Configure IP security in ONTAP
There are several tasks you need to perform to configure and activate IPsec in-flight encryption on your ONTAP cluster.
Make sure to review Prepare to use IP security before configuring IPsec. For example, you might need to decide whether to use the IPsec hardware offload feature available beginning with ONTAP 9.16.1.
Enable IPsec on the cluster
You can enable IPsec on the cluster to ensure data is continuously encrypted and secure while in transit.
- Check whether IPsec is already enabled:
  security ipsec config show
  If the output includes "IPsec Enabled: false", proceed to the next step.
- Enable IPsec:
  security ipsec config modify -is-enabled true
  You can enable the IPsec hardware offload feature with the boolean parameter -is-offload-enabled.
- Run the discovery command again:
  security ipsec config show
  The output now includes "IPsec Enabled: true".
Prepare for IPsec policy creation with certificate authentication
You can skip this step if you are only using pre-shared keys (PSKs) for authentication and will not use certificate authentication.
Before creating an IPsec policy that uses certificates for authentication, you must verify that the following pre-requisites are met:
- Both ONTAP and the client must have the other party's CA certificate installed, so that the end-entity certificates (ONTAP's and the client's) are verifiable by both sides.
- A certificate is installed for the ONTAP LIF that participates in the policy. ONTAP LIFs can share certificates; a one-to-one mapping between certificates and LIFs is not required.
Steps
- Install all CA certificates used during the mutual authentication, both ONTAP-side and client-side CAs, into ONTAP certificate management unless they are already installed (as is the case for an ONTAP self-signed root CA).
  Sample command:
  cluster::> security certificate install -vserver svm_name -type server-ca -cert-name my_ca_cert
- To make sure the installed CA is within the IPsec CA search path during authentication, add the CAs from ONTAP certificate management to the IPsec module using the security ipsec ca-certificate add command.
  Sample command:
  cluster::> security ipsec ca-certificate add -vserver svm_name -ca-certs my_ca_cert
- Create and install a certificate for use by the ONTAP LIF. The issuer CA of this certificate must already be installed in ONTAP and added to IPsec.
  Sample command:
  cluster::> security certificate install -vserver svm_name -type server -cert-name my_nfs_server_cert
For more information about certificates in ONTAP, see the security certificate commands in the ONTAP 9 documentation.
Define the security policy database (SPD)
IPsec requires an SPD entry before allowing traffic to flow on the network. This is true whether you are using a PSK or a certificate for authentication.
- Use the security ipsec policy create command to:
  - Select the ONTAP IP address or subnet of IP addresses to participate in the IPsec transport.
  - Select the client IP addresses that will connect to the ONTAP IP addresses. The client must support Internet Key Exchange version 2 (IKEv2) with the authentication method the policy uses, either a pre-shared key (PSK) or certificates.
  - Optional: select fine-grained traffic parameters, such as the upper-layer protocols (UDP, TCP, ICMP, etc.), the local port numbers and the remote port numbers, to limit which traffic is protected. The corresponding parameters are protocols, local-ports and remote-ports respectively. Skip this step to protect all traffic between the ONTAP IP address and the client IP address; protecting all traffic is the default.
  - Enter PSK or PKI (public-key infrastructure) for the auth-method parameter, depending on the desired authentication method.
    - If you enter PSK, include the parameters, then press Enter at the prompt to enter and verify the pre-shared key. The local-identity and remote-identity parameters are optional if both host and client use strongSwan and no wildcard policy is selected for the host or client.
    - If you enter PKI, you also need to enter the cert-name, local-identity and remote-identity parameters. If the remote-side certificate identity is unknown, or if multiple client identities are expected, enter the special identity ANYTHING.
Sample commands
PSK authentication (the default) for all traffic between the two hosts:
security ipsec policy create -vserver vs1 -name test34 -local-ip-subnets 192.168.134.34/32 -remote-ip-subnets 192.168.134.44/32
Enter the preshared key for IPsec Policy _test34_ on Vserver _vs1_:
PKI authentication, limited to TCP traffic to local port 2049 (NFS):
security ipsec policy create -vserver vs1 -name test34 -local-ip-subnets 192.168.134.34/32 -remote-ip-subnets 192.168.134.44/32 -local-ports 2049 -protocols tcp -auth-method PKI -cert-name my_nfs_server_cert -local-identity CN=netapp.ipsec.lif1.vs0 -remote-identity ANYTHING
IP traffic cannot flow between the client and server until both ONTAP and the client have set up the matching IPsec policies, and authentication credentials (either PSK or certificate) are in place on both sides.
Use IPsec identities
For the pre-shared key authentication method, local and remote identities are optional if both host and client use strongSwan and no wildcard policy is selected for the host or client.
For the PKI/certificate authentication method, both local and remote identities are mandatory. The identities specify what identity is certified within each side's certificate and are used in the verification process. If the remote identity is unknown, or if it could be one of many different identities, use the special identity ANYTHING.
Within ONTAP, identities are specified during SPD policy creation or by modifying the SPD entry afterwards. An identity can be an IP address or a string-format identity name.
- Use the security ipsec policy modify command to change the identity settings of an existing SPD entry:
  security ipsec policy modify -vserver vs1 -name test34 -local-identity 192.168.134.34 -remote-identity client.fooboo.com
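The ONTAP side of the SPD is only half of the configuration; as the note above says, traffic does not flow until the client holds a matching policy and credentials. The following swanctl.conf is an added example of the client-side strongSwan counterpart to the two sample policies (the PSK policy test34, and its PKI variant restricted to TCP port 2049) and to the identity settings in this section. It is not part of the ONTAP documentation or of NetApp's or strongSwan's own material. Assumed, not taken from the page: the client address 192.168.134.44 acts as IKE initiator, the client identity client.fooboo.com (reused from the modify example above) is the subject of the client certificate, ONTAP's IPsec runs in transport mode, the file names client.pem and the PSK placeholder are hypothetical, and IKE/ESP proposals are left at strongSwan's defaults.

```conf
# /etc/swanctl/swanctl.conf (strongSwan 5.x, swanctl format).
# Added example for the ONTAP sample policies on this page; not from the page.
# Assumptions (not stated on the page): transport mode, initiator role,
# default IKE/ESP proposals, hypothetical file names and PSK value.
#
# Certificate placement for the PKI connection (strongSwan conventions):
#   /etc/swanctl/x509ca/  -> CA that issued ONTAP's my_nfs_server_cert
#                            (the "other party's CA" prerequisite above)
#   /etc/swanctl/x509/    -> client.pem, issued by a CA that was added on
#                            ONTAP with "security ipsec ca-certificate add"
#   /etc/swanctl/private/ -> the client's private key

connections {

    # Counterpart of:
    #   security ipsec policy create -vserver vs1 -name test34
    #     -local-ip-subnets 192.168.134.34/32 -remote-ip-subnets 192.168.134.44/32
    # PSK authentication, all traffic between the two hosts.
    ontap-psk {
        version = 2                        # ONTAP requires IKEv2
        local_addrs  = 192.168.134.44
        remote_addrs = 192.168.134.34
        local {
            auth = psk
            id = client.fooboo.com         # what ONTAP sees as -remote-identity
        }
        remote {
            auth = psk
            id = 192.168.134.34            # ONTAP -local-identity (IP-address form)
        }
        children {
            all-traffic {
                local_ts  = 192.168.134.44/32
                remote_ts = 192.168.134.34/32
                mode = transport           # assumption: host-to-host transport mode
                start_action = trap        # install the SPD entry; negotiate on first packet
            }
        }
    }

    # Counterpart of the PKI sample:
    #   ... -local-ports 2049 -protocols tcp -auth-method PKI
    #       -cert-name my_nfs_server_cert
    #       -local-identity CN=netapp.ipsec.lif1.vs0 -remote-identity ANYTHING
    # ONTAP's -local-ports / -protocols selectors appear here mirrored
    # (ONTAP's local port is the client's remote port).
    ontap-nfs-pki {
        version = 2
        local_addrs  = 192.168.134.44
        remote_addrs = 192.168.134.34
        local {
            auth = pubkey
            certs = client.pem             # hypothetical client certificate
            id = "CN=client.fooboo.com"    # any identity certified in client.pem;
                                           # ONTAP accepts it because of ANYTHING
        }
        remote {
            auth = pubkey
            id = "CN=netapp.ipsec.lif1.vs0"   # must be certified in my_nfs_server_cert
        }
        children {
            nfs {
                local_ts  = 192.168.134.44/32[tcp]
                remote_ts = 192.168.134.34/32[tcp/2049]   # only NFS over TCP to the LIF
                mode = transport
                start_action = trap
            }
        }
    }
}

secrets {
    # PSK for the ontap-psk connection, keyed by the ONTAP identity.
    ike-ontap {
        id-1 = 192.168.134.34
        secret = "replace-with-the-PSK-entered-at-the-ONTAP-prompt"
    }
}
```

Load the file with `swanctl --load-all`, generate traffic (for the PKI policy, an NFS mount against 192.168.134.34), and compare `swanctl --list-sas` on the client with `security ipsec show-ikesa` and `security ipsec show-ipsecsa` on ONTAP: the IKE SA should be ESTABLISHED and the child SA INSTALLED on both ends. A selector mismatch (for example, omitting the tcp/2049 restriction on the client while ONTAP's policy has it) shows up as a successful IKE SA with a failed or missing child SA, which is the first thing to check when the IKE SA is up but traffic still does not flow.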
IPsec multiple client configuration
When a small number of clients need to leverage IPsec, using a single SPD entry for each client is sufficient. However, when hundreds or even thousands of clients need to leverage IPsec, NetApp recommends using an IPsec multiple client configuration.
ONTAP supports connecting multiple clients across many networks to a single SVM IP address with IPsec enabled. You can accomplish this using one of the following methods:
- Subnet configuration
  To allow all clients on a particular subnet (192.168.134.0/24, for example) to connect to a single SVM IP address using a single SPD policy entry, specify remote-ip-subnets in subnet form. Additionally, you must specify the remote-identity field with the correct client-side identity.
  When using a single policy entry in a subnet configuration, IPsec clients in that subnet share the IPsec identity and pre-shared key (PSK). This is not the case with certificate authentication: each client can use either its own unique certificate or a shared certificate to authenticate. ONTAP IPsec checks the validity of the certificate against the CAs installed in its local trust store. ONTAP also supports certificate revocation list (CRL) checking.
- Allow all clients configuration
  To allow any client, regardless of its source IP address, to connect to the IPsec-enabled SVM IP address, use the 0.0.0.0/0 wildcard in the remote-ip-subnets field. Additionally, you must specify the remote-identity field with the correct client-side identity; for certificate authentication, you can enter ANYTHING. Also, when the 0.0.0.0/0 wildcard is used, you must configure a specific local or remote port number, for example NFS port 2049.
Steps
- Use one of the following commands to configure IPsec for multiple clients.
  - If you are using subnet configuration to support multiple IPsec clients:
    security ipsec policy create -vserver vserver_name -name policy_name -local-ip-subnets IPsec_IP_address/32 -remote-ip-subnets IP_address/subnet -local-identity local_id -remote-identity remote_id
    Sample command:
    security ipsec policy create -vserver vs1 -name subnet134 -local-ip-subnets 192.168.134.34/32 -remote-ip-subnets 192.168.134.0/24 -local-identity ontap_side_identity -remote-identity client_side_identity
  - If you are using allow all clients configuration to support multiple IPsec clients:
    security ipsec policy create -vserver vserver_name -name policy_name -local-ip-subnets IPsec_IP_address/32 -remote-ip-subnets 0.0.0.0/0 -local-ports port_number -local-identity local_id -remote-identity remote_id
    Sample command:
    security ipsec policy create -vserver vs1 -name test35 -local-ip-subnets IPsec_IP_address/32 -remote-ip-subnets 0.0.0.0/0 -local-ports 2049 -local-identity ontap_side_identity -remote-identity client_side_identity
Display IPsec statistics
Through negotiation, a security channel called an IKE Security Association (SA) can be established between the ONTAP SVM IP address and the client IP address. IPsec SAs are installed on both endpoints to do the actual data encryption and decryption work. You can use statistics commands to check the status of both IPsec SAs and IKE SAs.
If you are using the IPsec hardware offload feature, several additional counters are displayed by the security ipsec show-ipsecsa command.
IKE SA sample command and output:
security ipsec show-ikesa -node hosting_node_name_for_svm_ip

cluster1::> security ipsec show-ikesa -node cluster1-node1
            Policy Local           Remote
Vserver     Name   Address         Address         Initator-SPI     State
----------- ------ --------------- --------------- ---------------- -----------
vs1         test34 192.168.134.34  192.168.134.44  c764f9ee020cec69 ESTABLISHED

IPsec SA sample command and output:
security ipsec show-ipsecsa -node hosting_node_name_for_svm_ip

cluster1::> security ipsec show-ipsecsa -node cluster1-node1
            Policy  Local           Remote          Inbound  Outbound
Vserver     Name    Address         Address         SPI      SPI      State
----------- ------- --------------- --------------- -------- -------- ---------
vs1         test34  192.168.134.34  192.168.134.44  c4c5b3d6 c2515559 INSTALLED