Configure IP security (IPsec) over wire encryption


Beginning with ONTAP 9.8, ONTAP uses the IPsec protocol in transport mode to ensure data is continuously secure and encrypted, even while in transit. IPsec offers data encryption for all IP traffic including the NFS, iSCSI, and SMB protocols. IPsec provides the only encryption in flight option for iSCSI traffic.

Beginning with ONTAP 9.10.1, you can use either pre-shared keys (PSKs) or certificates for authentication with IPsec. Previously, only PSKs were supported with IPsec.

After IPsec is configured, network traffic between the client and ONTAP is protected with preventive measures to combat replay and man-in-the-middle (MITM) attacks.

For encrypting NetApp SnapMirror and cluster peering traffic, cluster peering encryption (CPE), which is based on transport layer security (TLS), is still recommended over IPsec for in-transit (over the wire) protection, because TLS has better performance than IPsec.

While IPsec capability is enabled on the cluster, the network requires a Security Policy Database (SPD) entry to match the to-be-protected traffic and to specify protection details (such as cipher suite and authentication method) before traffic can flow. A corresponding SPD entry is also needed on each client. The SPD requirement applies to both the PSK and the certificate authentication methods.

Enable IPsec on the cluster

You can enable IPsec on the cluster to ensure data is continuously secure and encrypted, even while in transit.

  1. Discover if IPsec is enabled already:

    security ipsec config show

    If the result includes IPsec Enabled: false, proceed to the next step.

  2. Enable IPsec:

    security ipsec config modify -is-enabled true

  3. Run the discovery command again:

    security ipsec config show

    The result now includes IPsec Enabled: true.

Preparing for IPsec policy creation with certificate authentication

You can skip this step if you are only using pre-shared keys (PSKs) for authentication and will not use certificate authentication.

Before creating an IPsec policy that uses certificates for authentication, you must ensure that the following prerequisites are met:

  • Both ONTAP and the client must have the other party’s CA certificate installed so that the end entity (either ONTAP or the client) certificates are verifiable by both sides

  • A certificate is installed for the ONTAP LIF that participates in the policy

Note ONTAP LIFs can share certificates. A one-to-one mapping between certificates and LIFs is not required.
  1. You must install all CA certificates used during the mutual authentication, including both ONTAP-side and client-side CAs, to ONTAP certificate management unless they are already installed (as is the case for an ONTAP self-signed root CA).
    Sample command
    cluster::> security certificate install -vserver svm_name -type server-ca -cert-name my_ca_cert

  2. To ensure that the CA installed is within the IPsec CA searching path during authentication, add the ONTAP certificate management CAs to the IPsec module using the “security ipsec ca-certificate add” command.
    Sample command
    cluster::> security ipsec ca-certificate add -vserver svm_name -ca-certs my_ca_cert

  3. Create and install a certificate for use by the ONTAP LIF. The issuer CA of this certificate must already be installed to ONTAP and added to IPsec.
    Sample command
    cluster::> security certificate install -vserver svm_name -type server -cert-name my_nfs_server_cert

For more information about certificates in ONTAP, see the security certificate commands in the ONTAP 9 documentation.

Define the security policy database (SPD)

IPsec requires an SPD entry before allowing traffic to flow on the network. This is true whether you are using a PSK or a certificate for authentication.

  1. Use the security ipsec policy create command to:

    1. Select the ONTAP IP address or subnet of IP addresses to participate in the IPsec transport.

    2. Select the client IP addresses that will connect to the ONTAP IP addresses.

      Note The client must support Internet Key Exchange version 2 (IKEv2) with a pre-shared key (PSK).
    3. Optional. Select the upper layer protocols (UDP, TCP, ICMP, etc.), the local port numbers, and the remote port numbers to protect. The corresponding parameters are protocols, local-ports, and remote-ports, respectively.

      Skip this step to protect all traffic between the ONTAP IP address and client IP address. Protecting all traffic is the default.

    4. Enter either PSK or PKI for the auth-method parameter, depending on the desired authentication method.

      1. If you enter PSK, after finishing all other optional parameters, hit <enter> at the prompt to enter and verify the pre-shared key.

      2. If you enter PKI, you must also enter the cert-name, local-identity, and remote-identity parameters. If the remote side certificate’s identity is unknown or if multiple client identities are expected, enter the special word ANYTHING.

Sample command for PSK authentication
security ipsec policy create -vserver <vs1> -name <test34> -local-ip-subnets <> -remote-ip-subnets <>
Enter the preshared key for IPsec Policy _test34_ on Vserver _vs1_:
Sample command for certificate authentication
security ipsec policy create -vserver vs1 -name test34 -local-ip-subnets -remote-ip-subnets -local-ports 2049 -protocols tcp -auth-method PKI -cert-name my_nfs_server_cert -local-identity CN=netapp.ipsec.lif1.vs0 -remote-identity ANYTHING

IP traffic cannot flow between the client and server until both ONTAP and the client have set up matching IPsec policies, and authentication credentials (either PSK or certificate) are in place on both sides. For details, see the client side’s IPsec configuration.

Use IPsec identities

For the pre-shared key authentication method, identities are optional unless required by an IPsec client (such as Libreswan). For the PKI/certificate authentication method, both local and remote identities are mandatory. The identities specify what identity is certified within each side’s certificate and are used in the verification process. If the remote-identity is unknown or if it could be many different identities, use the special identity ANYTHING.

About this task

Within ONTAP, identities are specified by modifying the SPD entry or during SPD policy creation. An identity can be an IP address or a string-format identity name.

To modify an existing SPD’s identity settings, use the following command:

security ipsec policy modify

Sample command

security ipsec policy modify -vserver vs1 -name test34 -local-identity -remote-identity

IPsec multiple client configuration

When a small number of clients need to leverage IPsec, using a single SPD entry for each client is sufficient. However, when hundreds or even thousands of clients need to leverage IPsec, NetApp recommends using an IPsec multiple client configuration.

About this task

ONTAP supports connecting multiple clients across many networks to a single SVM IP address with IPsec enabled. You can accomplish this using one of the following methods:

  • Subnet configuration

    To allow all clients on a particular subnet ( for example) to connect to a single SVM IP address using a single SPD policy entry, you must specify the remote-ip-subnets in subnet form. Additionally, you must specify the remote-identity field with the correct client side identity.

Note When using a single policy entry in a subnet configuration, IPsec clients in that subnet share the IPsec identity and pre-shared key (PSK). However, this is not true with certificate authentication. When using certificates each client can use either their own unique certificate or a shared certificate to authenticate. ONTAP IPsec checks the validity of the certificate based on the CAs installed on its local trust store. ONTAP also supports certificate revocation list (CRL) checking.
  • Allow all clients configuration

    To allow any client, regardless of their source IP address, to connect to the SVM IPsec-enabled IP address, use the wild card when specifying the remote-ip-subnets field.

    Additionally, you must specify the remote-identity field with the correct client side identity. For certificate authentication, you can enter ANYTHING.

    Also, when the wild card is used, you must configure a specific local or remote port number to use. For example, NFS port 2049.

    1. Use one of the following commands to configure IPsec for multiple clients:

      1. If you are using a subnet configuration to support multiple IPsec clients:

        security ipsec policy create -vserver vserver_name -name policy_name -local-ip-subnets IPsec_IP_address/32 -remote-ip-subnets IP_address/subnet -local-identity local_id -remote-identity remote_id

        Sample command

        security ipsec policy create -vserver vs1 -name subnet134 -local-ip-subnets -remote-ip-subnets -local-identity ontap_side_identity -remote-identity client_side_identity

      2. If you are using an allow all clients configuration to support multiple IPsec clients:

        security ipsec policy create -vserver vserver_name -name policy_name -local-ip-subnets IPsec_IP_address/32 -remote-ip-subnets -local-ports port_number -local-identity local_id -remote-identity remote_id

        Sample command

        security ipsec policy create -vserver vs1 -name test35 -local-ip-subnets IPsec_IP_address/32 -remote-ip-subnets -local-ports 2049 -local-identity ontap_side_identity -remote-identity client_side_identity
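The SPD rules stated in the policy creation procedure (under "Define the security policy database") and in the subnet and allow-all layouts above can be checked before a command is typed into the cluster shell. The following pre-flight checker is an added example, not NetApp code or ONTAP output: it models one `security ipsec policy create` entry, reports the rule violations this page describes (PKI needs cert-name, local-identity and remote-identity; a subnet or wildcard remote-ip-subnets needs remote-identity; a wildcard also needs a local or remote port; multi-client layouts use a single /32 local address), and renders the command line. The spelling of the wildcard as 0.0.0.0/0, the comma-separated rendering of list-valued parameters, and all addresses are assumptions or constructed values, not taken from the page.

```python
"""Pre-flight check for an ONTAP 'security ipsec policy create' entry.

Added example (not NetApp code). Encodes the SPD rules this page states.
Assumptions not taken from the page: the wildcard remote subnet is written
0.0.0.0/0 (or ::/0), and list-valued parameters are rendered comma-separated.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress


@dataclass
class IpsecPolicy:
    vserver: str
    name: str
    local_ip_subnet: str          # ONTAP LIF address, e.g. 192.0.2.10/32 (constructed)
    remote_ip_subnet: str         # single client, subnet, or wildcard
    auth_method: str = "PSK"      # "PSK" or "PKI"
    protocols: list[str] = field(default_factory=list)
    local_ports: list[int] = field(default_factory=list)
    remote_ports: list[int] = field(default_factory=list)
    cert_name: str | None = None
    local_identity: str | None = None
    remote_identity: str | None = None   # "ANYTHING" accepts any client identity


def validate(p: IpsecPolicy) -> list[str]:
    """Return the list of rule violations; an empty list means the entry is consistent."""
    try:
        local = ipaddress.ip_network(p.local_ip_subnet, strict=False)
        remote = ipaddress.ip_network(p.remote_ip_subnet, strict=False)
    except ValueError as exc:
        return [f"bad subnet: {exc}"]
    problems: list[str] = []
    if p.auth_method not in ("PSK", "PKI"):
        problems.append("auth-method must be PSK or PKI")
    if p.auth_method == "PKI":
        # Certificate authentication needs the LIF certificate and both identities.
        for attr in ("cert_name", "local_identity", "remote_identity"):
            if not getattr(p, attr):
                problems.append(f"PKI requires {attr.replace('_', '-')}")
    multi_client = remote.num_addresses > 1   # subnet or wildcard layout
    wildcard = remote.prefixlen == 0          # assumed 0.0.0.0/0 or ::/0
    if multi_client and not p.remote_identity:
        problems.append("subnet/wildcard remote-ip-subnets requires remote-identity")
    if wildcard and not (p.local_ports or p.remote_ports):
        problems.append("wildcard remote-ip-subnets requires a local or remote port")
    if multi_client and local.num_addresses != 1:
        problems.append("multi-client layout expects a single host address (/32) in local-ip-subnets")
    return problems


def build_command(p: IpsecPolicy) -> str:
    """Render the cluster-shell command. A PSK is never placed on the command
    line: ONTAP prompts for it after the command is entered."""
    parts = ["security", "ipsec", "policy", "create",
             "-vserver", p.vserver, "-name", p.name,
             "-local-ip-subnets", p.local_ip_subnet,
             "-remote-ip-subnets", p.remote_ip_subnet,
             "-auth-method", p.auth_method]
    if p.protocols:
        parts += ["-protocols", ",".join(p.protocols)]
    if p.local_ports:
        parts += ["-local-ports", ",".join(map(str, p.local_ports))]
    if p.remote_ports:
        parts += ["-remote-ports", ",".join(map(str, p.remote_ports))]
    if p.cert_name:
        parts += ["-cert-name", p.cert_name]
    if p.local_identity:
        parts += ["-local-identity", p.local_identity]
    if p.remote_identity:
        parts += ["-remote-identity", p.remote_identity]
    return " ".join(parts)


if __name__ == "__main__":
    # Allow-all NFS policy with certificate authentication; the LIF address is constructed.
    nfs = IpsecPolicy("vs1", "test34", "192.0.2.10/32", "0.0.0.0/0", auth_method="PKI",
                      protocols=["tcp"], local_ports=[2049], cert_name="my_nfs_server_cert",
                      local_identity="CN=netapp.ipsec.lif1.vs0", remote_identity="ANYTHING")
    print(validate(nfs) or "policy is consistent")
    print(build_command(nfs))
```

The checker is deliberately stricter than the cluster shell in one respect: it refuses a subnet layout without a remote-identity for PSK as well as PKI, because a shared PSK across a subnet without an identity leaves nothing to distinguish clients at negotiation time.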

IPsec statistics

Through negotiation, a security channel called an IKE Security Association (SA) can be established between the ONTAP SVM IP address and the client IP address. IPsec SAs are installed on both endpoints to do the actual data encryption and decryption work.

You can use statistics commands to check the status of both IPsec SAs and IKE SAs.

Sample commands

IKE SA sample command and output:

security ipsec show-ikesa -node hosting_node_name_for_svm_ip


cluster1::> security ipsec show-ikesa -node cluster1-node1
            Policy Local           Remote
Vserver     Name   Address         Address         Initator-SPI     State
----------- ------ --------------- --------------- ---------------- -----------
vs1         test34
           c764f9ee020cec69 ESTABLISHED

IPsec SA sample command and output:

security ipsec show-ipsecsa -node hosting_node_name_for_svm_ip

cluster1::> security ipsec show-ipsecsa -node cluster1-node1
            Policy  Local           Remote          Inbound  Outbound
Vserver     Name    Address         Address         SPI      SPI      State
----------- ------- --------------- --------------- -------- -------- ---------
vs1         test34
            c4c5b3d6 c2515559 INSTALLED
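Both tables above are what an operator reads to confirm that negotiation succeeded (IKE SA ESTABLISHED) and that traffic protection is actually in place (IPsec SA INSTALLED). The following parser is an added example, not NetApp code: it reassembles the wrapped rows the cluster shell prints, and flags IKE SAs that are not ESTABLISHED as well as ESTABLISHED IKE SAs with no INSTALLED IPsec SA for the same vserver, policy and peer. The two outputs embedded below are constructed in the layout shown on this page; the addresses, SPIs, the NEGOTIATING state value, and the "entries were displayed." footer line are sample data, not captured from a cluster.

```python
"""Parse ONTAP 'security ipsec show-ikesa' / 'show-ipsecsa' output and flag
security associations that are not up.

Added example (not NetApp code). The sample outputs are constructed in the
row layout this page shows; addresses, SPIs and the NEGOTIATING state are
made-up values. Header lines are copied as the page prints them.
"""
from __future__ import annotations

IKESA_FIELDS = ("vserver", "policy", "local", "remote", "initiator_spi", "state")
IPSECSA_FIELDS = ("vserver", "policy", "local", "remote",
                  "inbound_spi", "outbound_spi", "state")

IKESA_SAMPLE = """\
cluster1::> security ipsec show-ikesa -node cluster1-node1
            Policy Local           Remote
Vserver     Name   Address         Address         Initator-SPI     State
----------- ------ --------------- --------------- ---------------- -----------
vs1         test34 192.0.2.10      198.51.100.25
                                                   c764f9ee020cec69 ESTABLISHED
vs1         test35 192.0.2.10      198.51.100.26
                                                   0f1e2d3c4b5a6978 NEGOTIATING
vs1         test36 192.0.2.10      198.51.100.27
                                                   1122334455667788 ESTABLISHED
3 entries were displayed.
"""

IPSECSA_SAMPLE = """\
cluster1::> security ipsec show-ipsecsa -node cluster1-node1
            Policy  Local           Remote          Inbound  Outbound
Vserver     Name    Address         Address         SPI      SPI      State
----------- ------- --------------- --------------- -------- -------- ---------
vs1         test34  192.0.2.10      198.51.100.25
                                                    c4c5b3d6 c2515559 INSTALLED
"""


def parse_sa_table(text: str, fields: tuple[str, ...]) -> list[dict[str, str]]:
    """Turn a clustershell table into dicts. Rows are reassembled by counting
    whitespace-separated tokens: no column value contains spaces, and a row
    that was wrapped simply continues on the next line."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("---")) + 1
    except StopIteration:
        raise ValueError("column separator line not found")
    rows: list[dict[str, str]] = []
    buf: list[str] = []
    for line in lines[start:]:
        if not line.strip():
            continue
        if line.strip().endswith("displayed."):   # clustershell footer, end of table
            break
        buf.extend(line.split())
        if len(buf) > len(fields):
            raise ValueError(f"row has more tokens than columns: {buf}")
        if len(buf) == len(fields):
            rows.append(dict(zip(fields, buf)))
            buf = []
    if buf:
        raise ValueError(f"truncated row at end of output: {buf}")
    return rows


def check_ipsec_health(ikesa_text: str, ipsecsa_text: str) -> list[str]:
    """Report IKE SAs that are not ESTABLISHED, and ESTABLISHED IKE SAs that
    have no INSTALLED IPsec SA for the same vserver, policy and peer (the
    negotiation succeeded but no data protection is in place)."""
    ike = parse_sa_table(ikesa_text, IKESA_FIELDS)
    esp = parse_sa_table(ipsecsa_text, IPSECSA_FIELDS)
    installed = {(r["vserver"], r["policy"], r["remote"])
                 for r in esp if r["state"] == "INSTALLED"}
    findings: list[str] = []
    for r in ike:
        key = (r["vserver"], r["policy"], r["remote"])
        where = f"IKE SA {r['vserver']}/{r['policy']} peer {r['remote']}"
        if r["state"] != "ESTABLISHED":
            findings.append(f"{where}: state {r['state']}")
        elif key not in installed:
            findings.append(f"{where}: no INSTALLED IPsec SA")
    return findings


if __name__ == "__main__":
    for finding in check_ipsec_health(IKESA_SAMPLE, IPSECSA_SAMPLE):
        print(finding)
```

In practice the two strings would be the captured output of the commands shown above; the token-counting approach is what makes the wrapped two-line rows parse correctly, and it fails loudly rather than silently misaligning columns if a row has too many or too few tokens.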