IPsec tunnel establishment
CAUTION: Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. Make sure traffic of these protocols is not denied on the interfaces where IKE or IPsec is configured.
IPsec tunnels can be established by different methods. Choose the method that suits your network conditions:
ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, specify an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network.
Tunnel interface-based IPsec tunnel—Protects packets routed to the tunnel interface. To establish a tunnel interface-based IPsec tunnel, configure an IPsec profile and apply the IPsec profile to the tunnel interface (see "Configuring IPsec for tunnels"). This IPsec implementation simplifies IPsec VPN configuration and management, and improves the scalability of large VPN networks.
Application-based IPsec tunnel—Protects the packets of an application. This method can be used to protect IPv6 routing protocols. It does not require an ACL. For information about IPv6 routing protocol protection, see "Configuring IPsec for IPv6 routing protocols."
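The CAUTION at the top of this section can be checked mechanically before IKE or IPsec is enabled on an interface. The following Python code is an added example, not vendor code: the `Rule` model, the first-match evaluation and the `default_action` parameter are assumptions about a generic ordered packet filter rather than this device's ACL syntax, and the sample rules are constructed.

```python
"""First-match check that an ordered packet filter does not deny IKE, ESP or AH."""
from dataclasses import dataclass
from typing import Optional

# Traffic named in the CAUTION: IKE on UDP port 500, ESP = protocol 50, AH = protocol 51.
UDP = 17
IPSEC_FLOWS = {"IKE": (UDP, 500), "ESP": (50, None), "AH": (51, None)}


@dataclass
class Rule:
    """Hypothetical rule model (assumption, not the device's ACL syntax)."""
    action: str                      # "permit" or "deny"
    protocol: Optional[int] = None   # IP protocol number; None matches any protocol
    dst_port: Optional[int] = None   # destination port; None matches any port

    def matches(self, protocol: int, dst_port: Optional[int]) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def denied_ipsec_flows(rules, default_action="deny"):
    """Return the names of the IPsec flows that the ordered rule list would drop.

    default_action is what happens when no rule matches; it differs between
    platforms, so it is a parameter here (assumption).
    """
    denied = []
    for name, (protocol, port) in IPSEC_FLOWS.items():
        action = default_action
        for rule in rules:            # first matching rule decides
            if rule.matches(protocol, port):
                action = rule.action
                break
        if action == "deny":
            denied.append(name)
    return denied


# Constructed sample: ESP is permitted, nothing permits AH, and a deny for
# all UDP sits above the IKE permit, so the IKE permit is never reached.
SAMPLE_RULES = [
    Rule("permit", protocol=50),
    Rule("deny", protocol=UDP),
    Rule("permit", protocol=UDP, dst_port=500),
]

if __name__ == "__main__":
    print(denied_ipsec_flows(SAMPLE_RULES))
```

The sample shows the two common failure modes: a flow with no permit at all, and a permit shadowed by an earlier, broader deny.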