
Tips and Pitfalls: IPSEC and CA

  1. domain-name and hostname must be set prior to certificate generation

  2. If you revoke a certificate you need to zeroize the RSA keypair

  3. OCSP must be used for real-time revocation checking

  4. You can define multiple trustpoints

  5. When keys are exported, the CA certificate and RSA keypair are exported with them

  6. IPSEC is configured on Gigabit interfaces, not Port-Channels or FCIP interfaces

  7. IPSEC with digital certificates requires identity hostname

  8. MS iSCSI Initiator IKE uses 3DES, SHA or MD5 and DH 2

  9. MS iSCSI Initiator IPSec uses 3DES, SHA-1

  10. Cisco iSCSI Initiator IKE uses 3DES, MD5, DH1

  11. Cisco iSCSI IPSec uses 3DES, MD5

  12. If the peer IP address specified in the crypto map entry is a VRRP IP address on a remote Cisco MDS switch, ensure that the IP address is created using the secondary option
