HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

432 Configuring and monitoring FCIP extension services

IPSec policies are managed using the policy command.

You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted

and recreated in order to change the parameters. You can delete and recreate any policy as long as the

policy is not being used by an active FCIP tunnel.

Each FCIP tunnel is configured separately and may have the same or different IKE and IPSec policies as

any other tunnel. Only one IPSec tunnel can be configured for each GbE port.

IPSec parameters

When creating policies, the parameters listed in Table 98 are fixed and cannot be modified:

The parameters listed inTable 99 can be modified:

Table 98 Fixed policy parameters

Parameter Fixed Value

IKE negotiation protocol Main mode

ESP Tunnel mode

IKE negotiation authentication method Preshared key

3DES encryption Key length of 168 bits

AES encryption Key length of 128 or 256

Table 99 Modifiable policy parameters

Parameter Description

Encryption Algorithm 3DES—168-bit key

A ES -128 — 128-bi t key ( d efa u lt)

AES-256—256-bit key

Authentication Algorithm SHA-1—Secure Hash Algorithm (default)

MD5—Message Digest 5

AES-XCBC—Used only for IPSec

Security Association lifetime in

seconds

The lifetime in seconds of the security association. If PFS is

enabled, a new IKE SA using new key material will be

negotiated before this value expires. Default is 28800 sec.

PFS (Perfect Forward Secrecy) Applies only to IKE policies. Choices are On/Off and

default is On.

Diffie-Hellman group Group 1—768 bits (default)

Group 14—2048 bits