Configure Public Key Infrastructure for IPsec Tunnels

Note

This procedure only applies to VSP 4900 Series, VSP 7400 Series, and XA1400 Series.

Before you begin

Configure the Fabric Extend tunnels between the branch and hub switches.
Configure digital certificates on the switch using either VOSS or the Fabric IPsec Gateway virtual machine, as appropriate.

About this task

XA1400 Series, VSP 4900 Series, and VSP 7400 Series switches support IPsec authentication and encryption of Fabric Extend tunnels; VSP 4900 Series and VSP 7400 Series provide that support using Fabric IPsec Gateway. You can use a digital certificate to authenticate IPsec for Fabric Extend.

The default IPsec authentication method for Fabric Extend tunnels is a pre-shared key. If you configure the authentication method to RSA signature, the tunnels use the installed digital certificate.

Procedure

On XA1400 Series, configure IPsec authentication in the VOSS CLI:
1. Enter Layer 3 Logical IS-IS Interface Configuration mode:
  
  enable
  
  configure terminal
  
  logical-intf isis <1–255>
2. Configure the authentication type as RSA signature:
  
  ipsec auth-method rsa-sig [cert-subject-name WORD<1-45>]
On VSP 4900 Series and VSP 7400 Series, configure IPsec authentication in the Fabric IPsec Gateway virtual machine:
1. Enter Fabric IPsec Gateway Configuration mode:
  
  enable
  
  virtual-service WORD<1-128> console
  
  Note
  
  Type CTRL+Y to exit the console.
2. Configure the authentication type as RSA signature:
  
  set ipsec <1-255> auth-method rsasig

Variable Definitions

The following table defines parameters for the set ipsec command.


Variable	Value
<1-255>	Specifies the tunnel ID.
<subject-label>	Specifies the subject identity.
cert-subject-name`WORD<1-45>`	Specifies the digital certificate subject name to be used as the identity certificate. If a subject name is not specified, the default certificate subject name is Global.