Implementing IPSec Network Security on Cisco IOS XR Software
Prerequisites for Implementing IPSec Network Security
SC-81
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Prerequisites for Implementing IPSec Network Security
The following prerequisites are required to implement IPSec network security:
• You must be in a user group associated with a task group that includes the proper task IDs for
security commands. The command reference guides include the task IDs required for each
command.
• If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.
• You must install and activate the Package Installation Envelope (PIE) for the security software.
For detailed information about optional PIE installation, see Cisco IOS XR System Management
Configuration Guide.
• You must configure Internet Key Exchange (IKE), as described in the Implementing Internet Key
Exchanaqge Security Protocol on Cisco
IOS XR Software module of Cisco IOS XR System Security
Configuration Guide.
Restrictions for Implementing IPSec Network Security
If you use Network Address Translation (NAT), you must configure static NAT translations so that IPSec
works properly. In general, NAT translation should occur before the router performs IPSec
encapsulation; in other words, IPSec should be working with global addresses.
Note Use static crypto profiles only.
Information About Implementing IPSec Networks
To implement IP network security, you should understand the following concepts:
• Crypto Profiles, page 82
• Dynamic Crypto Profiles, page 82
• Static Crypto Profiles, page 83
• Crypto Access Lists, page 83
• Transform Sets, page 83
• Global Lifetimes for IPSec Security Associations, page 84
• Checkpointing, page 85
Note For information about IPSec quality of service (QoS), refer to Cisco IOS XR Modular Quality of Service
Configuration Guide.
To Next Page
Loading...
Need help?
General
