254
IPsec packet header for de-encapsulation. If the de-encapsulated packet matches the permit rule of the
ACL, the device processes the packet. Otherwise, it drops the packet.
The device supports the following data flow protection modes:
•
Standard mode
—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule
is protected by one IPsec tunnel that is established solely for it.
•
Aggregation mode
—One IPsec tunnel protects all data flows permitted by all the rules of an ACL.
This mode is only used to communicate with old-version devices.
•
Per-host mode
—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is
identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode
consumes more system resources when multiple data flows exist between two subnets to be
protected.
Application-based IPsec
This IPsec implementation method does not require an ACL. All packets of the application bound to an
IPsec profile are encapsulated with IPsec, and all packets of the applications that are not bound with
IPsec and the IPsec packets that failed to be de-encapsulated are dropped.
You can use IPsec to protect an IPv6 routing protocol by using this method. The supported IPv6 routing
protocols include RIPng.
In one-to-many communication scenarios, you must configure the IPsec SAs for an IPv6 routing protocol
in manual mode because of the following reasons:
•
The automatic key exchange mechanism is used only to protect communications between two
points. In one-to-many communication scenarios, automatic key exchange cannot be implemented.
•
One-to-many communication scenarios require that all the devices use the same SA parameters (SPI
and key) to receive and send packets. IKE negotiated SAs cannot meet this requirement.
Protocols and standards
•
RFC 2401,
Security Architecture for the Internet Protocol
•
RFC 2402,
IP Authentication Header
•
RFC 2406,
IP Encapsulating Security Payload
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see "
") and non-FIPS mode.
IPsec tunnel establishment
IPsec tunnels can be established in different methods. Choose a correct method to establish IPsec tunnels
according to your network conditions:
•
ACL-based IPsec tunnel
—Protects packets identified by an ACL. To establish an ACL-based IPsec
tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to an
interface (see "
"). The IPsec tunnel establishment steps are the same
in an IPv4 network and in an IPv6 network.