HPE FlexNetwork 5510 HI Series Security Configuration Guide
• Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it.
• Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.
• Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.
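As an added illustration (not part of the HPE guide, and not the device's own logic), the following Python model counts how many IPsec tunnels each ACL-based mode would establish for a constructed set of flows, which makes the resource cost of per-host mode concrete. The ACL rules, flows and the treatment of a host pair as a one-direction (src, dst) tuple are assumptions of this example.

```python
# Added example: models the tunnel count per ACL-based IPsec mode described above.
from ipaddress import ip_address, ip_network

# Constructed sample ACL: permit rules as (rule_id, source_prefix, dest_prefix).
ACL = [
    (0, "10.1.1.0/24", "10.2.2.0/24"),
    (5, "10.1.3.0/24", "10.2.4.0/24"),
]

# Constructed sample flows as (src_host, dst_host). Three host pairs cross rule 0,
# one host pair crosses rule 5, one flow matches no permit rule.
FLOWS = [
    ("10.1.1.10", "10.2.2.20"),
    ("10.1.1.11", "10.2.2.20"),
    ("10.1.1.12", "10.2.2.21"),
    ("10.1.1.10", "10.2.2.20"),   # repeat of an existing host pair
    ("10.1.3.7", "10.2.4.9"),
    ("192.0.2.1", "10.2.2.20"),   # not permitted by the ACL: not protected
]

def match_rule(acl, src, dst):
    """Return the id of the first permit rule covering (src, dst), or None."""
    s, d = ip_address(src), ip_address(dst)
    for rule_id, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return rule_id
    return None

def tunnel_count(mode, acl, flows):
    """Tunnels a device would establish in the given mode (assumed model):
    standard    - one tunnel per ACL rule that carries traffic
    aggregation - one tunnel for the whole ACL if any rule carries traffic
    per-host    - one tunnel per distinct permitted host-to-host pair
    """
    matched_rules, host_pairs = set(), set()
    for src, dst in flows:
        rule_id = match_rule(acl, src, dst)
        if rule_id is None:
            continue                      # unmatched traffic gets no tunnel
        matched_rules.add(rule_id)
        host_pairs.add((src, dst))
    if mode == "standard":
        return len(matched_rules)
    if mode == "aggregation":
        return 1 if matched_rules else 0
    if mode == "per-host":
        return len(host_pairs)
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    for mode in ("standard", "aggregation", "per-host"):
        print(f"{mode:12s} {tunnel_count(mode, ACL, FLOWS)} tunnel(s)")
```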
Application-based IPsec
This IPsec implementation method does not require any ACL. All packets of the application bound to an IPsec policy are encapsulated with IPsec. All packets of applications that are not bound with IPsec, and IPsec packets that fail to be de-encapsulated, are dropped.
You can use this method to protect an IPv6 routing protocol with IPsec. The supported IPv6 routing protocols are OSPFv3, IPv6 BGP, and RIPng.
In one-to-many communication scenarios, you must configure the IPsec SAs for an IPv6 routing protocol in manual mode, for the following reasons:
• The automatic key exchange mechanism protects communications only between two points. In one-to-many communication scenarios, automatic key exchange cannot be implemented.
• One-to-many communication scenarios require that all the devices use the same SA parameters (SPI and key) to receive and send packets. IKE-negotiated SAs cannot meet this requirement.
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
IPsec tunnel establishment
IPsec tunnels can be established by different methods. Choose the method that suits your network conditions:
• ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, specify an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network.
• Application-based IPsec tunnel—Protects the packets of an application. This method can be used to protect IPv6 routing protocols. It does not require any ACL. To establish application-based IPsec tunnels, configure manual IPsec profiles and bind the profiles to an IPv6 routing protocol. For more information about IPv6 routing protocols, see "Configuring IPsec for IPv6 routing protocols."