HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

390 Configuring and monitoring FCIP extension services
IPSec can be configured only on IPv4-based tunnels. Secure tunnels cannot be created on a 400
Multi-protocol Router or FR4-18i blade if any IPv6 addresses are defined on either ge0 or ge1.
Secure tunnels cannot be defined over VLAN-tagged connections.
Configuring IPSec
IPSec requires predefined configurations for IKE and IPSec. You can enable IPSec only when these
configurations are well-defined and properly created in advance.
The following describes the sequence of events that invokes the IPSec protocol.
1. Traffic from an IPSec peer with the lower local IP address initiates the IKE negotiation process.
2. IKE negotiates SAs and authenticates IPSec peers, and sets up a secure channel for negotiation of
phase 2 (IPSec) SAs.
3. IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated SA
parameters include encryption and authentication algorithms, Diffie-Hellman key exchange, and SA
lifetimes.
4. Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA
database.
5. The IPSec tunnel terminates: its SAs end either when they are deleted or when their lifetimes time out.
All of these steps require that the correct policies have been created. Because policy creation is an
independent procedure from FCIP tunnel creation, you must know which IPSec configurations have been
created. This ensures that you choose the correct configurations when you enable an IPSec tunnel.
The first step to configuring IPSec is to create a policy for IKE and a policy for IPSec. Once the policies
have been created, you assign the policies when creating the FCIP tunnel.
IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method.
Once the two phases of the negotiation are completed successfully, the actual encrypted data transfer can
begin.
IPSec policies are managed using the policy command.
You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted
and recreated in order to change the parameters. You can delete and recreate any policy as long as the
policy is not being used by an active FCIP tunnel.
Each FCIP tunnel is configured separately and may have the same or different IKE and IPSec policies as
any other tunnel. Only one IPSec tunnel can be configured for each GbE port.
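The constraints above (IPv4-only tunnels, no VLAN tagging, predefined IKE and IPSec policies, the 32-policy limit per type, one IPSec tunnel per GbE port, and no deletion of a policy used by an active tunnel) can be checked before a tunnel is enabled. The pre-flight validator below is an added example, not part of this guide or of Fabric OS; the Port and Tunnel classes, their field names and the sample values are assumptions.

```python
"""Pre-flight checks for enabling IPSec on an FCIP tunnel, modelled on the
constraints stated in the guide. Constructed example: the classes and
field names are assumptions, not Fabric OS commands or APIs."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_POLICIES = 32  # limit per policy type (IKE and IPSec) stated in the guide


@dataclass
class Port:
    name: str                                      # e.g. "ge0"
    addresses: list = field(default_factory=list)  # IP addresses defined on the port


@dataclass
class Tunnel:
    port: str
    local_ip: str
    remote_ip: str
    vlan_tagged: bool = False
    ike_policy: Optional[int] = None
    ipsec_policy: Optional[int] = None
    active: bool = False


def ipsec_preflight(tunnel, ports, ike_policies, ipsec_policies, tunnels):
    """Return the reasons a secure tunnel cannot be enabled; an empty list means OK."""
    errors = []
    for ip in (tunnel.local_ip, tunnel.remote_ip):       # IPv4-based tunnels only
        if ipaddress.ip_address(ip).version != 4:
            errors.append(f"IPSec requires IPv4 endpoints; {ip} is IPv6")
    for p in ports:                                      # no IPv6 on ge0/ge1 at all
        if p.name in ("ge0", "ge1") and any(ipaddress.ip_address(a).version == 6 for a in p.addresses):
            errors.append(f"IPv6 address defined on {p.name}; secure tunnels are disabled")
    if tunnel.vlan_tagged:
        errors.append("secure tunnels cannot use VLAN-tagged connections")
    if tunnel.ike_policy not in ike_policies:            # policies must pre-exist
        errors.append(f"IKE policy {tunnel.ike_policy} is not defined")
    if tunnel.ipsec_policy not in ipsec_policies:
        errors.append(f"IPSec policy {tunnel.ipsec_policy} is not defined")
    if any(t.port == tunnel.port and t.ipsec_policy is not None for t in tunnels if t is not tunnel):
        errors.append(f"port {tunnel.port} already carries an IPSec tunnel")  # one per GbE port
    return errors


def can_delete_policy(policy_id, kind, tunnels):
    """A policy may be deleted (and recreated) only if no active FCIP tunnel uses it."""
    attr = "ike_policy" if kind == "ike" else "ipsec_policy"
    return not any(t.active and getattr(t, attr) == policy_id for t in tunnels)


def can_create_policy(policies):
    """Each policy type holds at most MAX_POLICIES entries."""
    return len(policies) < MAX_POLICIES
```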
IPSec parameters
When creating policies, the parameters listed in Table 87 are fixed and cannot be modified:
Table 87 Fixed policy parameters

Parameter                               Fixed value
IKE negotiation protocol                Main mode
ESP                                     Tunnel mode
IKE negotiation authentication method   Preshared key
3DES encryption                         Key length of 168 bits
AES encryption                          Key length of 128 or 256 bits