Managing public keys
Overview
Configuring IPsec
Overview
Basic concepts
IPsec RRI
Protocols and standards
Implementing IPsec
Implementing ACL-based IPsec
Configuring an ACL
Configuring an IPsec proposal
Configuring an IPsec policy
Enabling invalid SPI recovery
Configuring IPsec RRI
Displaying and maintaining IPsec
IPsec configuration examples
Configuring IPsec for RIPng
Configuring IPsec RRI
Configuring IKE
Overview
IKE security mechanism
IKE operation
IKE functions
Protocols and standards
IKE configuration task list
Configuring an IKE proposal
Configuring an IKE peer
Setting keepalive timers
Setting the NAT keepalive timer
Configuring a DPD detector
Displaying and maintaining IKE