To do...
5. Specify the IP packet encapsulation mode for the IPsec proposal.
NOTE:
• Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute reset ipsec sa to clear the SAs so that they can be set up using the updated parameters.
• When a security protocol is selected, configure security algorithms for it. For example, specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. Encryption without authentication gives no integrity protection, so in practice select both encryption and authentication.
• You can configure up to 10,000 IPsec proposals.
Configuring an IPsec policy
IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
• Manual IPsec policy: the parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.
• IPsec policy that uses IKE: the parameters are automatically negotiated through IKE.
Configuring a manual IPsec policy
Configuration guidelines
To ensure successful SA negotiations, follow these guidelines when configuring manual IPsec policies at the two ends of an IPsec tunnel:
• The IPsec policies at the two ends must have IPsec proposals that use the same security protocols, security algorithms, and encapsulation mode.
• The remote IP address configured on the local end must be the same as the IP address of the remote end.
• At each end, configure parameters for both the inbound SA and the outbound SA, and make sure that different SAs use different SPIs.
• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and the remote inbound SA.
• The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and the remote inbound and outbound SAs must also use keys in characters.
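The guidelines above can be applied as a mechanical pre-check before a manual policy is committed at either end. The Python script below is an added example, not part of the original guide or of the device software: it models what each end configures (field names such as local_ip, inbound, outbound and key_format are assumptions chosen for the example, not the device's configuration syntax), checks the two ends against every guideline listed above plus the transport-mode restriction stated in the encapsulation-mode remarks, and reports each mismatch. The addresses, SPIs and keys are constructed sample data.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    """One direction of a manual SA: its SPI, key and the key's format."""
    spi: int
    key: str
    key_format: str  # "characters" or "hex", the distinction the guide draws


@dataclass(frozen=True)
class ManualPolicyEnd:
    """What one tunnel end has configured for a manual IPsec policy (assumed field names)."""
    local_ip: str
    remote_ip: str            # the tunnel remote address configured on this end
    protocol: str             # "esp" or "ah"
    algorithms: Tuple[str, ...]
    encapsulation: str        # "tunnel" or "transport"
    inbound: SA
    outbound: SA


def check_manual_policy(local: ManualPolicyEnd, remote: ManualPolicyEnd,
                        flow: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return every guideline violation between the two ends (empty list = consistent)."""
    errors: List[str] = []

    # Proposals at both ends must use the same protocol, algorithms and encapsulation mode.
    if local.protocol != remote.protocol:
        errors.append(f"security protocol differs: {local.protocol} vs {remote.protocol}")
    if sorted(local.algorithms) != sorted(remote.algorithms):
        errors.append(f"security algorithms differ: {local.algorithms} vs {remote.algorithms}")
    if local.encapsulation != remote.encapsulation:
        errors.append(f"encapsulation mode differs: {local.encapsulation} vs {remote.encapsulation}")

    # The remote address configured on each end must be the other end's own address.
    if local.remote_ip != remote.local_ip:
        errors.append(f"local end points at {local.remote_ip}, but remote end is {remote.local_ip}")
    if remote.remote_ip != local.local_ip:
        errors.append(f"remote end points at {remote.remote_ip}, but local end is {local.local_ip}")

    # At each end, the inbound and outbound SAs must use different SPIs.
    for name, end in (("local", local), ("remote", remote)):
        if end.inbound.spi == end.outbound.spi:
            errors.append(f"{name} end reuses SPI {end.inbound.spi} for both directions")

    # Local inbound must mirror remote outbound, and local outbound must mirror remote inbound.
    pairs = (("local inbound", local.inbound, "remote outbound", remote.outbound),
             ("local outbound", local.outbound, "remote inbound", remote.inbound))
    for a_name, a, b_name, b in pairs:
        if a.spi != b.spi:
            errors.append(f"{a_name} SPI {a.spi} != {b_name} SPI {b.spi}")
        if a.key != b.key:
            errors.append(f"{a_name} key does not match {b_name} key")

    # All four SAs must use keys in the same format (all characters or all hex).
    formats = {sa.key_format for end in (local, remote) for sa in (end.inbound, end.outbound)}
    if len(formats) > 1:
        errors.append(f"mixed key formats: {sorted(formats)}")

    # Transport mode applies only when the protected flow runs between the tunnel endpoints.
    if flow is not None and local.encapsulation == "transport":
        if {flow[0], flow[1]} != {local.local_ip, remote.local_ip}:
            errors.append(f"transport mode, but flow {flow} is not between the tunnel endpoints")

    return errors


# Constructed sample configuration: documentation addresses and throwaway keys.
SITE_A = ManualPolicyEnd(
    local_ip="192.0.2.1", remote_ip="198.51.100.1",
    protocol="esp", algorithms=("aes-cbc-128", "sha1"), encapsulation="tunnel",
    inbound=SA(spi=12345, key="abcdefghijklmnop", key_format="characters"),
    outbound=SA(spi=54321, key="ponmlkjihgfedcba", key_format="characters"),
)
# Site B mirrors site A: B's inbound SA is A's outbound SA and vice versa.
SITE_B = ManualPolicyEnd(
    local_ip="198.51.100.1", remote_ip="192.0.2.1",
    protocol="esp", algorithms=("sha1", "aes-cbc-128"), encapsulation="tunnel",
    inbound=SITE_A.outbound,
    outbound=SITE_A.inbound,
)


def consistent_example() -> List[str]:
    return check_manual_policy(SITE_A, SITE_B)


def misconfigured_example() -> List[str]:
    # Operator reused B's inbound SPI for B's outbound SA and typed that key as hex.
    bad_b = replace(SITE_B, outbound=SA(spi=54321, key="6162636465666768696a6b6c6d6e6f70",
                                        key_format="hex"))
    return check_manual_policy(SITE_A, bad_b)


def transport_mismatch_example() -> List[str]:
    # Same SAs, but transport mode requested for a flow between hosts behind the gateways.
    a = replace(SITE_A, encapsulation="transport")
    b = replace(SITE_B, encapsulation="transport")
    return check_manual_policy(a, b, flow=("10.1.1.10", "10.2.2.20"))


if __name__ == "__main__":
    print("consistent pair:", consistent_example())
    for problem in misconfigured_example() + transport_mismatch_example():
        print("problem:", problem)
```

The misconfigured pair trips four checks at once (SPI reuse at site B, SPI and key mismatch between A's inbound and B's outbound, and mixed key formats), which is the usual shape of a manual-policy failure: one typo at one end shows up as several inconsistencies between the ends.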
Follow these guidelines when configuring an IPsec policy for an IPv6 routing protocol:
Command (step 5, encapsulation mode)...
encapsulation-mode { transport | tunnel }
Remarks
Optional. Tunnel mode by default.
Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
IPsec for IPv6 routing protocols supports only the transport mode.