PKI configuration examples ········································································································································· 230

Requesting a certificate from an RSA Keon CA server ···················································································· 230

Requesting a certificate from a Windows Server 2003 CA server ······························································· 233

Requesting a certificate from an OpenCA server ···························································································· 236

Certificate import and export configuration example ····················································································· 240

Troubleshooting PKI configuration ······························································································································ 245

Failed to obtain the CA certificate ····················································································································· 245

Failed to obtain local certificates ······················································································································· 245

Failed to request local certificates ····················································································································· 246

Failed to obtain CRLs ·········································································································································· 247

Failed to import the CA certificate ····················································································································· 248

Failed to import a local certificate ····················································································································· 248

Failed to export certificates ································································································································ 249

Failed to set the storage path ····························································································································· 249

Configuring IPsec ···················································································································································· 250

Overview ······································································································································································· 250

Security protocols and encapsulation modes ··································································································· 251

Security association ············································································································································· 252

Authentication and encryption ··························································································································· 253

IPsec implementation ··········································································································································· 253

Protocols and standards ····································································································································· 254

FIPS compliance ··························································································································································· 254

IPsec tunnel establishment ··········································································································································· 254

Implementing ACL-based IPsec ··································································································································· 255

Feature restrictions and guidelines ···················································································································· 255

ACL-based IPsec configuration task list ············································································································· 255

Configuring an ACL ············································································································································ 256

Configuring an IPsec transform set ···················································································································· 257

Configuring a manual IPsec policy···················································································································· 258

Configuring an IKE-based IPsec policy ············································································································· 260

Applying an IPsec policy to an interface ·········································································································· 264

Enabling ACL checking for de-encapsulated packets ······················································································ 264

Configuring the IPsec anti-replay function ········································································································ 265

Configuring IPsec anti-replay redundancy ········································································································ 266

Binding a source interface to an IPsec policy ·································································································· 266

Enabling QoS pre-classify ·································································································································· 267

Enabling logging of IPsec packets ····················································································································· 268

Configuring the DF bit of IPsec packets ············································································································ 268

Configuring IPsec for IPv6 routing protocols ············································································································· 269

Configuration task list ········································································································································· 269

Configuring a manual IPsec profile ··················································································································· 269

Configuring SNMP notifications for IPsec ················································································································· 270

Displaying and maintaining IPsec ······························································································································ 271

IPsec configuration examples······································································································································ 272

Configuring a manual mode IPsec tunnel for IPv4 packets ············································································ 272

Configuring an IKE-based IPsec tunnel for IPv4 packets ················································································· 274

Configuring IPsec for RIPng ································································································································ 277

Configuring IKE ······················································································································································· 281

IKE negotiation process ······································································································································ 281

IKE security mechanism ······································································································································· 282