XA1400 Series, VSP 4900 Series, and VSP 7400 Series switches support IPsec authentication and encryption of Fabric Extend tunnels; VSP 4900 Series and VSP 7400 Series provide that support using Fabric IPsec Gateway. The default method for IPsec authentication is a pre-shared key, which is easy to configure, but does not scale well and is less secure than a certificate. You can use a digital certificate, instead of a pre-shared key, to authenticate IPsec for Fabric Extend.
Consider a hub and spoke topology with two branch locations. The network carries both private traffic and encrypted IPsec traffic. To use Public Key Infrastructure (PKI) with IPsec Fabric Extend technology, all devices must acquire the digital-signed certificates. The CA server can be accessed from the devices, a public network, or an internal network. Each device must configure a profile for the CA server. The switch uses Simple Certificate Enrollment Protocol (SCEP) to obtain the trusted, signed certificates.
XA1400 Series supports digital certificate configuration through VOSS. VOSS supports both offline and online certificate management; they are mutually exclusive. Use offline certificate management if the switches cannot communicate with the certificate authority (CA).
Digital certificate support for IPsec authentication provides an alternate method to validate the CA certificate chain. You can configure the IPsec authentication type as RSA signature instead of pre-shared key.
VOSS supports only one CA server and one subject certificate.
To use IPsec with Digital Certificates for XA1400 Series:
Configure the Fabric Extend tunnels.
Configure the authentication method as RSA-signature. For more information, see Configure Public Key Infrastructure for IPsec Tunnels.
Configure certificate information in VOSS.
For information about certificate configuration, see Security.
VSP 4900 Series and VSP 7400 Series support digital certificate configuration through the Fabric IPsec Gateway virtual machine. Fabric IPsec Gateway supports both offline and online certificate management simultaneously. Use offline certificate management if the switches cannot communicate with the CA.
Fabric IPsec Gateway supports multiple CA trustpoints and multiple identity subject certificates. You can use different certificates for different IPsec tunnels. Fabric IPsec Gateway acts like a hub to isolate IPsec domains.
To use IPsec with Digital Certificates for VSP 4900 Series and VSP 7400 Series:
Configure the Fabric Extend tunnels.
Configure the authentication method as RSA-signature. For more information, see Configure Public Key Infrastructure for IPsec Tunnels.
Configure certificate information in Fabric IPsec Gateway.
For information about certificate configuration, see Extreme Integrated Application Hosting for Fabric IPsec Gateway virtual machine configuration.