IPsec for IPv6 Routing Protocols; IPsec RRI; Protocols and Standards - HP A6600 Configuration Manual

7. The IPsec tunnel interface de-encapsulates the packet and then delivers the resulting clear text
packet back to the forwarding module.
8. The forwarding module looks up the routing table and then forwards the clear text packet out of the
physical outbound interface associated with the tunnel interface.

IPsec for IPv6 routing protocols

You can use IPsec to protect routing information and defend against attacks for these IPv6 routing
protocols: OSPFv3, IPv6 BGP, and RIPng. IPsec enables these IPv6 routing protocols to encapsulate
outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol.
If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated (for example,
due to decryption or authentication failure), the routing protocol discards that packet.
You must manually configure SA parameters in an IPsec policy for IPv6 routing protocols. The IKE key
exchange mechanism applies only to one-to-one communications. IPsec cannot implement automatic key
exchange for one-to-many communications on a broadcast network, where routers must use the same SA
parameters (SPI and key) to process packets for a routing protocol.
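
The discard rule and the shared-SA requirement described above can be modelled as follows. This is an added example, not code from the HP manual or the device: it is a simplified model rather than the real AH/ESP wire format, and the names ManualSA, Packet, protect, receive and deaf_pairs, the HMAC-SHA1-96 integrity check, and all SPI and key values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional


class ManualSA(NamedTuple):
    spi: int    # manually configured SPI (constructed value)
    key: bytes  # manually configured authentication key (constructed value)


class Packet(NamedTuple):
    payload: bytes
    spi: Optional[int] = None  # None models a packet that carries no IPsec header
    icv: bytes = b""


def _icv(sa_key: bytes, spi: int, payload: bytes) -> bytes:
    # Assumed integrity algorithm: HMAC-SHA1 truncated to 96 bits.
    return hmac.new(sa_key, spi.to_bytes(4, "big") + payload, hashlib.sha1).digest()[:12]


def protect(payload: bytes, sa: ManualSA) -> Packet:
    """Sender side: attach the SPI and an integrity check value."""
    return Packet(payload, sa.spi, _icv(sa.key, sa.spi, payload))


def receive(pkt: Packet, sa: ManualSA) -> Optional[bytes]:
    """Receiver side: return the payload, or None when the packet is discarded."""
    if pkt.spi is None:       # packet is not IPsec protected
        return None
    if pkt.spi != sa.spi:     # no SA matches this SPI
        return None
    if not hmac.compare_digest(_icv(sa.key, pkt.spi, pkt.payload), pkt.icv):
        return None           # authentication failure
    return pkt.payload


def deaf_pairs(routers: dict) -> list:
    """(sender, receiver) pairs where the receiver discards the sender's packets."""
    hello = b"constructed routing hello"
    return sorted((s, r) for s, s_sa in routers.items() for r, r_sa in routers.items()
                  if s != r and receive(protect(hello, s_sa), r_sa) is None)


# Constructed sample: three routers on one broadcast link; R3 has a mistyped key.
SEGMENT = {
    "R1": ManualSA(0x3039, b"constructed-shared-key"),
    "R2": ManualSA(0x3039, b"constructed-shared-key"),
    "R3": ManualSA(0x3039, b"constructed-shared-kez"),
}

if __name__ == "__main__":
    for sender, receiver in deaf_pairs(SEGMENT):
        print(f"{receiver} discards routing packets from {sender}")
```

Because every router on the link both sends to and receives from all the others, a single mismatched key or SPI isolates that router in both directions.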

IPsec RRI

IPsec RRI enables an IPsec tunnel gateway to automatically add static routes destined for protected
private networks or peer IPsec tunnel gateways to a routing table. In an MPLS L3VPN network, IPsec RRI
can add static routes to VPN instances' routing tables.
IPsec RRI applies to gateways (for example, a headquarters gateway that must provide many IPsec
tunnels). It frees you from the tedious work of manually configuring and maintaining static routes for
IPsec tunnels. For example, if you enable RRI on Device A in Figure 93, Device A can automatically
create a static route to branch network 192.168.2.0/24 for the IPsec protected traffic from the
headquarters to the branch. You do not have to manually add the route by configuring ip route-static
192.168.2.0 255.255.255.0 2.2.2.2.

Figure 93 An IPsec VPN

You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly create new
routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful failover
environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local
gateway.

Protocols and standards

Protocols and standards relevant to IPsec are as follows:
RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload
