Configuring IPsec Configuring IPsec on the OmniSwitch
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 18-11
The above command replaces the old security key with the new key value. The old key value must be
entered to modify an existing key. If an incorrect old key value is entered, then setting the new key will
fail.
When the master security key is set or changed, its value is immediately propagated to the secondary
CMM. When the master security key is changed, save and synchronize the current configuration to ensure
the proper operation of IPsec in the event of a switch reboot or takeover.
Note.
• By default, no master security key is set for the switch. When no master security key is configured for
the switch, the SA key values are written unencrypted to permanent storage (boot.cfg or other
configuration file).
• When running in a virtual chassis setup, the master security key must be manually configured, to the
same value, on each switch.
Configuring an IPsec Policy
A policy determines how traffic is going to be processed. For example, policies are used to decide if a
particular IPv6 packet needs to be processed by IPsec or not. If security is required, the security policy
provides general guidelines as to how it should be provided, and if necessary, links to more specific detail.
Each IPsec security policy is unidirectional and can be applied to IPv6 inbound or outbound traffic
depending upon the security level required for the network. Therefore, in order to cover all traffic between
source and destination, a minimum of two policies need to be defined; one policy for inbound traffic and
another policy for outbound traffic.
To configure an IPsec policy, use the ipsec policy command along with the policy name, source IPv6
address, destination IPv6 address and optional parameters such as IPv6 port number, and protocol to
which the security policy gets applied. For example:
Local System
-> ipsec policy tcp_in source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 protocol
tcp in ipsec description “IPsec on all inbound TCP” admin-state enable
-> ipsec policy tcp_out source 3ffe:1:1:1::1 destination 3ffe:1:1:1:99 protocol
tcp out ipsec description “IPsec on all outbound TCP” admin-state enable
Remote System
-> ipsec policy tcp_out source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 protocol
tcp out ipsec description “IPsec on all outbound TCP” admin-state enable
-> ipsec policy tcp_in source 3ffe:1:1:1::1 destination 3ffe:1:1:1:99 protocol
tcp in ipsec description “IPsec on all inbound TCP” admin-state enable
The above commands configure a bi-directional IPsec policy for IPv6 traffic destined to or from the
specified IPv6 addresses and indicates the traffic should be processed using IPsec.
Prefixes can also be used when configuring a policy to match a range of addresses as shown below:
-> ipsec policy tcp_in source 3ffe::/16 destination 4ffe::/16 protocol tcp in ipsec
description “Any 3ffe to any 4ffe” admin-state enable
To Next Page
Loading...
Need help?
General
