Failed to request local certificates ····················································································································· 166

Failed to obtain CRLs ·········································································································································· 167

Failed to import the CA certificate ····················································································································· 167

Failed to import a local certificate ····················································································································· 168

Failed to export certificates ································································································································ 168

Failed to set the storage path ····························································································································· 169

Configuring IPsec ···················································································································································· 170

Overview ······································································································································································· 170

Security protocols and encapsulation modes ··································································································· 170

Security association ············································································································································· 172

Authentication and encryption ··························································································································· 172

IPsec implementation ··········································································································································· 173

IPsec RRI································································································································································ 174

Protocols and standards ····································································································································· 175

FIPS compliance ··························································································································································· 175

IPsec tunnel establishment ··········································································································································· 176

Implementing ACL-based IPsec ··································································································································· 176

Configuring an ACL ············································································································································ 177

Configuring an IPsec transform set ···················································································································· 179

Configuring a manual IPsec policy···················································································································· 181

Configuring an IKE-based IPsec policy ············································································································· 183

Applying an IPsec policy to an interface ·········································································································· 187

Enabling ACL checking for de-encapsulated packets ······················································································ 187

Configuring the IPsec anti-replay function ········································································································ 188

Binding a source interface to an IPsec policy ·································································································· 188

Enabling QoS pre-classify ·································································································································· 189

Enabling logging of IPsec packets ····················································································································· 190

Configuring the DF bit of IPsec packets ············································································································ 190

Configuring IPsec RRI ·········································································································································· 191

Configuring IPsec for IPv6 routing protocols ············································································································· 192

Configuration task list ········································································································································· 192

Configuring a manual IPsec profile ··················································································································· 192

Configuring SNMP notifications for IPsec ················································································································· 193

Displaying and maintaining IPsec ······························································································································ 194

IPsec configuration examples······································································································································ 195

Configuring a manual mode IPsec tunnel for IPv4 packets ············································································ 195

Configuring an IKE-based IPsec tunnel for IPv4 packets ················································································· 198

Configuring an IKE-based IPsec tunnel for IPv6 packets ················································································· 201

Configuring IPsec for RIPng ································································································································ 205

Configuring IKE ······················································································································································· 213

IKE negotiation process ······································································································································ 213

IKE security mechanism ······································································································································· 214

IKE configuration prerequisites ··································································································································· 215

IKE configuration task list ············································································································································ 215

Configuring an IKE profile ·········································································································································· 216

Configuring an IKE proposal ······································································································································ 218

Configuring an IKE keychain ······································································································································ 219

Configuring the global identity information ·············································································································· 220

Configuring the IKE keepalive function ······················································································································ 221