Cisco IOS XR Configuration Manual page 116

System security configuration guide
How to Implement General IPSec Configurations for IPSec Networks
VRF-aware IPSec
Each IPSec tunnel is associated with two VRF domains. The outer, encapsulating packet belongs to one VRF, called the front door VRF (FVRF), while the inner, protected IP packet belongs to another, called the inside VRF (IVRF). The local endpoint of the IPSec tunnel therefore lies in the FVRF, while the source and destination addresses of the inside packet lie in the IVRF.

Cleartext IP traffic is forwarded from an internal VRF to a remote site or host within that same VRF over the IPSec tunnel. The IVRF is set on the tunnel interface (SVI) with the vrf command. The encrypted packets leaving the IPSec tunnel are forwarded in the FVRF, which is set on the same interface with the tunnel vrf command, so the tunnel source and destination addresses are FVRF addresses. The inner packets, and the crypto ACLs configured in the IPSec profile that select them, all belong to the IVRF: a crypto ACL is matched against the cleartext addresses, never against the FVRF addresses of the ESP packet.
MPLS Encapsulated Packets on Inbound Direction
Multiprotocol Label Switching (MPLS) is a high-performance packet-forwarding technology that integrates the performance and traffic management capabilities of data link switching with the scalability, flexibility, and performance of network-layer routing.

The IPSec packet arrives from the Internet destined for provider edge router PE2, which is also called the IPSec terminator. If the packet instead arrives at PE1 outside any VRF (for example, in the global table), the ingress PE1 pushes a label switched path (LSP) label onto the IPSec packet, and the labeled packet is used to tunnel the IPSec packet across the core to the egress PE, which is the IPSec terminator. The label is added outside the ESP header, so it is not covered by the IPSec integrity check; only the terminator verifies and decrypts the payload.
How to Implement General IPSec Configurations for IPSec Networks
This section contains the following procedures:
Setting Global Lifetimes for IPSec Security Associations, page SC-105 (required)
Creating Crypto Access Lists, page SC-106 (required)
Defining Transform Sets, page SC-108 (required)
Configuring Crypto Profiles, page SC-109 (required)
Applying Crypto Profiles to tunnel-ipsec Interfaces, page SC-130 (optional)
Applying Crypto Profiles to Crypto Transport, page SC-131 (required)
Configuring the DF Bit for the Encapsulating Header in IPSec Tunnels, page SC-114
Configuring the IPSec Antireplay Window: Expanding and Disabling, page SC-115
Configuring IPSec NAT Transparency, page SC-118
Configuring IPSec Security Association Idle Timers, page SC-120
Disabling Prefragmentation for Cisco IPSec VPN SPAs, page SC-124
Configuring Reverse-Route Injection in a Crypto Profile, page SC-127
Configuring IPSec Failure History Table Size, page SC-128
Cisco IOS XR System Security Configuration Guide, page SC-104
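The FVRF/IVRF split described under VRF-aware IPSec and the required procedures listed above (global lifetime, crypto ACL, transform set, crypto profile, applying the profile to a tunnel-ipsec interface), combined into one configuration as an added example. This is not a configuration taken from the guide: the VRF names, addresses, ACL, transform-set and profile names are made up, the vrf and tunnel vrf commands are the ones the text names, and the remaining keyword syntax is my recollection of IOS XR 3.x crypto commands and should be checked against the referenced procedures before use.

```cisco
! Added example, not from the guide. All names and addresses are assumed.
vrf FVRF-WAN
 description Front door VRF: carries the encrypted (outer) ESP packets
!
vrf IVRF-SITE
 description Inside VRF: holds the cleartext (inner) packets
!
! Setting Global Lifetimes: rekey every 30 minutes (syntax assumed)
crypto ipsec security-association lifetime seconds 1800
!
! Creating Crypto Access Lists: selects the IVRF traffic to protect.
! Keep it narrow; "permit ipv4 any any" would pull all IVRF traffic
! into the tunnel and hide misrouted flows inside it.
ipv4 access-list SITE-TO-HQ
 10 permit ipv4 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Defining Transform Sets: AES encryption plus SHA HMAC integrity.
! Do not use esp-des/esp-3des or a transform without an HMAC.
crypto ipsec transform-set TS-AES-SHA
 transform esp-aes esp-sha-hmac
!
! Configuring Crypto Profiles: binds the ACL to the transform set.
! PFS forces a fresh DH exchange on every rekey; use the largest
! group the release offers (group14 shown, an assumption for 3.5).
crypto ipsec profile HQ-PROFILE
 set type tunnel
 match address SITE-TO-HQ
 set transform-set TS-AES-SHA
 set pfs group14
!
! Applying Crypto Profiles to tunnel-ipsec Interfaces:
!   vrf        -> inner packets and the crypto ACL live in the IVRF
!   tunnel vrf -> outer ESP packets, tunnel source and destination
!                 live in the FVRF
interface tunnel-ipsec 1
 description To HQ: inner traffic in IVRF-SITE, outer ESP in FVRF-WAN
 vrf IVRF-SITE
 ipv4 address 172.16.1.1 255.255.255.252
 tunnel source 192.0.2.10
 tunnel destination 198.51.100.20
 tunnel vrf FVRF-WAN
 profile HQ-PROFILE
!
! The FVRF must be able to reach the tunnel destination, and the IVRF
! must send the protected prefix into the tunnel; neither VRF needs a
! route into the other.
router static
 vrf FVRF-WAN
  address-family ipv4 unicast
   198.51.100.0/24 192.0.2.1
  !
 !
 vrf IVRF-SITE
  address-family ipv4 unicast
   10.20.0.0/16 tunnel-ipsec 1
  !
 !
!
```

The point of the two VRF statements is isolation: a host in IVRF-SITE cannot reach 192.0.2.0/24 or 198.51.100.0/24 directly, and nothing arriving on the FVRF-WAN side can reach 10.10.0.0/16 except through the tunnel after decryption and a crypto ACL match. If the release provides show crypto ipsec sa, the SA should list the FVRF tunnel source and destination while the encapsulated packet counters only move for traffic matching SITE-TO-HQ.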
This manual is also suitable for: IOS XR 3.5