Implementing IPSec Network Security on Cisco IOS XR Software
How to Implement General IPSec Configurations for IPSec Networks
SC-104
Cisco IOS XR System Security Configuration Guide
VRF-aware IPSec
Each IPSec tunnel is associated with two VRF domains. The outer, encapsulated packet belongs to one VRF, called the front door VRF (FVRF), while the inner, protected IP packet belongs to another VRF, called the inside VRF (IVRF). The local endpoint of the IPSec tunnel therefore belongs to the FVRF, while the source and destination addresses of the inside packet belong to the IVRF.
Cleartext IP traffic from an internal VRF is forwarded to a remote site or host within that VRF over the IPSec tunnel. The IVRF is set on the SVI with the vrf command. The encrypted packets that traverse the IPSec tunnel are forwarded in the FVRF, which is configured on the SVI with the tunnel vrf command. The tunnel source and destination addresses belong to the FVRF. The packets to be encapsulated and the crypto ACLs configured in the IPSec profile are all part of the IVRF.
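The fragment below is an added illustration of the FVRF/IVRF split, not configuration from this guide: the tunnel endpoints live in an FVRF named outside, the protected traffic and the crypto ACL in an IVRF named inside. The VRF names, addresses, the ACL name inside-to-remote, the transform-set name and the profile name vpn-profile are assumed; the command keywords follow the tunnel-ipsec syntax of IOS XR releases that support this feature and should be checked against the command reference for the installed release before use.

```text
! Added example; names and addresses are assumed, not taken from this guide.
! FVRF carries the encrypted outer packets, IVRF carries the cleartext inner packets.
vrf outside
 address-family ipv4 unicast
!
vrf inside
 address-family ipv4 unicast
!
! Crypto ACL (assumed name) selecting the IVRF traffic to protect.
! Keep it narrow: "permit ipv4 any any" would pull every IVRF flow into the tunnel.
ipv4 access-list inside-to-remote
 10 permit ipv4 10.1.0.0/16 10.2.0.0/16
!
crypto ipsec transform-set ts-aes-sha
 transform esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile vpn-profile
 match address inside-to-remote
 set transform-set ts-aes-sha
!
interface tunnel-ipsec 1
 ! IVRF: inner packet addresses and the crypto ACL are evaluated here
 vrf inside
 ipv4 address 192.168.100.1 255.255.255.252
 ! FVRF: tunnel source and destination are routed in this VRF
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel vrf outside
 profile vpn-profile
!
! Checks after commit: the peer must be reachable in the FVRF (not the IVRF),
! and the protected remote prefix must be routed into the tunnel in the IVRF.
! show route vrf outside 198.51.100.1
! show route vrf inside 10.2.0.0/16
! show crypto ipsec sa
```

If the peer address is only present in the IVRF routing table, or the protected prefix is only present in the FVRF, the tunnel will not come up or traffic will bypass it in cleartext; the two show route commands above make that mismatch visible before any traffic is sent.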
MPLS-Encapsulated Packets in the Inbound Direction
Multiprotocol Label Switching (MPLS) is a high-performance packet-forwarding technology that integrates the performance and traffic management capabilities of data link switching with the scalability, flexibility, and performance of network-layer routing.
An IPSec packet arriving from the Internet is destined for provider edge router PE2, which terminates the IPSec tunnel and is therefore called the IPSec terminator. When the packet enters the provider network at ingress router PE1 outside of a VRF (for example, in the global routing table), PE1 pushes a label switched path (LSP) label onto the IPSec packet. The labeled packet is then tunneled across the MPLS core to the egress PE, which is the IPSec terminator.
How to Implement General IPSec Configurations for IPSec Networks
This section contains the following procedures:
• Setting Global Lifetimes for IPSec Security Associations, page SC-105 (optional)
• Creating Crypto Access Lists, page SC-106 (required)
• Defining Transform Sets, page SC-108 (required)
• Configuring Crypto Profiles, page SC-109 (required)
• Applying Crypto Profiles to tunnel-ipsec Interfaces, page SC-130 (required)
• Applying Crypto Profiles to Crypto Transport, page SC-131 (required)
• Configuring the DF Bit for the Encapsulating Header in IPSec Tunnels, page SC-114
• Configuring the IPSec Antireplay Window: Expanding and Disabling, page SC-115
• Configuring IPSec NAT Transparency, page SC-118
• Configuring IPSec Security Association Idle Timers, page SC-120
• Disabling Prefragmentation for Cisco IPSec VPN SPAs, page SC-124
• Configuring Reverse-Route Injection in a Crypto Profile, page SC-127
• Configuring IPSec Failure History Table Size, page SC-128