[Contents] [Prev] [Next] [Index] [Report an Error]

Considering General IPSec Issues

Before you configure IPSec, it is helpful to understand some general guidelines.



Table 38: Comparison of IPSec Configuration Statements and
Operational Mode Commands for the AS PIC and ES PIC
AS PIC Statements and Commands
ES PIC Statements and Commands
Configuration Mode Statements

[edit service-set name]

[edit services ipsec-vpn ike]

  • policy {...}
  • proposal {...}

[edit security ike]

  • policy {...}
  • proposal {...}

[edit services ipsec-vpn ipsec]

  • policy {...}
  • proposal {...}

[edit security ipsec]

  • policy {...}
  • proposal {...}

[edit services ipsec-vpn rule rule-name]

  • remote-gateway address

[edit interface es-fpc/pic/port]

  • tunnel destination address

[edit services ipsec-vpn rule rule-name term term-name]

  • from match-conditions {...}
    then dynamic {...}
  • from match-conditions {...}
    then manual {...}

[edit security ipsec]

  • security-association name dynamic {...}
  • security-association name manual {...}

[edit services ipsec-vpn rule-set]

[edit services service-set ipsec-vpn]

  • local-gateway address

[edit interface es-fpc/pic/port]

  • tunnel source address
Operational Mode Commands

clear security pki ca-certificate

clear security pki certificate-request

clear security pki local-certificate

clear services ipsec-vpn certificates

request security pki ca-certificate enroll

request security certificate (unsigned)

request security pki ca-certificate load

request system certificate add

request security pki generate-certificate-request

request security pki generate-key-pair

request security key-pair

request security pki local-certificate enroll

request security certificate (signed)

request security pki local-certificate load

request system certificate add

show security pki ca-certificate

show system certificate

show security pki certificate-request

show security pki local-certificate

show system certificate

show services ipsec-vpn certificates

show ipsec certificates

show services ipsec-vpn ike security-associations

show ike security-associations

show services ipsec-vpn ipsec security-associations

show ipsec security-associations


NOTE: Keep in mind the following limitations of IPSec services on the AS PIC:

  • The AS PIC does not transport packets containing IPv4 options across IPSec tunnels. If you try to send packets containing IP options across an IPSec tunnel, the packets are dropped. Also, if you issue a ping command with the record-route option across an IPSec tunnel, the ping fails.
  • The AS PIC does not transport packets containing the following IPv6 options across IPSec tunnels: hop-by-hop, destination (Type 1 and 2), and routing. If you try to send packets containing these IPv6 options across an IPSec tunnel, the packets are dropped.
  • Destination class usage is not supported with IPSec services on the AS PIC.

[Contents] [Prev] [Next] [Index] [Report an Error]