HP 5920 Series Configuration Manual page 7


Configuration guidelines (192)
Configuring automatic certificate request (192)
Manually requesting a certificate (193)
Aborting a certificate request (194)
Obtaining certificates (194)
Configuration prerequisites (194)
Configuration guidelines (194)
Configuration procedure (195)
Verifying PKI certificates (195)
Verifying certificates with CRL checking (195)
Verifying certificates without CRL checking (196)
Specifying the storage path for the certificates and CRLs (196)
Exporting certificates (197)
Removing a certificate (197)
Configuring a certificate access control policy (198)
Displaying and maintaining PKI (199)
PKI configuration examples (199)
Requesting a certificate from an RSA Keon CA server (200)
Requesting a certificate from a Windows Server 2003 CA server (202)
Requesting a certificate from an OpenCA server (206)
Certificate import and export configuration example (209)
Troubleshooting PKI configuration (214)
Failed to obtain the CA certificate (214)
Failed to obtain local certificates (215)
Failed to request local certificates (216)
Failed to obtain CRLs (216)
Failed to import the CA certificate (217)
Failed to import a local certificate (217)
Failed to export certificates (218)
Failed to set the storage path (218)
Configuring IPsec (220)
Overview (220)
Security protocols and encapsulation modes (221)
Security association (222)
Authentication and encryption (223)
IPsec implementation (223)
Protocols and standards (224)
IPsec tunnel establishment (224)
Implementing ACL-based IPsec (225)
Feature restrictions and guidelines (225)
ACL-based IPsec configuration task list (225)
Configuring an ACL (226)
Configuring an IPsec transform set (227)
Configuring a manual IPsec policy (228)
Configuring an IKE-based IPsec policy (230)
Applying an IPsec policy to an interface (234)
Enabling ACL checking for de-encapsulated packets (234)
Configuring the IPsec anti-replay function (235)
Binding a source interface to an IPsec policy (236)
Enabling QoS pre-classify (236)
Enabling logging of IPsec packets (237)
Configuring the DF bit of IPsec packets (237)
Configuring IPsec for IPv6 routing protocols (238)
Configuration task list (238)

This manual is also suitable for:

5900 series
