Fibre Channel (SAN)

Contributor
Posts: 34
Registered: ‎03-02-2010

How to enable IPsec on FCIP SAN Switch

Hello

I would like to know how to enable IPsec on FCIP SAN Switch.

Please advise

Thanks

Chetan R

Regular Contributor
Posts: 201
Registered: ‎11-24-2009

Re: How to enable IPsec on FCIP SAN Switch

Hi rangarao_chetan,

The answer depends on the models you use (7500 or 7800).

Please refer to Fabric OS FCIP Administrator's Guide (53-1001766-01) for implementation details.

Hope this helps,

Linar

Contributor
Posts: 34
Registered: ‎03-02-2010

Re: How to enable IPsec on FCIP SAN Switch

Hello Linar

It is an MP-7800 router

Thanks

Chetan R

Regular Contributor
Posts: 201
Registered: ‎11-24-2009

Re: How to enable IPsec on FCIP SAN Switch

In this case I'd start with section IPsec implementation over FCIP tunnels on page 20 (page 28 if it's FOS 7.0 Guide).

Here is a snippet from the manual:

IPsec is enabled as an option of the portcfg fciptunnel create and modify commands. The -i option activates IPsec. The -K option specifies the IKE key. The -l (legacy) option specifies to use the IPsec connection process compatible with Fabric OS releases prior to v7.0. Note that this option is a disruptive modify request that causes the tunnel to bounce.

The IKE key must be a shared 32-character string. Both ends of the secure tunnel must be configured with the same key string. If both ends are not configured with the same key, the tunnel will not come up. The following examples show IPsec and IKE keys enabled for traffic from VE_Ports 16 and 17 across multiple FCIP circuits.

portcfg fciptunnel 16 create 192.168.0.90 192.168.0.80 50000 -x 0 -d c0 -i -K12345678901234567890123456789012 -l

Hope this helps,

Linar

Contributor
Posts: 34
Registered: ‎03-02-2010

Re: How to enable IPsec on FCIP SAN Switch

Hello Linar

Thank you for your reply

1. Do we need to first configure IPSec or IKE policy on the MP7800 before enabling it as per command example below?

# portcfg fciptunnel 16 create 192.168.0.90 192.168.0.80 50000 -x 0 -d c0 -i -K12345678901234567890123456789012

2. Does the tunnel need to be down during the implementation of IPsec?

3. How/where are the IKE strings created?

Contributor
Posts: 34
Registered: ‎03-02-2010

Re: How to enable IPsec on FCIP SAN Switch

Hello Linar

In addition to the above, I have two more queries

4. What is the difference between IKE and IPsec policy? Should I create two separate policies or one?

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: How to enable IPsec on FCIP SAN Switch

Hi,

IKE is the shared secret to identify both sides. It is used to exchange the encryption key in a secure way which is used by IPsec later. The IKE is a string which you have to provide. Otherwise the link will not come up.

IPsec is a procedure to de & encrypt the data between both links.

I hope this helps,

Andreas
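
Added example, not part of the thread or of the Brocade manual: the IKE key is a 32-character string that the administrator supplies and that must be identical on both ends, so this Python sketch generates one from the OS CSPRNG (rather than reusing the manual's sample digits) and checks the two ends' command lines offline before they are typed in. The alphanumeric alphabet, the function names and the far-end command line with swapped addresses are assumptions; the command lines are constructed sample input.

```python
import secrets
import string

KEY_LEN = 32  # the manual snippet quoted in the thread requires 32 characters
ALPHABET = string.ascii_letters + string.digits  # assumption: alphanumerics are accepted
TYPOGRAPHIC_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"


def new_ike_key():
    """Return a random 32-character key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))


def parse_ipsec_opts(cmd):
    """Pull the IPsec-related options out of one portcfg fciptunnel line."""
    tokens = cmd.split()
    opts = {"ipsec": "-i" in tokens, "key": None,
            "bad_dash": [t for t in tokens if t[0] in TYPOGRAPHIC_DASHES]}
    for n, tok in enumerate(tokens):
        if tok.startswith("-K"):
            # Accept "-K<key>" (as in the manual snippet) and "-K <key>".
            opts["key"] = tok[2:] or (tokens[n + 1] if n + 1 < len(tokens) else None)
    return opts


def check_pair(cmd_a, cmd_b):
    """Return a list of problems with the IPsec options of the two tunnel ends."""
    a, b = parse_ipsec_opts(cmd_a), parse_ipsec_opts(cmd_b)
    problems = []
    for name, o in (("A", a), ("B", b)):
        if o["bad_dash"]:
            problems.append(f"{name}: non-ASCII dash in {o['bad_dash']}")
        if not o["ipsec"]:
            problems.append(f"{name}: -i missing, IPsec not activated")
        if o["key"] is None or len(o["key"]) != KEY_LEN:
            problems.append(f"{name}: IKE key is not {KEY_LEN} characters")
    if a["key"] != b["key"]:
        problems.append("IKE keys differ, tunnel will not come up")
    return problems


if __name__ == "__main__":
    key = new_ike_key()
    # Constructed sample lines; swapping the addresses for the far end is an assumption.
    base = "portcfg fciptunnel 16 create {} {} 50000 -x 0 -d c0 -i -K{}"
    site_a = base.format("192.168.0.90", "192.168.0.80", key)
    site_b = base.format("192.168.0.80", "192.168.0.90", key)
    print(check_pair(site_a, site_b) or "IPsec options consistent on both ends")
```

The check also catches an option whose leading hyphen was replaced by a typographic dash when the command was pasted from a word processor or web page.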
