SSL protocol stack
FIPS compliance
SSL configuration task list
Displaying and maintaining SSL
Configuring IPsec
Overview
Security association
Authentication and encryption
IPsec implementation
Protocols and standards
IPsec tunnel establishment
Implementing ACL-based IPsec
Configuring an ACL
Enabling QoS pre-classify
IPsec configuration examples
Configuring IKE
Overview
IKE negotiation process
IKE security mechanism
Protocols and standards
IKE configuration task list
Configuring an IKE profile
Configuring an IKE proposal
Configuring an IKE keychain
Configuring IKE DPD
Enabling invalid SPI recovery
Displaying and maintaining IKE
Network requirements
Configuration procedure
Verifying the configuration
Troubleshooting IKE