IPsec encryption helps secure data communication between peer SteelHeads by making it difficult for third parties to intercept or impersonate trusted devices. Only optimized traffic is encrypted—pass-through traffic is not.

To enable IPsec, you must choose at least one encryption and one authentication algorithm. This feature is optional and does not support IPv6.

Starting with RiOS 9.0, IPsec secure peering and the secure transport service cannot be used at the same time. Since secure transport is enabled by default, you must disable it before turning on IPsec by running the no stp-client enable command.

Each SteelHead that will use IPsec must have IPsec enabled individually and must share the same secret key with its peers.

If there is NAT traffic between SteelHeads, IPsec cannot be used because NAT modifies packet headers, which causes IPsec to reject the traffic.

For information on SSL peering beyond standard HTTPS, see About secure peers.