and monitoring FCIP extension services

The first step to configuring IPsec is to create a policy for IKE and a policy for IPsec. Once the policies have

been created, you assign the policies when creating the FCIP tunnel.

IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method.

Once the two phases of the negotiation are completed successfully, the actual encrypted data transfer can

begin.

IPsec policies are managed using the policy command.

You can configure up to 32 IKE and 32 IPsec policies. Policies cannot be modified; they must be deleted

and re-created in order to change the parameters. You can delete and re-create any policy as long as the

policy is not being used by an active FCIP tunnel.

Each FCIP tunnel is configured separately and may have the same or different IKE and IPsec policies as

any other tunnel. Only one IPsec tunnel can be configured for each GbE port.

IPsec parameters

When creating policies, the parameters listed in Table 93 are fixed and cannot be modified.

The parameters listed inTable 94 can be modified.

Creating an IKE and IPsec policy

For a complete description of the policy command, see the Fabric OS Command Reference.

1. Connect to the switch and log in using an account assigned to the admin role.

2. Enter the policy command to create IKE and IPsec policies:

policy --create type number [-enc encryption_method][-auth

authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs]

Table 93 Fixed policy parameters

Parameter Fixed Value

IKE negotiation protocol Main mode

ESP Tunnel mode

IKE negotiation authentication method Preshared key

3DES encryption Key length of 168 bits

AES encryption Key length of 128 or 256

Table 94 Modifiable policy parameters

Parameter Description

Encryption Algorithm 3DES—168-bit key

AES-128—128-bit key (default)

AES-256—256-bit key

Authentication Algorithm SHA-1—Secure Hash Algorithm (default)

MD5—Message Digest 5

AES-XCBC—Used only for IPsec

Security Association lifetime in

seconds

Security association lifetime in seconds. A new key is

renegotiated before seconds expires. seconds must be between

28800 to 250000000 or 0. The default is 28800.

PFS (Perfect Forward Secrecy) Applies only to IKE policies. Choices are On/Off and

default is On.

Diffie-Hellman group Group 1—768 bits (default)

Group 14—2048 bits