HP MSR2000/3000/4000 Router Series Security Configuration Guide
Configuring IKE ... 179
  Overview ... 179
    IKE negotiation process ... 179
    IKE security mechanism ... 180
    Protocols and standards ... 181
  IKE configuration prerequisites ... 181
  IKE configuration task list ... 181
  Configuring an IKE profile ... 182
  Configuring an IKE proposal ... 184
  Configuring an IKE keychain ... 185
  Configuring the global identity information ... 186
  Configuring the IKE keepalive function ... 187
  Configuring the IKE NAT keepalive function ... 187
  Configuring IKE DPD ... 188
  Enabling invalid SPI recovery ... 188
  Setting the maximum number of IKE SAs ... 189
  Configuring SNMP notifications for IKE ... 189
  Displaying and maintaining IKE ... 190
  IKE configuration examples ... 190
    Main mode IKE with pre-shared key authentication configuration example ... 190
    Aggressive mode with RSA signature authentication configuration example ... 194
    Aggressive mode with NAT traversal configuration example ... 201
  Troubleshooting IKE ... 205
    IKE negotiation failed because no matching IKE proposals were found ... 205
    IKE negotiation failed due to malformed payload ... 206
    IPsec SA negotiation failed because no matching IPsec transform sets were found ... 206
    IPsec SA negotiation failed due to invalid identity information ... 207
Configuring SSH ... 210
  Overview ... 210
    How SSH works ... 210
    SSH authentication methods ... 211
  FIPS compliance ... 212
  Configuring the device as an SSH server ... 212
    SSH server configuration task list ... 212
    Generating local DSA or RSA key pairs ... 212
    Enabling the SSH server function ... 213
    Enabling the SFTP server function ... 213
    Configuring the user lines for SSH clients ... 214
    Configuring a client's host public key ... 214
    Configuring an SSH user ... 215
    Setting the SSH management parameters ... 216
  Configuring the device as an Stelnet client ... 217
    Stelnet client configuration task list ... 217
    Specifying a source IP address or source interface for the Stelnet client ... 218
    Establishing a connection to an Stelnet server ... 218
  Configuring the device as an SFTP client ... 220
    SFTP client configuration task list ... 220
    Specifying a source IP address or source interface for the SFTP client ... 220
    Establishing a connection to an SFTP server ... 220
    Working with SFTP directories ... 223
    Working with SFTP files ... 223
    Displaying help information ... 223
    Terminating the connection with the SFTP server ... 224
  Configuring the device as an SCP client ... 224