5720-24MXW and 5720-48MXW switches support IPsec authentication and encryption of Fabric Extend tunnels using Fabric IPsec Gateway. The default method for IPsec authentication is a pre-shared key, which is easy to configure, but does not scale well and is less secure than a certificate. You can use a digital certificate, instead of a pre-shared key, to authenticate IPsec for Fabric Extend.
Consider a hub and spoke topology with two branch locations. The network carries both private traffic and encrypted IPsec traffic. To use Public Key Infrastructure (PKI) with IPsec Fabric Extend technology, every device must obtain a digitally signed certificate. The CA server can reside on a public network or an internal network, as long as the devices can reach it. Each device must be configured with a profile for the CA server. The switch uses Simple Certificate Enrollment Protocol (SCEP) to enroll with the CA and obtain its trusted, signed certificate.
5720-24MXW and 5720-48MXW support digital certificate configuration through the Fabric IPsec Gateway virtual machine. Fabric IPsec Gateway supports both offline and online certificate management simultaneously. Use offline certificate management if the switches cannot communicate with the CA.
Fabric IPsec Gateway supports multiple CA trustpoints and multiple identity (subject) certificates, so you can use different certificates for different IPsec tunnels. Because each tunnel validates its peer against its own trustpoint, the gateway acts as a hub that keeps separate IPsec domains isolated from one another.
To use IPsec with digital certificates:
1. Configure the Fabric Extend tunnels.
2. Configure the authentication method as RSA-signature. For more information, see Configure Public Key Infrastructure for IPsec Tunnels.
3. Configure certificate information in Fabric IPsec Gateway. For information about certificate configuration, see Extreme Integrated Application Hosting for Fabric IPsec Gateway virtual machine configuration.