H3C S5830V2 Security Configuration Manual page 14


IPsec implementation
Protocols and standards
FIPS compliance
IPsec tunnel establishment
Implementing ACL-based IPsec
Feature restrictions and guidelines
ACL-based IPsec configuration task list
Configuring an ACL
Configuring an IPsec transform set
Configuring a manual IPsec policy
Configuring an IKE-based IPsec policy
Applying an IPsec policy to an interface
Enabling ACL checking for de-encapsulated packets
Configuring the IPsec anti-replay function
Binding a source interface to an IPsec policy
Enabling QoS pre-classify
Enabling logging of IPsec packets
Configuring the DF bit of IPsec packets
Displaying and maintaining IPsec
IPsec configuration examples
Configuring a manual mode IPsec tunnel for IPv4 packets
Configuring an IKE-based IPsec tunnel for IPv4 packets
Configuring IKE
Overview
IKE negotiation process
IKE security mechanism
Protocols and standards
FIPS compliance
IKE configuration prerequisites
IKE configuration task list
Configuring an IKE profile
Configuring an IKE proposal
Configuring an IKE keychain
Configuring the global identity information
Configuring the IKE keepalive function
Configuring the IKE NAT keepalive function
Configuring IKE DPD
Enabling invalid SPI recovery
Setting the maximum number of IKE SAs
Displaying and maintaining IKE
Main mode IKE with pre-shared key authentication configuration example
Network requirements
Configuration procedure
Verifying the configuration
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec SA negotiation failed due to invalid identity information

This manual is also suitable for:

S5820v2
