Failed to export certificates
Configuring IPsec
Overview
Security association
Authentication and encryption
IPsec implementation
IPsec RRI
Protocols and standards
FIPS compliance
IPsec tunnel establishment
Implementing ACL-based IPsec
Configuring an ACL
Configuring IPsec anti-replay
Enabling QoS pre-classify
Configuring IPsec RRI
Configuration task list
IPsec configuration examples
Configuring IPsec for RIPng
Configuring IKE
Overview
IKE negotiation process
IKE security mechanism
Protocols and standards
FIPS compliance
IKE configuration task list
Configuring an IKE profile
Configuring an IKE proposal
Configuring an IKE keychain
Configuring IKE DPD
Enabling invalid SPI recovery
Displaying and maintaining IKE
IKE configuration examples