HPE FlexFabric 7900 Series Security Configuration Manual page 6

IKE negotiation failed because no matching IKE proposals were found ······································· 153
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ·············· 153
IPsec SA negotiation failed because no matching IPsec transform sets were found ······················· 154
IPsec SA negotiation failed due to invalid identity information ··················································· 154
Configuring IKEv2 ········································································ 158
Overview ······························································································································ 158
IKEv2 negotiation process ································································································· 158
New features in IKEv2 ······································································································ 159
Protocols and standards ··································································································· 159
IKEv2 configuration task list ····································································································· 159
Configuring an IKEv2 profile ····································································································· 160
Configuring an IKEv2 policy ····································································································· 163
Configuring an IKEv2 proposal ·································································································· 163
Configuring an IKEv2 keychain ································································································· 165
Configure global IKEv2 parameters ···························································································· 166
Enabling the cookie challenging feature ··············································································· 166
Configuring the IKEv2 DPD feature ····················································································· 166
Configuring the IKEv2 NAT keepalive feature ········································································ 166
Displaying and maintaining IKEv2 ······························································································ 167
IKEv2 configuration examples ··································································································· 167
IKEv2 with pre-shared key authentication configuration example ··············································· 167
IKEv2 with RSA signature authentication configuration example ················································ 170
Troubleshooting IKEv2 ············································································································ 175
IKEv2 negotiation failed because no matching IKEv2 proposals were found ································· 175
IPsec SA negotiation failed because no matching IPsec transform sets were found ······················· 175
IPsec tunnel establishment failed ························································································ 175
Configuring SSH ·········································································· 177
Overview ······························································································································ 177
How SSH works ·············································································································· 177
SSH authentication methods ······························································································ 178
SSH support for Suite B ···································································································· 179
FIPS compliance···················································································································· 180
Configuring the device as an SSH server ···················································································· 180
SSH server configuration task list ······················································································· 180
Generating local key pairs ································································································· 180
Enabling the Stelnet server ································································································ 181
Enabling the SFTP server ································································································· 181
Enabling the SCP server ··································································································· 182
Enabling NETCONF over SSH ··························································································· 182
Configuring user lines for SSH login ···················································································· 182
Configuring a client's host public key ··················································································· 183
Configuring an SSH user ·································································································· 184
Setting the SSH management parameters ············································································ 185
Specifying a PKI domain for the SSH server ·········································································· 186
Configuring the device as an Stelnet client ·················································································· 187
Stelnet client configuration task list ······················································································ 187
Specifying the source IP address for SSH packets ································································· 187
Establishing a connection to an Stelnet server ······································································· 187
Establishing a connection to an Stelnet server based on Suite B ··············································· 189
Configuring the device as an SFTP client ···················································································· 189
SFTP client configuration task list ······················································································· 189
Specifying the source IP address for SFTP packets ································································ 189
Establishing a connection to an SFTP server ········································································· 190
Establishing a connection to an SFTP server based on Suite B ················································· 192
Working with SFTP directories ··························································································· 192
Working with SFTP files ···································································································· 193
Displaying help information ································································································ 193
Terminating the connection with the SFTP server ··································································· 193
Configuring the device as an SCP client ····················································································· 193
Establishing a connection to an SCP server ·········································································· 193
iv