Juniper IP Services Configuration Guide v11.1.x (JunosE): RFC 2401 Compliance; IPSec Protocol Stack; Figure 12: IPSec Tunneling Stack
Chapter 5: Configuring IPSec
Secure IP interfaces are a logical representation of a secure connection between two
security endpoints, one of which is the local system. The remote endpoint can be
another security gateway or a host.

RFC 2401 Compliance

RFC 2401 states that a security policy database (SPD) must exist for each physical
interface in the router, and an administrator must configure these SPDs to determine
which traffic must be IPSec-protected, not IPSec-protected, or denied. The ERX router
does not support a systemwide SPD. Instead, the router takes advantage of routing
policies that are applied to physical interfaces to describe which traffic to forward to
a single IPSec tunnel, which traffic to discard, and so on. The router also applies
IPSec selectors to traffic going into or coming out of a secure tunnel so that unwanted
traffic is not allowed inside the tunnel. Supported selectors include IP addresses,
subnets, and IP address ranges. An implementation that strictly follows RFC 2401
requires a separate IPSec tunnel for each SPD entry.
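As an added illustration of the selector check described above (example code, not the ERX router's own implementation), the following Python models one tunnel's local and remote selectors in the three supported forms (single address, subnet, address range) and applies them to traffic entering and leaving the tunnel. The class names, the "in"/"out" direction labels and the sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Selector:
    """One selector in any of the three supported forms: address, subnet, range."""

    def __init__(self, spec: str):
        if "-" in spec:  # "a.b.c.d-e.f.g.h": inclusive address range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            self._match = lambda a: a.version == lo.version and lo <= a <= hi
        else:  # "a.b.c.d" (single address) or "a.b.c.d/nn" (subnet)
            net = ipaddress.ip_network(spec, strict=False)
            self._match = lambda a: a in net

    def matches(self, addr: str) -> bool:
        return self._match(ipaddress.ip_address(addr))


class TunnelSelectors:
    """Local and remote selectors of one tunnel, enforced in both directions."""

    def __init__(self, local: str, remote: str):
        self.local, self.remote = Selector(local), Selector(remote)

    def permits(self, pkt: Packet, direction: str) -> bool:
        if direction == "out":  # cleartext entering the tunnel: local -> remote
            return self.local.matches(pkt.src) and self.remote.matches(pkt.dst)
        if direction == "in":  # decapsulated traffic leaving it: remote -> local
            return self.remote.matches(pkt.src) and self.local.matches(pkt.dst)
        raise ValueError(f"unknown direction {direction!r}")


def filter_tunnel_traffic(tunnel: TunnelSelectors, packets, direction: str):
    """Split packets into (forwarded, discarded) as the selector check would."""
    forwarded = [p for p in packets if tunnel.permits(p, direction)]
    return forwarded, [p for p in packets if p not in forwarded]


# Constructed sample: tunnel between a local subnet and a remote address range.
TUNNEL = TunnelSelectors(local="10.1.0.0/24", remote="192.168.5.10-192.168.5.20")
INBOUND = [Packet("192.168.5.15", "10.1.0.7"),  # both selectors match: forwarded
           Packet("192.168.5.15", "10.9.9.9"),  # destination outside local selector
           Packet("172.16.0.1", "10.1.0.7")]    # source outside remote selector
```

The inbound check is the one that keeps a peer from pushing traffic for addresses outside the agreed selectors through an established tunnel; the outbound check decides which cleartext is eligible for the tunnel at all.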

IPSec Protocol Stack

Figure 12 on page 129 shows the protocol stack on a client, an IPSec gateway, and a
server. In the figure, HTTP and TCP are examples of higher-level protocols involved
in the end-to-end communication; other end-to-end communication protocols are
also supported. The layers where the data can be encrypted are shown in gray.

Figure 12: IPSec Tunneling Stack

Figure 13 on page 130 shows the packet encapsulation for IPSec tunneling.
129
IPSec Concepts
