10-25-2011 04:03 AM
The answer depends on the models you use (7500 or 7800).
Please refer to the Fabric OS FCIP Administrator's Guide (53-1001766-01) for implementation details.
Hope this helps,
10-25-2011 04:34 AM
In this case I'd start with the section "IPsec implementation over FCIP tunnels" on page 20 (page 28 if it's the FOS 7.0 Guide).
Here is a snippet from the manual:
IPsec is enabled as an option of the portcfg fciptunnel create and modify commands. The -i option activates IPsec. The -K option specifies the IKE key. The -l (legacy) option specifies to use the IPsec connection process compatible with Fabric OS releases prior to v7.0. Note that this option is a disruptive modify request that causes the tunnel to bounce.
The IKE key must be a shared 32-character string. Both ends of the secure tunnel must be configured with the same key string. If both ends are not configured with the same key, the tunnel will not come up. The following examples show IPsec and IKE keys enabled for traffic from VE_Ports 16 and 17 across multiple FCIP circuits.
portcfg fciptunnel 16 create 192.168.0.90 192.168.0.80 50000 -x 0 -d c0 -i
Hope this helps,
10-27-2011 07:32 AM
Thank you for your reply
1. Do we need to first configure an IPSec or IKE policy on the MP7800 before enabling it as per the command example below?
# portcfg fciptunnel 16 create 192.168.0.90 192.168.0.80 50000 -x 0 -d c0 -i -K12345678901234567890123456789012
2. Does the tunnel need to be down during the implementation of IPSec?
3. How/where are the IKE strings created?
10-29-2011 03:08 AM
IKE is the shared secret to identify both sides. It is used to exchange the encryption key in a secure way, which is used by IPsec later. The IKE is a string which you have to provide. Otherwise the link will not come up.
IPsec is a procedure to decrypt & encrypt the data between both links.
I hope this helps,
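A pre-flight check for the commands entered on the two ends of the tunnel, as an added example that is not part of the thread or of the vendor's documentation: it checks the points from the quoted manual text (-i present, a 32-character -K key, the same key on both ends) and can generate a random key. The flag parsing, the mirrored-address check and the key character set are assumptions based only on the example command shown in the thread.

```python
import secrets
import string

KEY_LEN = 32  # quoted manual text: "a shared 32-character string"

def new_ike_key():
    # Assumption: letters and digits are accepted; the thread does not list the allowed characters.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(KEY_LEN))

def parse(cmd):
    # Pull the IPsec-relevant parts out of one "portcfg fciptunnel ... create" line.
    tokens = cmd.lstrip("# ").split()
    info = {"ipsec": False, "key": None, "addrs": [], "bad_dash": []}
    for i, tok in enumerate(tokens):
        if tok[0] in "\u2013\u2014\u2212":  # en dash, em dash or minus sign pasted from a document
            info["bad_dash"].append(tok)
        elif tok == "-i":
            info["ipsec"] = True
        elif tok.startswith("-K"):
            # Key attached to the flag as in the thread, or given as the next token.
            info["key"] = tok[2:] or (tokens[i + 1] if i + 1 < len(tokens) else "")
        elif tok.count(".") == 3 and tok.replace(".", "").isdigit():
            info["addrs"].append(tok)
    return info

def check_pair(cmd_a, cmd_b):
    a, b = parse(cmd_a), parse(cmd_b)
    problems = []
    for name, side in (("A", a), ("B", b)):
        problems += [f"{name}: '{t}' starts with a non-ASCII dash" for t in side["bad_dash"]]
        if not side["ipsec"]:
            problems.append(f"{name}: -i missing, IPsec not enabled")
        if side["key"] is None:
            problems.append(f"{name}: -K missing, no IKE key")
        elif len(side["key"]) != KEY_LEN:
            problems.append(f"{name}: IKE key is {len(side['key'])} characters, need {KEY_LEN}")
    if a["key"] and b["key"] and a["key"] != b["key"]:
        problems.append("IKE keys differ between the two ends")
    if a["addrs"] != b["addrs"][::-1]:  # assumption: the peer lists the same two addresses swapped
        problems.append("IP addresses are not mirrored between the two ends")
    return problems

# Constructed sample commands (key and addresses reuse the thread's example values).
SITE_A = "portcfg fciptunnel 16 create 192.168.0.90 192.168.0.80 50000 -x 0 -d c0 -i -K12345678901234567890123456789012"
SITE_B = "portcfg fciptunnel 16 create 192.168.0.80 192.168.0.90 50000 -x 0 -d c0 -i -K12345678901234567890123456789012"

if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B) or "no problems found")
```

An empty list from check_pair means the two command lines agree on the IPsec settings; it says nothing about whether the switch itself accepts them.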