Configuring IPsec ···· 258
Overview ···· 258
Security association ···· 260
Authentication and encryption ···· 260
IPsec implementation ···· 261
Protocols and standards ···· 262
FIPS compliance ···· 262
IPsec tunnel establishment ···· 262
Implementing ACL-based IPsec ···· 263
Configuring an ACL ···· 264
Configuring IPsec anti-replay ···· 272
Enabling QoS pre-classify ···· 274
Configuration task list ···· 276
IPsec configuration examples ···· 279
Configuring IPsec for RIPng ···· 284
Configuring IKE ···· 288
Overview ···· 288
IKE negotiation process ···· 288
IKE security mechanism ···· 289
Protocols and standards ···· 290
FIPS compliance ···· 290
IKE configuration task list ···· 290
Configuring an IKE profile ···· 291
Configuring an IKE proposal ···· 293
Configuring an IKE keychain ···· 294
Configuring IKE DPD ···· 296
Enabling invalid SPI recovery ···· 297
Displaying and maintaining IKE ···· 298
IKE configuration examples ···· 299
Verifying the configuration ···· 301
Troubleshooting IKE ···· 301