Protocols and standards
Protocols and standards relevant to IPsec are as follows:
RFC 2401, Security Architecture for the Internet Protocol
•
RFC 2402, IP Authentication Header
•
RFC 2406, IP Encapsulating Security Payload
•
RFC 4552, Authentication/Confidentiality for OSPFv3
•
•
RFC 4301, Security Architecture for the Internet Protocol
RFC 4302, IP Authentication Header
•
RFC 4303, IP Encapsulating Security Payload (ESP)
•
FIPS compliance
In Release 1208 and later versions, the device supports the FIPS mode that complies with NIST FIPS 140-2
requirements. For more information about FIPS mode, see
Configuring IPsec
IPsec can be implemented based on only ACLs. ACL-based IPsec uses ACLs to identify the data flows to
be protected. To implement ACL-based IPsec, configure IPsec policies, reference ACLs in the policies, and
apply the policies to physical interfaces. By using ACLs, you can customize IPsec policies as needed,
implementing IPsec flexibly.
Implementing ACL-based IPsec
To ensure a successful ACL-based IPsec setup, read the feature restrictions and guidelines carefully before
you configure an ACP-based IPsec tunnel.
Feature restrictions and guidelines
ACL-based IPsec can protect only traffic that is generated by the device and traffic that is destined for the
device. You cannot use an ACL-based IPsec tunnel to protect user traffic. In the ACL that is used to identify
IPsec protected traffic, ACL rules that match traffic forwarded through the device do not take effect. For
example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it
cannot protect traffic that is forwarded by the device for two hosts, even if the host-to-host traffic matches
an ACL permit rule. For more information about configuring an ACL for IPsec, see
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50, respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or IPsec
configured.
ACL-based IPsec configuration task list
The following is the generic configuration procedure for implementing ACL-based IPsec:
1.
Configure ACLs for identifying data flows to be protected.
2.
Configure IPsec transform sets to specify the security protocols, and authentication and encryption
algorithms.
"Configuring
302
FIPS."
"Configuring
ACLs."