# IPsec with PKI


dense thorn

Hello all! I’m about to set up an IPSec tunnel between two clusters that will be mutually backing up each other’s data via SnapMirror. I will be using the PKI option rather than a PSK for mutual authentication. Regarding the certificate types and installing them on the clusters, I have two questions.

  1. Do the certificates need any specific Key Usage/EKU values for IPSec, or will just the defaults work when creating my CSRs?

  2. When installing the certificates, which certificates fall under which cert-type? The documentation is a little difficult to understand – for each cluster, am I installing its respective certificate as a “server” or “client” certificate type? What type do I use for the cluster’s intermediate and root CA certs? What about their IPSec partner (the other NetApp)? I understand you need to have the partner’s trust chain installed as well.
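The thread does not settle the Key Usage/EKU question, so here is an added example (not from any poster, and not NetApp's own procedure) of what to ask for in the CSR and how to check it before the CA signs it. It follows RFC 4945, the PKI profile for IKE: the key usage should include digitalSignature, an EKU is not required, and if one is present it should contain id-kp-ipsecIKE (OID 1.3.6.1.5.5.7.3.17) or anyExtendedKeyUsage. Whether ONTAP imposes anything stricter is not stated in the thread; treat the NetApp documentation as authoritative for that. Host names and addresses below are placeholders, and the script assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: build and verify a CSR for an IKE (IPsec) peer certificate.
# Not from the thread or from NetApp; host names/addresses are placeholders.
# Requires OpenSSL >= 1.1.1 (for "openssl req -addext").
set -eu

# id-kp-ipsecIKE, the EKU RFC 4945 defines for IKE peers.
IPSEC_IKE_EKU_OID="1.3.6.1.5.5.7.3.17"

# make_ipsec_csr <basename> <fqdn> <ip>
# Writes <basename>.key and <basename>.csr in the current directory, asking
# the CA for digitalSignature, the IKE EKU, and a SAN matching the peer
# identity the tunnel will present.
make_ipsec_csr() {
    base=$1; fqdn=$2; ip=$3
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$base.key" -out "$base.csr" \
        -subj "/CN=$fqdn" \
        -addext "keyUsage=critical,digitalSignature" \
        -addext "extendedKeyUsage=$IPSEC_IKE_EKU_OID" \
        -addext "subjectAltName=DNS:$fqdn,IP:$ip" 2>/dev/null
}

# check_ipsec_ext <req|x509> <file>
# Use "req" for a CSR and "x509" for the issued certificate (the CA may have
# overridden the extensions you requested, so check both). Prints "ok" when
# Key Usage includes Digital Signature and, if an EKU is present, it includes
# id-kp-ipsecIKE or anyExtendedKeyUsage; otherwise prints the problem and
# returns 1.
check_ipsec_ext() {
    kind=$1; file=$2
    text=$(openssl "$kind" -in "$file" -noout -text)
    # The value of each extension is printed on the line after its name.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n1)

    case "$ku" in
        *"Digital Signature"*) ;;
        *) printf 'missing digitalSignature (keyUsage: %s)\n' "${ku:-none}"; return 1 ;;
    esac

    # RFC 4945: EKU is optional; if present it must allow IKE use.
    if [ -n "$eku" ]; then
        case "$eku" in
            *"$IPSEC_IKE_EKU_OID"*|*ipsecIKE*|*"Internet Key Exchange"*|*"Any Extended Key Usage"*) ;;
            *) printf 'EKU present but lacks id-kp-ipsecIKE: %s\n' "$eku"; return 1 ;;
        esac
    fi
    echo ok
}

# Usage:
#   make_ipsec_csr cluster1 cluster1.example.com 192.0.2.10
#   check_ipsec_ext req cluster1.csr       # before sending the CSR to the CA
#   check_ipsec_ext x509 cluster1.pem      # on the certificate the CA returns
```

The second check matters more than the first: a CA that signs with a TLS-only template will return a certificate whose EKU is "TLS Web Server Authentication" regardless of what the CSR asked for, and that is what the IKE peer will see.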

amber lake

I can’t answer the question yet, but I offer this guidance, which may help:

On each cluster create a dedicated ipspace with a dedicated vlan for the replication.
Then you only need to worry about messing around with the certificates in the ipspace-svm.

jaunty onyx

I also cannot readily answer your questions (other than guiding you to the docs on the topic), but if all you need is encrypted SnapMirror, there are easier ways to do that, namely Cluster Peer Encryption, which might make your life easier.

dense thorn

Yeah, unfortunately the CPE option only uses a pre-shared key 😕

gaunt quiver

What's wrong with using PSK for cluster peer encryption?


Simply use another channel to communicate it to the owner of the other cluster.

dense thorn

I’m confused by what you’re saying; I would like to leverage the digital certificates of IPSec tunnels for my SnapMirror replication traffic.

gaunt quiver

I meant that you can "natively" encrypt the cluster peer traffic; there is no need to tunnel it in IPsec. Using cluster peer encryption will also be more performant than IPsec (at least if you don't have any newer models with offloading cards).
