Workflow to configure IPsec

Stages
 

1

Provision an ISA tunnel MDA on each participating NE; see Chapter 11, Working with network objects and Chapter 13, Logical group object configuration for information about IPsec equipment configuration.

Use the following steps:

  1. Create or configure ISA-tunnel groups.

  2. Assign the active and backup tunnel group members to the ISA-tunnel groups.


2

Configure an IKE policy; see To configure an IPsec IKE policy.


3

Configure an IPsec transform policy; see To configure an IPsec transform policy.


4

If your network includes shared IPsec transform and IKE policies, configure an IPsec tunnel template; see To configure an IPsec tunnel template.


5

Configure an IPsec security policy; see To configure an IPsec security policy.


6

Configure a RADIUS authentication policy to apply to an IES or VPRN IPsec gateway; see To configure a RADIUS authentication policy.


7

Configure a RADIUS accounting policy to apply to an IES or VPRN IPsec gateway; see To configure a RADIUS accounting policy.


8

Configure a trust anchor profile; see To configure a trust anchor profile.


9

Configure a certificate profile; see To configure a certificate profile.


10 

If you are configuring IPsec on a VPRN, create the private-facing tunnel interface; see To configure a tunnel interface on an IES or VPRN.

Use the following steps:

  1. Create a private IPsec SAP.

  2. Configure ingress and egress policies.


11 

Create the public-facing tunnel interface; see To configure an IES or VPRN IPsec gateway.

Use the following steps:

  1. Create an L3 access interface on an IES or VPRN; see Chapter 78, IES management and Chapter 79, VPRN service management for information about creating L3 access interfaces.

  2. Define the IPsec public SAP for the L3 access interface.

  3. Specify the IPsec gateway, if required, on the NE.


12 

If you are configuring IPsec on a VPRN, create IPsec tunnels on the VPRN tunnel interface; see To configure an IPsec tunnel on a VPRN tunnel interface.


13 

Configure the static route; see To configure a static route on a routing instance.