Exporting certificates ··················································································································································· 111

Removing a certificate ················································································································································· 112

Configuring a certificate access control policy ········································································································· 112

Displaying and maintaining PKI ································································································································· 113

PKI configuration examples ········································································································································· 113

Certificate request from an RSA Keon CA server ···························································································· 114

Certificate request from a Windows 2003 CA server ···················································································· 116

Certificate request from an OpenCA server ····································································································· 120

IKE negotiation with RSA digital signature from a Windows 2003 CA server ············································ 123

Certificate import and export configuration example ····················································································· 125

Troubleshooting PKI configuration ······························································································································ 131

Failed to obtain the CA certificate ····················································································································· 131

Failed to obtain local certificates ······················································································································· 131

Failed to request local certificates ····················································································································· 132

Failed to obtain CRLs ·········································································································································· 133

Failed to import the CA certificate ····················································································································· 133

Failed to import a local certificate ····················································································································· 134

Failed to export certificates ································································································································ 134

Failed to set the storage path ····························································································································· 135

Configuring IPsec ···················································································································································· 136

Overview ······································································································································································· 136

Security protocols and encapsulation modes ··································································································· 137

Security association ············································································································································· 138

Authentication and encryption ··························································································································· 138

IPsec implementation ··········································································································································· 139

IPsec RRI································································································································································ 140

Protocols and standards ····································································································································· 141

IPsec tunnel establishment ··········································································································································· 141

Implementing ACL-based IPsec ··································································································································· 142

Configuring an ACL ············································································································································ 143

Configuring an IPsec transform set ···················································································································· 145

Configuring a manual IPsec policy···················································································································· 147

Configuring an IKE-based IPsec policy ············································································································· 149

Applying an IPsec policy to an interface ·········································································································· 153

Enabling ACL checking for de-encapsulated packets ······················································································ 153

Configuring the IPsec anti-replay function ········································································································ 154

Binding a source interface to an IPsec policy ·································································································· 154

Enabling QoS pre-classify ·································································································································· 155

Enabling logging of IPsec packets ····················································································································· 156

Configuring the DF bit of IPsec packets ············································································································ 156

Configuring IPsec RRI ·········································································································································· 157

Configuring IPsec for IPv6 routing protocols ············································································································· 158

Configuration task list ········································································································································· 158

Configuring a manual IPsec profile ··················································································································· 158

Configuring SNMP notifications for IPsec ················································································································· 160

Displaying and maintaining IPsec ······························································································································ 160

IPsec configuration examples······································································································································ 161

Configuring a manual mode IPsec tunnel for IPv4 packets ············································································ 161

Configuring an IKE-based IPsec tunnel for IPv4 packets ················································································· 164

Configuring an IKE-based IPsec tunnel for IPv6 packets ················································································· 167

Configuring IPsec for RIPng ································································································································ 171