IPsec implementation
Protocols and standards
FIPS compliance
IPsec tunnel establishment
Implementing ACL-based IPsec
Configuring an ACL
Enabling QoS pre-classify
Displaying and maintaining IPsec
IPsec configuration examples
Configuring IKE
Overview
IKE negotiation process
IKE security mechanism
Protocols and standards
FIPS compliance
IKE configuration prerequisites
IKE configuration task list
Configuring an IKE profile
Configuring an IKE proposal
Configuring an IKE keychain
Configuring IKE DPD
Enabling invalid SPI recovery
Displaying and maintaining IKE
Network requirements
Configuration procedure
Verifying the configuration
Troubleshooting IKE