R3303-HP 6600/HSR6600 Routers Security Configuration Guide
    IKE security mechanism ... 297
    IKE operation ... 297
    IKE functions ... 298
    Relationship between IKE and IPsec ... 299
    Protocols and standards ... 299
  FIPS compliance ... 299
  IKE configuration task list ... 299
  Configuring a name for the local security gateway ... 300
  Configuring an IKE proposal ... 300
  Configuring an IKE peer ... 301
  Setting keepalive timers ... 304
  Setting the NAT keepalive timer ... 304
  Configuring a DPD detector ... 304
  Disabling next payload field checking ... 305
  Displaying and maintaining IKE ... 305
  IKE configuration examples ... 306
    Configuring main mode IKE with pre-shared key authentication ... 306
    Configuring aggressive mode IKE with NAT traversal ... 310
  Troubleshooting IKE ... 313
    Invalid user ID ... 313
    Proposal mismatch ... 314
    Failing to establish an IPsec tunnel ... 314
    ACL configuration error ... 315
Configuring SSH ... 316
  Overview ... 316
    How SSH works ... 316
    SSH authentication ... 317
    SSH support for MPLS L3VPN ... 318
  FIPS compliance ... 319
  Configuring the device as an SSH server ... 319
    SSH server configuration task list ... 319
    Generating local DSA or RSA key pairs ... 319
    Enabling the SSH server function ... 320
    Enabling the SFTP server function ... 320
    Configuring the user interfaces for SSH clients ... 320
    Configuring a client's host public key ... 321
    Configuring an SSH user ... 322
    Setting the SSH management parameters ... 323
  Configuring the device as an Stelnet client ... 324
    Stelnet client configuration task list ... 324
    Specifying a source IP address or source interface for the Stelnet client ... 325
    Enabling and disabling first-time authentication ... 325
    Establishing a connection to an Stelnet server ... 326
  Configuring the device as an SFTP client ... 327
    SFTP client configuration task list ... 327
    Specifying a source IP address or source interface for the SFTP client ... 327
    Establishing a connection to an SFTP server ... 328
    Working with SFTP directories ... 328
    Working with SFTP files ... 329
    Displaying help information ... 330
    Terminating the connection with the SFTP server ... 330
  Configuring the device as an SCP client ... 330
    SCP client configuration task list ... 331
    Transferring files with an SCP server ... 331










