Manual Versus Signaled Interfaces; Figure 14: Ipsec Security Parameters In Relation To The Secure Ip - Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

Figure 14: IPSec Security Parameters in Relation to the Secure IP Interface

Manual Versus Signaled Interfaces

The router supports both manual and signaled interfaces:

Manual interfaces use a preconfigured set of SA parameters to secure traffic
flowing through a secure IP interface. If a manual secure interface does not have
preconfigured SA parameters, it drops all traffic it receives. The router
keeps statistics for dropped traffic. Both peer security gateways must contain a
manually provisioned manual secure IP tunnel.

Signaled interfaces negotiate an SA on demand with the remote security gateway.
The remote security gateway must also support SA negotiation; otherwise the
gateway drops traffic. Again, the router keeps statistics for dropped traffic.

The router supports SA negotiation within an IKE SA by means of the ISAKMP
and IKE protocols. Only one IKE SA is maintained between a set of local and
remote IKE endpoints. This means that if an IKE SA already exists between the
two endpoints, it is reused.

Secure IP interface parameters can be required, optional, or not applicable, depending
on whether the interface is manual or signaled. Table 10 on page 132 shows how
the other security parameters fit with manual and signaled interfaces.
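
The manual and signaled behavior described above can be traced with a small conceptual model. This is an added example, not JUNOSe code or Juniper's implementation; the class names, fields, SPI value, and documentation-range addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class IkeSaTable:
    """At most one IKE SA per (local, remote) IKE endpoint pair."""
    sas: dict = field(default_factory=dict)
    negotiations: int = 0

    def get_or_negotiate(self, local: str, remote: str) -> str:
        key = (local, remote)
        if key not in self.sas:               # none yet: negotiate once
            self.negotiations += 1
            self.sas[key] = f"ike-sa-{self.negotiations}"
        return self.sas[key]                  # otherwise reuse the existing one

@dataclass
class SecureInterface:                        # hypothetical model of a secure IP interface
    local: str
    remote: str
    signaled: bool
    manual_sa: Optional[dict] = None          # preconfigured SA parameters (manual)
    peer_negotiates: bool = True              # remote gateway supports SA negotiation
    ipsec_sa: Optional[dict] = None           # SA negotiated on demand (signaled)
    dropped: int = 0                          # drop statistics

    def _resolve_sa(self, ike: IkeSaTable) -> Optional[dict]:
        if not self.signaled:
            return self.manual_sa             # manual: preconfigured SA or nothing
        if not self.peer_negotiates:
            return None                       # no negotiation possible with this peer
        if self.ipsec_sa is None:             # first packet triggers negotiation
            self.ipsec_sa = {"ike_sa": ike.get_or_negotiate(self.local, self.remote)}
        return self.ipsec_sa

    def send(self, ike: IkeSaTable) -> bool:
        if self._resolve_sa(ike) is None:
            self.dropped += 1                 # no usable SA: drop and count
            return False
        return True

def demo():
    ike = IkeSaTable()
    gw_a, gw_b = "192.0.2.1", "198.51.100.1"  # constructed documentation addresses
    manual_ok = SecureInterface(gw_a, gw_b, False, manual_sa={"spi": 0x1001})
    manual_bad = SecureInterface(gw_a, gw_b, False)   # nothing preconfigured
    sig1, sig2 = (SecureInterface(gw_a, gw_b, True) for _ in range(2))
    sig_bad = SecureInterface(gw_a, "203.0.113.9", True, peer_negotiates=False)
    results = [i.send(ike) for i in (manual_ok, manual_bad, sig1, sig2, sig_bad)]
    return results, ike.negotiations, sig1.ipsec_sa == sig2.ipsec_sa, manual_bad.dropped
```

In `demo()`, the two signaled interfaces share one endpoint pair, so only one IKE negotiation takes place, and the drop counters are the place to look when a tunnel passes no traffic.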
Chapter 5: Configuring IPSec
131
IPSec Concepts


This manual is also suitable for:

Junose 11.0.x
