R0106-HP MSR Router Series Security Configuration Guide(V7)

  FIPS compliance
  Security strength
  IKE configuration prerequisites
  IKE configuration task list
  Configuring an IKE profile
  Configuring an IKE proposal
  Configuring an IKE keychain
  Configuring the global identity information
  Configuring the IKE keepalive function
  Configuring the IKE NAT keepalive function
  Configuring IKE DPD
  Enabling invalid SPI recovery
  Setting the maximum number of IKE SAs
  Configuring SNMP notifications for IKE
  Displaying and maintaining IKE
  IKE configuration examples
    Main mode IKE with pre-shared key authentication configuration example
    Aggressive mode with RSA signature authentication configuration example
    Aggressive mode with NAT traversal configuration example
  Troubleshooting IKE
    IKE negotiation failed because no matching IKE proposals were found
    IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly
    IPsec SA negotiation failed because no matching IPsec transform sets were found
    IPsec SA negotiation failed due to invalid identity information

Configuring SSH
  Overview
    How SSH works
    SSH authentication methods
  FIPS compliance
  Security strength
  Configuring the device as an SSH server
    SSH server configuration task list
    Generating local DSA or RSA key pairs
    Enabling the SSH server function
    Enabling the SFTP server function
    Configuring the user lines for Stelnet clients
    Configuring a client's host public key
    Configuring an SSH user
    Setting the SSH management parameters
  Configuring the device as an Stelnet client
    Stelnet client configuration task list
    Specifying the source IP address for SSH packets
    Establishing a connection to an Stelnet server
  Configuring the device as an SFTP client
    SFTP client configuration task list
    Specifying the source IP address for SFTP packets
    Establishing a connection to an SFTP server
    Working with SFTP directories
    Working with SFTP files
    Displaying help information
    Terminating the connection with the SFTP server
  Configuring the device as an SCP client
  Displaying and maintaining SSH
  Stelnet configuration examples