Configure IPsec Tunnels on Fabric IPsec Gateway VM
About this task
Perform this procedure to configure IPsec tunnels on Fabric IPsec Gateway Virtual Machine (VM).
Procedure
Example
Configure parameters for IPsec tunnel on Fabric IPsec Gateway VM:
Switch:1> enable Switch:1# virtual-service figw console Connected to domain figw Escape character is ^Y <cr> FIGW> set ipsec 1 ipsec-dest-ip 192.0.2.5 FIGW> set ipsec 1 mtu 1950 FIGW> set ipsec 1 auth-key abcd FIGW> set ipsec 1 tunnel-name Tunnel-to-BEB2 FIGW> set ipsec 1 fe-tunnel-dest-ip 192.0.2.15 FIGW> set ipsec 1 esp aes256gcm16-sha256 FIGW> set ipsec 1 admin-state enable
Variable Definitions
The following table defines parameters for the set ipsec command.
Variable | Value |
---|---|
<1-255> | Specifies the unique ID for the IPsec tunnel. |
admin-state <enable | disable> | Enables or disables IPsec on the specific IPsec tunnel. |
auth-key WORD <1-32> | Specifies the pre-shared authentication key. Note:
Do not use special characters ?, \, &, <, >, #. |
encryption-key-length <128 | 256> |
Specifies the encryption key length for the IPsec tunnel. The default encryption key length is 128. As a best practice, use the newer esp parameter instead; the encryption-key-length parameter remains for backward compatibility. |
esp <aes128gcm16-sha256 | aes256-sha256 | aes256gcm16-sha256> |
Specifies the ESP cipher suites for the IPsec tunnel. The default is aes128gcm16-sha256. aes256-sha256 is not supported in the current release. |
fe-tunnel-dest-ip {A.B.C.D} |
Specifies the destination IP address for Fabric Extend (FE) tunnel. |
ipsec-dest-ip {A.B.C.D} |
Specifies the destination IP address for IPsec tunnel. |
mtu <1300-9000 |
Specifies the Maximum Transmission Unit (MTU) value for the FE tunnel with both IPsec and fragmentation and assembly capabilities. |
responder-only <true | false> |
Specifies if the IPsec session in the FE tunnel will be in responder only mode or initiator mode. When in responder mode the FE tunnel will only respond to the incoming request and not initiate the IPsec connection. By default both sides of IPSec connection will be initiators in the FE tunnel. Configure the IPsec tunnel to be in responder only mode when there is Network Address Translation (NAT) between the IPsec connection. Note: IPsec Network
Address Translation (NAT) is not supported on 5720 Series.
|
tunnel-name WORD <1-64> |
Specifies a name for the IPsec tunnel. |
egress-shaping-rate <1-1000> |
Specifies the egress shaper rate for the IPsec tunnel. |