You configure secure peering for the selected optimization policy in the Secure Peering (IPSEC) page.

Enabling IPsec encryption makes it difficult for a third party to view your data or pose as a computer you expect to receive data from. To enable IPsec, you must specify at least one encryption and authentication algorithm. Only optimized data is protected, pass-through traffic isn’t.

RiOS doesn’t support IPsec over IPv6.

In RiOS 9.0 and later, IPsec secure peering and the secure transport service are mutually exclusive. The secure transport service is enabled by default. Before you enable IPsec secure peering, you must disable the secure transport service by entering the no stp-client enable command at the system prompt.

You must set IPsec support on each peer SteelHead in your network for which you want to establish a secure connection. You must also specify a shared secret on each peer SteelHead.

If you NAT traffic between SteelHeads, you can’t use the IPsec channel between the SteelHeads because the NAT changes the packet headers, causing IPsec to reject them.

For details about secure peering, see the SteelHead User Guide.

The Secure Peering (IPSEC) page contains these groups of settings:

These configuration options are available:

Enables authentication between appliance. By default, this option is disabled.

Enables additional security by renegotiating keys at specified intervals. If one key is compromised, subsequent keys are secure because they’re not derived from previous keys. By default, this option is enabled.

Specifies the Internet Key Exchange (IKE) encryption policy:

Internet Key Exchange (IKE) is the protocol that ensures a secure, authenticated communications channel between two peers.

Specifies the IKE authentication policy:

Specifies one of these Encapsulating Security Payload (ESP) encryption methods from the drop-down list:

Optionally, select an algorithm from the method 2, 3, 4, or 5 drop-down lists to create a prioritized list of encryption policies for negotiating between peers.

Peer appliances must both have a valid Enhanced Cryptography License Key installed to use 3DES, AES, or AES256. When an appliance has the valid Enhanced Cryptography License Key installed and an IPsec encryption level is set to 3DES or AES, and a peer SCC doesn’t have a valid Enhanced Cryptography License Key installed, the appliances uses the highest encryption level set on the appliance without the key.

Specifies one of these ESP authentication methods from the drop-down list:

Optionally, select an algorithm from the method 2 drop-down list to create a secondary policy for negotiating the authentication method to use between peers. If the first authentication policy negotiation fails, the peer appliances use the secondary policy to negotiate authentication

Specifies the number of minutes between quick-mode renegotiation of keys using the Internet Key Exchange (IKE) protocol.

IKE uses public key cryptography to provide the secure transmission of a secret key to a recipient so that the encrypted data can be decrypted at the other end. The default value is 240 minutes.

Specifies the IKE authentication mode:

Specifies the shared secret. All the appliances in a network for that you want to use IPsec must have the same shared secret.

Confirms the shared secret.

Displays the controls to add a new secure peer.

Specifies the IP address for the peer appliance (in-path interface) for which you want to make a secure connection.

For WinSec Controller communication, the SteelHead typically uses the primary interface, not in-path interface.

Adds the peer specified in the Peer IP Address text box. If a connection hasn’t been established between the two appliances that are configured to use IPsec security, the peers list doesn’t display the peer appliance status as mature.

Adding a peer causes a short service disruption (3-4 seconds) to the peer that’s configured to use IPsec security.