Configure Public Key Infrastructure for IPsec Tunnels

Note

This procedure only applies to VSP 4900 Series, VSP 7400 Series, and XA1400 Series.

Before you begin

  • Configure the Fabric Extend tunnels between the branch and hub switches.

  • Configure digital certificates on the switch using either VOSS or the Fabric IPsec Gateway virtual machine, as appropriate.

About this task

XA1400 Series, VSP 4900 Series, and VSP 7400 Series switches support IPsec authentication and encryption of Fabric Extend tunnels. On XA1400 Series the IPsec configuration is done in the VOSS CLI; on VSP 4900 Series and VSP 7400 Series it is done in the Fabric IPsec Gateway virtual machine. On all three platforms you can use a digital certificate, rather than a pre-shared key, to authenticate the IPsec tunnels.

The default IPsec authentication method for Fabric Extend tunnels is a pre-shared key. If you change the authentication method to RSA signature, the tunnels authenticate with the digital certificate installed on the switch (or on the Fabric IPsec Gateway virtual machine), so the certificate must be in place before you change the method.

Procedure

  1. On XA1400 Series, configure IPsec authentication in the VOSS CLI:
    1. Enter Layer 3 Logical IS-IS Interface Configuration mode:

      enable

      configure terminal

      logical-intf isis <1–255>

    2. Configure the authentication type as RSA signature:

      ipsec auth-method rsa-sig [cert-subject-name WORD<1-45>]

  2. On VSP 4900 Series and VSP 7400 Series, configure IPsec authentication in the Fabric IPsec Gateway virtual machine:
    1. Enter Fabric IPsec Gateway Configuration mode:

      enable

      virtual-service WORD<1-128> console

Note

      Type CTRL+Y to exit the console.

    2. Configure the authentication type as RSA signature:

      set ipsec <1-255> auth-method rsasig
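The following is an added worked example, not taken from the original page: it runs the procedure above end to end for one tunnel on each platform type, using only the commands listed in the procedure. The tunnel ID 1, the certificate subject name branch1-fe and the virtual-service name FIGW are assumed values; substitute the tunnel ID and names from your own Fabric Extend and certificate configuration. Lines beginning with # are annotations, not commands.

```text
# XA1400 Series: configure RSA-signature authentication in the VOSS CLI.
# The certificate whose subject name is branch1-fe must already be installed
# (see "Before you begin"). Omit cert-subject-name to use the default subject
# name, Global.
enable
configure terminal
logical-intf isis 1
ipsec auth-method rsa-sig cert-subject-name branch1-fe
exit

# VSP 4900 Series / VSP 7400 Series: configure the same thing from the
# Fabric IPsec Gateway virtual machine console. FIGW is the assumed name of
# the virtual service; 1 is the tunnel ID.
enable
virtual-service FIGW console
set ipsec 1 auth-method rsasig
# Press CTRL+Y to leave the console and return to the VOSS CLI.
```

Apply the change to both ends of each tunnel, the branch switch and the hub switch, because the tunnel only comes up when both peers authenticate the same way; a branch left on the default pre-shared key will not authenticate against a hub that now expects an RSA signature. If you specify cert-subject-name, the value must match the subject name of a certificate that is actually installed on that switch.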

Variable Definitions

The following table defines parameters for the ipsec auth-method command (VOSS CLI, XA1400 Series) and the set ipsec command (Fabric IPsec Gateway, VSP 4900 Series and VSP 7400 Series).

Variable

Value

<1-255>

Specifies the tunnel ID.

<subject-label>

Specifies the subject identity.

cert-subject-name WORD<1-45>

Specifies the subject name of the digital certificate to use as the identity certificate. If you do not specify a subject name, the default certificate subject name, Global, is used.