Configuring IPsec

CAUTION:
If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different queues, causing packets to be sent out of order. When IPsec anti-replay is enabled, IPsec will drop the incoming packets that are out of the anti-replay window, resulting in packet loss.
IPsec traffic classification rules are determined by the referenced ACL rules. For information about QoS classification rules, see ACL and QoS Configuration Guide.

Overview

IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptographically-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.

IPsec is a security framework that comprises a set of protocols, including Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and algorithms for authentication and encryption. AH and ESP are security protocols that provide security services. IKE performs automatic key exchange.

IPsec provides the following security services for data packets in the IP layer:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet, protecting the packets from being eavesdropped en route.
• Data integrity—The receiver verifies the packets received from the sender to make sure they are not tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets and drops outdated and duplicate packets.

IPsec delivers the following benefits:
• Reduced key negotiation overhead and simplified maintenance by supporting the IKE protocol. IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.
• Good compatibility. You can apply IPsec to all IP-based application systems and services without modifying them.
• Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility and greatly enhances IP security.
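The caution above (QoS reordering plus anti-replay leading to packet loss) and the anti-replay service in the overview are easier to reason about with the receiver's sliding window in front of you. The following is an added example, not code from this configuration guide or from the device's implementation: a Python model of the RFC 4303 anti-replay window (64 sequence numbers wide, the minimum many implementations use) and a deliberately simplified strict-priority QoS scheduler. The scheduler, the burst lengths and the idea that one packet of an SA lands in a different queue because an ACL rule did not match are all assumptions constructed for illustration; the window logic itself follows the RFC.

```python
"""Model of the IPsec anti-replay sliding window (RFC 4303, Appendix A) and of
how per-queue QoS scheduling can push a packet outside that window.
Added example; not part of the configuration guide or any vendor code."""

from typing import List, Tuple


class AntiReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers.

    window_size is the number of sequence numbers the receiver tolerates
    behind the highest one accepted so far. RFC 4303 requires at least 32
    and recommends 64 as the default; larger windows tolerate more reordering.
    """

    def __init__(self, window_size: int = 64):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = window_size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if the packet is accepted (and recorded), False if dropped.

        The RFC performs this check after integrity verification succeeds;
        the window is only advanced for authenticated packets.
        """
        if seq == 0:
            return False   # the first packet on an SA uses sequence number 1
        if seq > self.top:
            # New right edge: slide the window forward and record this packet.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False   # older than the left edge of the window: "outdated"
        if (self.bitmap >> diff) & 1:
            return False   # already received: replay or duplicate
        self.bitmap |= 1 << diff
        return True


def deliver(window: AntiReplayWindow, arrival_order: List[int]) -> Tuple[List[int], List[int]]:
    """Feed packets to the window in arrival order; return (accepted, dropped)."""
    accepted, dropped = [], []
    for seq in arrival_order:
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


def strict_priority_schedule(packets: List[Tuple[int, str]]) -> List[int]:
    """Simplified strict-priority scheduler (assumption, not a real scheduler).

    The 'low' queue is served only when the 'high' queue is empty. For a
    burst that arrives back-to-back, every high-priority packet leaves the
    interface before any low-priority one, so a low-priority packet is
    delayed by the whole burst.
    """
    high = [seq for seq, queue in packets if queue == "high"]
    low = [seq for seq, queue in packets if queue == "low"]
    return high + low


def run_scenario(burst_len: int, misclassified_seq: int, window_size: int = 64):
    """One SA sends sequence numbers 1..burst_len. All packets match the
    high-priority QoS rule except misclassified_seq, which (constructed
    scenario) falls into the low-priority queue because the QoS ACL did not
    match the IPsec ACL. Returns (accepted, dropped) as seen by the receiver."""
    packets = [(s, "low" if s == misclassified_seq else "high")
               for s in range(1, burst_len + 1)]
    order = strict_priority_schedule(packets)
    return deliver(AntiReplayWindow(window_size), order)


if __name__ == "__main__":
    # Short burst: seq 5 arrives after seq 45, 40 behind the top, still inside
    # a 64-wide window, so it is accepted.
    print("burst 45:", run_scenario(45, 5)[1])      # dropped: []
    # Long burst: seq 5 arrives after seq 120, 115 behind the top, outside the
    # window, so anti-replay drops it even though it is a legitimate packet.
    print("burst 120:", run_scenario(120, 5)[1])    # dropped: [5]
```

The point the caution makes is visible in the two runs: reordering is harmless while the delayed packet lands within the window, and becomes silent loss once the QoS queue holds it back further than the window width. Aligning the QoS classification with the IPsec ACL (so all packets of one SA share a queue) removes the reordering; enlarging the anti-replay window only raises the threshold at which the loss starts.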