vii
IPsec tunnel establishment ···························································································································· 303
Implementing ACL-based IPsec ···················································································································· 303
Configuring an ACL ································································································································ 304
Configuring an IPsec transform set ········································································································ 305
Configuring a manual IPsec policy ········································································································· 307
Configuring an IKE-based IPsec policy ·································································································· 308
Applying an IPsec policy to an interface ································································································ 312
Enabling ACL checking for de-encapsulated packets ············································································ 312
Configuring IPsec anti-replay ················································································································· 313
Configuring IPsec anti-replay redundancy ····························································································· 313
Binding a source interface to an IPsec policy ························································································ 314
Enabling QoS pre-classify ······················································································································ 315
Enabling logging of IPsec packets ········································································································· 315
Configuring the DF bit of IPsec packets ································································································· 315
Configuring IPsec for IPv6 routing protocols ·································································································· 316
Configuration task list ····························································································································· 316
Configuring a manual IPsec profile ········································································································ 317
Configuring SNMP notifications for IPsec ······································································································ 318
Configuring IPsec fragmentation ···················································································································· 318
Setting the maximum number of IPsec tunnels ····························································································· 319
Displaying and maintaining IPsec ·················································································································· 319
IPsec configuration examples ························································································································ 320
Configuring a manual mode IPsec tunnel for IPv4 packets ··································································· 320
Configuring IPsec for RIPng ··················································································································· 322
Configuring IKE ··························································································· 326
Overview ························································································································································ 326
IKE negotiation process ························································································································· 326
IKE security mechanism ························································································································· 327
Protocols and standards ························································································································ 328
FIPS compliance ············································································································································ 328
IKE configuration prerequisites ······················································································································ 328
IKE configuration task list ······························································································································· 328
Configuring an IKE profile ······························································································································ 329
Configuring an IKE proposal ·························································································································· 331
Configuring an IKE keychain ·························································································································· 332
Configuring the global identity information ····································································································· 333
Configuring the IKE keepalive feature ··········································································································· 333
Configuring the IKE NAT keepalive feature ··································································································· 334
Configuring IKE DPD ····································································································································· 334
Enabling invalid SPI recovery ························································································································ 335
Setting the maximum number of IKE SAs ······································································································ 335
Configuring SNMP notifications for IKE ········································································································· 336
Displaying and maintaining IKE ····················································································································· 336
IKE configuration examples ··························································································································· 337
Configuring an IKE-based IPsec tunnel for IPv4 packets ······································································ 337
Main mode IKE with pre-shared key authentication configuration example ··········································· 339
Troubleshooting IKE ······································································································································ 342
IKE negotiation failed because no matching IKE proposals were found ················································ 342
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·················· 343
IPsec SA negotiation failed because no matching IPsec transform sets were found ···························· 343
IPsec SA negotiation failed due to invalid identity information ······························································· 344
Configuring IKEv2 ······················································································· 347
Overview ························································································································································ 347
IKEv2 negotiation process ····················································································································· 347
New features in IKEv2 ···························································································································· 348
Protocols and standards ························································································································ 348
IKEv2 configuration task list ··························································································································· 348
Configuring an IKEv2 profile ·························································································································· 349
Configuring an IKEv2 policy ··························································································································· 352
Configuring an IKEv2 proposal ······················································································································ 352
To Next Page
Loading...
