04-13-2010 09:27 AM
I want to know how to enable ipsec on fcip tunnels between two 7500B routers running FOS 6.2.0g. I have read the manual and it talks about ipseconfig command and gives a lengthy procedure. I have also read another teknote about the policy command to create ipsec and ike policies on both switches and then creating the tunnels on both sides using the same ipsec and ike policies with a shared key. But that didn't work. I did that on one tunnel but the other tunnel which was not touched also went offline. Does anybody know what sequence of steps I should follow to enable ipsec on the tunnels.
04-14-2010 01:51 AM
for begin, this are the elementary Step in order to Create / Enable IPsec on FCIP, see below.
IPsec works on FCIP tunnels with or without IP compression (IPComp), FCIP Fastwrite, and Tape Pipelining. IPsec can only be
created on tunnels using IPv4 addressing.
The following limitations apply to using IPsec:
• NAT and AH are not supported.
• You can only create a single secure tunnel on a port. You cannot create a nonsecure tunnel on
the same port as a secure tunnel.
• IPsec-specific statistics are not supported.
• To change the configuration of a secure tunnel, you must delete the tunnel and recreate it.
• Jumbo frames are not supported for IPsec.
• There is no RAS message support for IPsec.
• Only a single route is supported on an interface with a secure tunnel.
• IPsec can only be configured on IPv4 based tunnels.
• Secure Tunnels cannot be defined with VLAN Tagged connections.
IPsec requires predefined configurations for Internet Key Exchange (IKE) and IPsec. You can
enable IPsec only when these configurations are well-defined and properly created in advance.
The following describes the sequence of events that invokes the IPsec protocol.
1. Traffic from an IPsec peer with the lower local IP address initiates the IKE negotiation process.
2. IKE negotiates SAs and authenticates IPsec peers, and sets up a secure channel for
negotiation of phase 2 (IPsec) SAs.
3. IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated
SA parameters include encryption and authentication algorithms, Diffie-Hellman key exchange,
and SA lifetimes.
4. Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the
5. IPsec tunnel termination. SA lifetimes terminate through deletion or by timing out.
All of these steps require that the correct policies have been created.
Because policy creation is an independent procedure from FCIP tunnel creation, you must know which
IPsec configurations have been created.
This ensures that you choose the correct configurations when you enable an IPsec tunnel.
The first step to configuring IPsec is to create a policy for IKE and a policy for IPsec.
Once the policies have been created, you assign the policies when creating the FCIP tunnel.
IKE negotiates SA parameters and authenticates the peer using the preshared key authentication
method. Once the two phases of the negotiation are completed successfully,
the actual encrypted data transfer can begin.
IPsec policies are managed using the policy command.
You can configure up to 32 IKE and 32 IPsec policies. Policies cannot be modified; they must be
deleted and recreated in order to change the parameters. You can delete and recreate any policy
as long as the policy is not being used by an active FCIP tunnel.
Each FCIP tunnel is configured separately and may have the same or different IKE and IPsec
policies as any other tunnel. Only one IPsec tunnel can be configured for each GbE port.
IPsec-enabled tunnels cannot be modified. They can only be deleted and then recreated with new
options. This is because IPsec key negotiation uses many of the parameter values during secure tunnel initialization.
Creating IKE and IPsec policies
For a complete description of the policy command, see the Fabric OS Command Reference.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the policy command to create IKE and IPsec policies:
policy --create type number
For details and operand's How to create IKE and IPsec Policies refer the Fabric OS FCIP Administrator Guide.
04-14-2010 11:22 AM
techhelp24. Thanks for the detailed response. I understand what you explained above. Here is what the setup is and what I tried to do . Two 7500 connected over lan. Each with 2 gige connected to the WAN. Currently, each switch has two fcip tunnels, one tunnel per gige port and both tunnels are up. I created one ipsec and one ike policy on each switch using the policy command. For consistency sake, I used policy number 1 for both ipsec and ike on both switches. I deleted tunnel id 0 on ge0 on both switches leaving tunnel 0 on ge1 up. Then i recreated tunnel 0 on ge0 with ipsec and ike policy number 1 for both and used a shared phrase and did the same thing on the other switch. This newly created tunnel didn't come up but doing this also caused the tunnel on ge1 to go offline without even being touched. I am not sure what happened but it didn't work. is there any timing issue when creating the tunnels ?
04-14-2010 09:36 PM
Quick question, which FOS release is current loaded ?
...nevermind, I've just see in the threads, FOS 6.2.0g
Message was edited by: TechHelp24