R3303-HP HSR6800 Routers Security Configuration Guide

Protocols and standards
FIPS compliance
IKE configuration task list
Configuring a name for the local security gateway
Configuring an IKE proposal
Configuring an IKE peer
Setting keepalive timers
Setting the NAT keepalive timer
Configuring a DPD detector
Disabling next payload field checking
Displaying and maintaining IKE
IKE configuration examples
Configuring main mode IKE with pre-shared key authentication
Configuring aggressive mode IKE with NAT traversal
Troubleshooting IKE
Invalid user ID
Proposal mismatch
Failing to establish an IPsec tunnel
ACL configuration error
Configuring SSH
Overview
How SSH works
SSH authentication
SSH support for MPLS L3VPN
FIPS compliance
Configuring the device as an SSH server
SSH server configuration task list
Generating local DSA or RSA key pairs
Enabling the SSH server function
Enabling the SFTP server function
Configuring the user interfaces for SSH clients
Configuring a client's host public key
Configuring an SSH user
Setting the SSH management parameters
Configuring the device as an Stelnet client
Stelnet client configuration task list
Specifying a source IP address or source interface for the Stelnet client
Enabling and disabling first-time authentication
Establishing a connection to an Stelnet server
Configuring the device as an SFTP client
SFTP client configuration task list
Specifying a source IP address or source interface for the SFTP client
Establishing a connection to an SFTP server
Working with SFTP directories
Working with SFTP files
Displaying help information
Terminating the connection with the SFTP server
Configuring the device as an SCP client
SCP client configuration task list
Transferring files with an SCP server
Displaying and maintaining SSH
Stelnet configuration examples
Password authentication enabled Stelnet server configuration example
Publickey authentication enabled Stelnet server configuration example