R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
IPsec for IPv6 routing protocols
IPsec RRI
IPsec stateful failover
Protocols and standards
IPsec implementation
Configuring ACL-based IPsec in the web interface
Configuration considerations
Recommended configuration procedure
Configuring ACLs
Configuring an IPsec proposal
Configuring an IPsec policy template
Configuring an IPsec policy
Applying an IPsec policy group
Displaying IPsec SAs
Displaying packet statistics
Configuring ACL-based IPsec at the CLI
Configuration task list
Configuring ACLs
Configuring an IPsec proposal
Configuring a manual IPsec policy
Configuring an IPsec policy that uses IKE
Applying an IPsec policy group to an interface
Enabling the encryption engine
Enabling ACL checking of de-encapsulated IPsec packets
Configuring the IPsec anti-replay function
Configuring packet information pre-extraction
Enabling invalid SPI recovery
Configuring IPsec RRI
Configuring tunnel interface-based IPsec
Configuration task list
Configuring an IPsec profile
Configuring an IPsec tunnel interface
Enabling packet information pre-extraction on the IPsec tunnel interface
Applying a QoS policy to an IPsec tunnel interface
Configuring IPsec for IPv6 routing protocols
Configuring IPsec stateful failover
Configuration prerequisites
Configuration procedure
Displaying and maintaining IPsec
IPsec configuration examples
Manual mode IPsec tunnel for IPv4 packets configuration example in the web interface
Manual mode IPsec tunnel for IPv4 packets configuration example at the CLI
IKE-based IPsec tunnel for IPv4 packets configuration example
IPsec with IPsec tunnel interfaces configuration example
IPsec for RIPng configuration example
IPsec RRI configuration example
IPsec stateful failover configuration example
IPsec configuration guidelines
IPSec VPN configuration wizard
IPSec VPN configuration wizard overview
Configuring an IPsec VPN
Launching the IPsec VPN policy configuration wizard
Configuring a center node
Configuring a branch node