Brocade Fabric OS Command Reference Manual (53-1000240-01, November 2006)

ManualsBrandsHP ManualsComputer AccessoriesHP SN8000B 4-slot Director Enterprise ICL E-LTU

451

452

453

454

455

456

457

458

459

460

2-426 Fabric OS Command Reference Manual

Publication Number: 53-1000240-01

policy

Note: Enter commands in lowercase only; mixed case is for readability.

policy

Displays or modifies the encryption and authentication algorithms for security policies.

Synopsis policy option type number [--enc method] [--auth algorithm] [--pfs value] [--dh group] [--seclife sec-

onds]

Description Use this command to display or modify the encryption and authentication algorithms for security

policies. You can configure a maximum of 32 Internet key exchange (IKE) and 32 Internet protocol

security (IPSec) policies.

Each FCIP tunnel is configured separately and might have the same or different IKE and IPSec policies.

Policies cannot be altered. To change the parameters associated with a current IKE or IPSec policy, that

policy needs to be deleted and re-created with new parameters.

A policy cannot be deleted while an active FCIP tunnel is using it.

Operands option Specifies the action to take. Actions include:

--create Creates the policy.

--delete Deletes the policy.

--show Displays the policy.

type Specifies the policy type. Types include:

--ike Internet key exchange.

--ipsec Internet protocol security.

number Specifies the numeric ID of the policy. Valid values are 1 to 32, and ALL with the

--show option.

Optional

Operands

--enc method Specifies the encryption algorithm. The default is AES-128. Methods include:

3DES Triple data encryption standard, 192-bit key.

AES-128 Advanced encryption standard, 128-bit key.

AES-256 Advanced encryption standard, 256-bit key.

--auth algorithm Specifies the authentication algorithm. The default is SHA-1. Algorithms include:

SHA-1 Secure hash algorithm.

MD5 Message digest 5

AES-XCBC Advanced encryption standard. Valid only wiht IPSec.

--pfs value Specifies the perfect forward secrecy. This operand is valid only with IKE

policies. Values are on (default) or off.

--dh group Specifies the Diffie-Hellman group used in PFS negotiation. This operand is valid

only with IKE policies. The default is 1. Values include:

1 Fastest as it uses 768 bit values, but least secure.

14 Slowest as it uses 2048 bit values, but most secure.

--seclife seconds Security association lifetime in seconds. A new key is renegotiated before seconds

expires. seconds must be between 28800 to 250000000 or 0. The default is 28800.