R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide
vi
        Verifying PKI certificates with CRL checking  234
        Verifying PKI certificates without CRL checking  235
    Destroying the local RSA key pair  235
    Removing a certificate  235
    Configuring an access control policy  236
    Displaying and maintaining PKI  236
    PKI configuration examples  237
        Certificate request from an RSA Keon CA server  237
        Certificate request from a Windows 2003 CA server  240
        IKE negotiation with RSA digital signature  243
        Certificate access control policy configuration  245
    Troubleshooting PKI  247
        Failed to obtain a CA certificate  247
        Failed to request a local certificate  247
        Failed to obtain CRLs  248
Configuring IPsec  249
    Overview  249
        Basic concepts  249
        IPsec tunnel interface  252
        IPsec for IPv6 routing protocols  253
        IPsec RRI  253
        Protocols and standards  254
    FIPS compliance  254
    Implementing IPsec  254
    Implementing ACL-based IPsec  255
        Configuring an ACL  255
        Configuring an IPsec transform set  258
        Configuring an IPsec policy  259
        Applying an IPsec policy group to an interface  265
        Enabling the encryption engine  265
        Enabling ACL checking of de-encapsulated IPsec packets  266
        Configuring the IPsec anti-replay function  266
        Configuring packet information pre-extraction  267
        Enabling invalid SPI recovery  267
        Configuring IPsec RRI  268
        Enabling IPsec packet fragmentation before/after encryption  269
    Implementing tunnel interface-based IPsec  270
        Configuring an IPsec profile  270
        Configuring an IPsec tunnel interface  272
        Enabling packet information pre-extraction on the IPsec tunnel interface  274
        Applying a QoS policy to an IPsec tunnel interface  274
    Configuring IPsec for IPv6 routing protocols  275
    Displaying and maintaining IPsec  275
    IPsec configuration examples  276
        Configuring a manual mode IPsec tunnel for IPv4 packets  276
        Configuring an IKE-based IPsec tunnel for IPv4 packets  278
        Configuring an IKE-based IPsec tunnel for IPv6 packets  280
        Configuring IPsec with IPsec tunnel interfaces  282
        Configuring IPsec for RIPng  286
        Configuring IPsec RRI  290
Configuring IKE  294
    Overview  294
        IKE security mechanism  294