Configuring a manual IPsec profile ··················································································································· 238

Configuring SNMP notifications for IPsec ················································································································· 240

Displaying and maintaining IPsec ······························································································································ 240

IPsec configuration examples······································································································································ 241

Configuring a manual mode IPsec tunnel for IPv4 packets ············································································ 241

Configuring an IKE-based IPsec tunnel for IPv4 packets ················································································· 243

Configuring IPsec for RIPng ································································································································ 246

Configuring IKE ······················································································································································· 250

Overview ······································································································································································· 250

IKE negotiation process ······································································································································ 250

IKE security mechanism ······································································································································· 251

Protocols and standards ····································································································································· 252

FIPS compliance ··························································································································································· 252

IKE configuration prerequisites ··································································································································· 252

IKE configuration task list ············································································································································ 252

Configuring an IKE profile ·········································································································································· 253

Configuring an IKE proposal ······································································································································ 255

Configuring an IKE keychain ······································································································································ 256

Configuring the global identity information ·············································································································· 257

Configuring the IKE keepalive function ······················································································································ 258

Configuring the IKE NAT keepalive function ············································································································ 259

Configuring IKE DPD···················································································································································· 259

Enabling invalid SPI recovery ····································································································································· 260

Setting the maximum number of IKE SAs ··················································································································· 260

Configuring SNMP notifications for IKE ···················································································································· 261

Displaying and maintaining IKE ································································································································· 261

IKE configuration examples ········································································································································ 262

Main mode IKE with pre-shared key authentication configuration example ················································ 262

Verifying the configuration ································································································································· 264

Troubleshooting IKE ····················································································································································· 264

IKE negotiation failed because no matching IKE proposals were found ······················································· 264

IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly····················· 265

IPsec SA negotiation failed because no matching IPsec transform sets were found ···································· 266

IPsec SA negotiation failed due to invalid identity information ······································································ 266

Configuring SSH ····················································································································································· 269

How SSH works ··················································································································································· 269

SSH authentication methods ······························································································································· 270

Configuring the device as an SSH server ·················································································································· 272

SSH server configuration task list ······················································································································ 272

Generating local key pairs ································································································································· 272

Enabling the SSH server function ······················································································································· 273

Enabling the SFTP server function ······················································································································ 274

Configuring NETCONF over SSH ····················································································································· 274

Configuring the user lines for SSH login ··········································································································· 274

Configuring a client's host public key ··············································································································· 275

Configuring an SSH user ···································································································································· 276

Setting the SSH management parameters ········································································································ 277

Configuring the device as an Stelnet client ··············································································································· 278

Stelnet client configuration task list ···················································································································· 278

Specifying the source IP address for SSH packets ··························································································· 279

Establishing a connection to an Stelnet server ································································································· 279