Optional Ike Parameter Configuration - Cisco MDS 9000 Series Configuration Manual

Configuring IPSec Network Security

Cisco MDS 9000 Series Security Configuration Guide, Release 8.x

Step 20

switch(config-ike-ipsec-policy)# no authentication

Reverts to the default (pre-share).

Note
• When the authentication method is rsa-sig, make sure the identity hostname is configured for IKE because the IKE certificate has a subject name of the FQDN type.
• Before you downgrade to Cisco MDS NX-OS Release 5.2(x), unconfigure the preshared key. Once downgrading is complete, reconfigure the preshared key using the key key-name hostname host or key key-name address ip-address commands.

Optional IKE Parameter Configuration

You can optionally configure the following parameters for the IKE feature:
• The lifetime association within each policy—The lifetime ranges from 600 to 86,400 seconds. The default is 86,400 seconds (equals one day). The lifetime association within each policy is configured when you are creating an IKE policy. See Configuring an IKE Policy, on page 179.
• The keepalive time for each peer if you use IKEv2—The keepalive ranges from 120 to 86,400 seconds. The default is 3,600 seconds (equals one hour).
• The initiator version for each peer—IKE v1 or IKE v2 (default). Your choice of initiator version does not affect interoperability when the remote device initiates the negotiation. Configure this option if the peer device supports IKEv1 and you can play the initiator role for IKE with the specified device. Use the following considerations when configuring the initiator version with FCIP tunnels:
  • If the switches on both sides of an FCIP tunnel are running MDS SAN-OS Release 3.0(1) or later, or Cisco NX-OS 4.1(1), you must configure initiator version IKEv1 on both sides of an FCIP tunnel to use only IKEv1. If one side of an FCIP tunnel is using IKEv1 and the other side is using IKEv2, the FCIP tunnel uses IKEv2.
  • If the switch on one side of an FCIP tunnel is running MDS SAN-OS Release 3.0(1) or later, or Cisco NX-OS 4.1(1b), and the switch on the other side of the FCIP tunnel is running MDS SAN-OS Release 2.x, configuring IKEv1 on either side (or both) results in the FCIP tunnel using IKEv1.

Note
Only IKE v1 is supported to build IPsec between 2.x and 3.x MDS switches.
To use RSA signatures for authentication, you must configure identity authentication mode using the FQDN (see Step 3).
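The ranges, defaults and FCIP initiator-version rules above are easy to get wrong when reviewing a peer's IKE settings before a change window. The following Python is an added example, not Cisco code and not part of the configuration guide: it encodes those stated constraints as a pre-deployment check. The `IkePeerConfig` container, the `validate` and `fcip_tunnel_ike_version` helpers, and the release labels `"2.x"` (MDS SAN-OS 2.x) and `"3.x+"` (SAN-OS 3.0(1) or later, or NX-OS 4.1(1)) are assumptions made for this example.

```python
"""Pre-deployment sanity check for optional Cisco MDS IKE parameters.

Added example (not Cisco's code). Encodes the ranges, defaults and FCIP
initiator-version behaviour stated in the "Optional IKE Parameter
Configuration" section so a reviewer can check a peer config offline.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ranges and defaults in seconds, as stated in the guide.
LIFETIME_RANGE = (600, 86_400)     # default 86,400 s = one day
KEEPALIVE_RANGE = (120, 86_400)    # default 3,600 s = one hour; applies with IKEv2
DEFAULT_LIFETIME = 86_400
DEFAULT_KEEPALIVE = 3_600

# Hypothetical release labels used only by this example.
RELEASE_LEGACY = "2.x"    # MDS SAN-OS Release 2.x
RELEASE_MODERN = "3.x+"   # SAN-OS 3.0(1) or later, or Cisco NX-OS 4.1(1)


@dataclass
class IkePeerConfig:
    """Hypothetical container for one peer's optional IKE settings."""
    lifetime: int = DEFAULT_LIFETIME
    keepalive: int = DEFAULT_KEEPALIVE
    initiator_version: int = 2          # IKEv2 is the default initiator version
    authentication: str = "pre-share"   # "pre-share" (default) or "rsa-sig"
    identity_hostname: bool = False     # True if 'identity hostname' (FQDN) is set


def validate(cfg: IkePeerConfig) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []
    lo, hi = LIFETIME_RANGE
    if not lo <= cfg.lifetime <= hi:
        problems.append(f"lifetime {cfg.lifetime}s is outside {lo}-{hi}s")
    lo, hi = KEEPALIVE_RANGE
    if not lo <= cfg.keepalive <= hi:
        problems.append(f"keepalive {cfg.keepalive}s is outside {lo}-{hi}s")
    if cfg.initiator_version not in (1, 2):
        problems.append(f"initiator version {cfg.initiator_version} is neither IKEv1 nor IKEv2")
    # The guide's note: rsa-sig needs an FQDN identity because the IKE
    # certificate's subject name is of the FQDN type.
    if cfg.authentication == "rsa-sig" and not cfg.identity_hostname:
        problems.append("rsa-sig authentication requires 'identity hostname' (FQDN)")
    return problems


def fcip_tunnel_ike_version(release_a: str, initiator_a: int,
                            release_b: str, initiator_b: int) -> Optional[int]:
    """Predict the IKE version an FCIP tunnel ends up using.

    Implements the two FCIP considerations from the guide:
      * both sides modern: IKEv1 only if both sides are configured IKEv1,
        otherwise the tunnel uses IKEv2;
      * one side is SAN-OS 2.x: IKEv1 on either side (or both) gives IKEv1.
    Returns None where the guide states no outcome (a 2.x peer with IKEv2
    configured on both sides; per the note only IKEv1 is supported there).
    """
    known = (RELEASE_LEGACY, RELEASE_MODERN)
    for rel in (release_a, release_b):
        if rel not in known:
            raise ValueError(f"unknown release label {rel!r}; expected one of {known}")
    for ver in (initiator_a, initiator_b):
        if ver not in (1, 2):
            raise ValueError(f"initiator version must be 1 or 2, got {ver}")

    if release_a == RELEASE_MODERN and release_b == RELEASE_MODERN:
        return 1 if (initiator_a == 1 and initiator_b == 1) else 2

    # At least one side is running SAN-OS 2.x.
    if initiator_a == 1 or initiator_b == 1:
        return 1
    return None


if __name__ == "__main__":
    # Constructed sample: a peer that would fail review on two counts.
    cfg = IkePeerConfig(lifetime=300, authentication="rsa-sig")
    for p in validate(cfg):
        print("problem:", p)
    print("tunnel IKE version:", fcip_tunnel_ike_version(RELEASE_MODERN, 1, RELEASE_MODERN, 2))
```

The `None` return is deliberate: the guide states that only IKEv1 is supported toward a 2.x switch, so a mixed tunnel with IKEv2 on both sides has no documented outcome and should be flagged for an explicit `initiator version` setting rather than silently assumed to work.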
