Implementing IPSec Network Security on Cisco IOS XR Software
Cisco IOS XR System Security Configuration Guide
Restrictions for Implementing IPSec Network Security
If you use Network Address Translation (NAT), configure static NAT translations so that IPSec works properly. In general, NAT translation should occur before the router performs IPSec encapsulation; in other words, IPSec should operate on global (post-translation) addresses.
Note: You should be using static crypto profiles.
Restrictions for Implementing IPSec Network with a Cisco IPSec VPN SPA
The following restrictions apply when implementing an IPSec network with a Cisco XR 12000 Series Router IPSec VPN SPA:
• Clear GRE is not supported. Only secure generic routing encapsulation (GRE) is supported by the Cisco XR 12000 Series Router IPSec VPN SPA. To configure the Cisco XR 12000 Series Router IPSec VPN SPA, you can use either service-ipsec or service-gre interfaces.
• Dynamic virtual interfaces are not supported.
• Dynamic Multipoint VPN (DMVPN) is not supported.
• Multicast is supported on interfaces in the global VRF.
The following restrictions apply when implementing IPSec with the Cisco XR 12000 Series Router IPSec VPN SPA for Internet Security Association and Key Management Protocol (ISAKMP) and IPSec profile configurations:
• One IPSec profile is configured on a virtual interface (for example, service-ipsec or service-gre). A profile has one or more access control lists (ACLs). Each ACL has one or more access control entries (ACEs). ACLs and ACEs cannot intersect.
• With both tunnel source and tunnel destination defined, a dynamic profile configuration on a virtual interface is rejected.
• Multiple virtual interfaces can be attached to ISAKMP profiles; however, a virtual interface is referenced from a single ISAKMP profile only. This constraint is required to uniquely identify the virtual interface, ISAKMP profile, and IPSec profile when the router acts as IKE initiator and as IKE responder.
The following restrictions apply to the tunnel source address when implementing the Cisco XR 12000 Series Router IPSec VPN SPA:
• Virtual interfaces that use the same tunnel source and FVRF must be configured on the same Cisco XR 12000 Series Router IPSec VPN SPA.
• When NAT traversal is active for two tunnels that share the same source address, destination address, and FVRF under two different virtual interfaces, IP packets that require fragmentation are dropped.
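The profile restrictions (non-intersecting ACEs, one ISAKMP profile per virtual interface) and the tunnel-source restrictions (same source and FVRF on one SPA, NAT-traversal fragmentation drops) above are easy to violate in a large configuration and only show up as tunnels that will not come up or traffic that silently disappears. The following script is an added example, not Cisco code and not part of this guide: it models the relevant attributes of a planned configuration and flags each restriction offline before the configuration is pushed. The Ace and VirtualIf data model, the SPA location strings, the profile and interface names and all sample addresses are constructed for the demonstration.

```python
# Added example: offline sanity checks for the IPSec VPN SPA restrictions listed
# in this section. Not Cisco code; the data model (Ace, VirtualIf), the SPA
# location format and every sample value below are constructed for the demo.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Ace:
    """One access control entry: the traffic selector of an IPSec profile."""
    profile: str      # IPSec profile name (hypothetical)
    acl: str          # ACL the entry belongs to (hypothetical)
    src: IPv4Network
    dst: IPv4Network


def aces_intersect(a: Ace, b: Ace) -> bool:
    # Two selectors intersect when some packet matches both, i.e. the source
    # ranges overlap AND the destination ranges overlap.
    return a.src.overlaps(b.src) and a.dst.overlaps(b.dst)


def find_intersecting_aces(aces):
    """Return every pair of ACEs whose selectors intersect; the SPA restriction
    requires this list to be empty, whether the ACEs share an ACL or not."""
    return [(a, b) for i, a in enumerate(aces) for b in aces[i + 1:] if aces_intersect(a, b)]


@dataclass(frozen=True)
class VirtualIf:
    """A service-ipsec or service-gre interface with the attributes the restrictions key on."""
    name: str
    tunnel_src: str
    tunnel_dst: str
    fvrf: str
    spa: str                # SPA location the interface is bound to (constructed format)
    nat_t: bool             # NAT traversal active on this tunnel
    isakmp_profiles: tuple  # ISAKMP profiles that reference this interface


def spa_placement_violations(vifs):
    """Interfaces sharing (tunnel source, FVRF) must all be on the same SPA."""
    groups = defaultdict(set)
    for v in vifs:
        groups[(v.tunnel_src, v.fvrf)].add(v.spa)
    return {key: sorted(spas) for key, spas in groups.items() if len(spas) > 1}


def nat_t_fragment_risks(vifs):
    """Two NAT-T tunnels with the same source, destination and FVRF under two
    different virtual interfaces: IP packets that need fragmentation are dropped."""
    groups = defaultdict(list)
    for v in vifs:
        if v.nat_t:
            groups[(v.tunnel_src, v.tunnel_dst, v.fvrf)].append(v.name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def multi_isakmp_references(vifs):
    """A virtual interface may be referenced from a single ISAKMP profile only."""
    return {v.name: v.isakmp_profiles for v in vifs if len(v.isakmp_profiles) > 1}


# Constructed sample configuration: one overlapping ACE pair, one (source, FVRF)
# group split across two SPAs, one NAT-T collision and one interface referenced
# by two ISAKMP profiles, each deliberate so every check has something to report.
SAMPLE_ACES = [
    Ace("prof-a", "acl-a", ip_network("10.1.0.0/24"), ip_network("192.168.1.0/24")),
    Ace("prof-a", "acl-a", ip_network("10.2.0.0/24"), ip_network("192.168.1.0/24")),
    Ace("prof-b", "acl-b", ip_network("10.1.0.0/16"), ip_network("192.168.1.128/25")),  # intersects the first
]

SAMPLE_VIFS = [
    VirtualIf("service-ipsec1", "203.0.113.1", "198.51.100.1", "fvrf-red", "0/1/0", True, ("isakmp-1",)),
    VirtualIf("service-ipsec2", "203.0.113.1", "198.51.100.1", "fvrf-red", "0/1/0", True, ("isakmp-1", "isakmp-2")),
    VirtualIf("service-gre3", "203.0.113.1", "198.51.100.2", "fvrf-red", "0/2/0", False, ("isakmp-3",)),
]


def run_all_checks(aces=SAMPLE_ACES, vifs=SAMPLE_VIFS):
    """Run every restriction check; an empty value means that check passed."""
    return {
        "intersecting_aces": find_intersecting_aces(aces),
        "spa_placement": spa_placement_violations(vifs),
        "nat_t_fragment_risk": nat_t_fragment_risks(vifs),
        "multi_isakmp": multi_isakmp_references(vifs),
    }


if __name__ == "__main__":
    for check, result in run_all_checks().items():
        print(f"{check}: {'OK' if not result else result}")
```

The ACE check is intentionally pairwise over all profiles rather than per ACL, because the restriction forbids intersection between ACLs as well as between entries of one ACL; on a real configuration you would populate the lists from the parsed running configuration and fail the change review if any check returns a non-empty result.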