Protocols and standards
Protocols and standards relevant to IPsec are as follows:
RFC 2401, Security Architecture for the Internet Protocol
•
RFC 2402, IP Authentication Header
•
RFC 2406, IP Encapsulating Security Payload
•
Configuring IPsec
IPsec can be implemented based on only ACLs. ACL-based IPsec uses ACLs to identify the data flows to
be protected. To implement ACL-based IPsec, configure IPsec policies, reference ACLs in the policies, and
apply the policies to physical interfaces. By using ACLs, you can customize IPsec policies as needed,
implementing IPsec flexibly.
Implementing ACL-based IPsec
ACL-based IPsec can be used to protect the data flow between the local device and the peer end of the
IPsec tunnel, rather than the forwarded data flow.
Feature Restrictions
The device provides IPsec protection only for traffic that is generated by the device and traffic that is
destined for the device. You cannot use IPsec to protect user traffic. In the ACL that is used to identify IPsec
protected traffic, ACL rules that match traffic forwarded through the device do not take effect. For
example, an IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect
traffic that is forwarded by the device for two hosts, even if the host-to-host traffic matches an ACL permit
rule. For more information about configuring an ACL for IPsec, see
ACL-based IPsec configuration task list
The following is the generic configuration procedure for implementing ACL-based IPsec:
Configure ACLs for identifying data flows to be protected.
1.
Configure IPsec proposals to specify the security protocols, authentication and encryption
2.
algorithms, and encapsulation mode.
Configure IPsec policies to associate data flows with IPsec proposals and specify the SA
3.
negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required
keys, and the SA lifetime.
Apply the IPsec policies to interfaces to finish IPsec configuration.
4.
To configure ACL-based IPsec:
Task
Configuring ACLs
Configuring an IPsec proposal
Configuring an IPsec policy
Applying an IPsec policy group to an interface
227
"Configuring
ACLs."
Remarks
Required.
Basic IPsec configuration.