IKE configuration prerequisites ··································································································································· 283

IKE configuration task list ············································································································································ 283

Configuring an IKE profile ·········································································································································· 284

Configuring an IKE proposal ······································································································································ 286

Configuring an IKE keychain ······································································································································ 287

Configuring the global identity information ·············································································································· 288

Configuring the IKE keepalive function ······················································································································ 289

Configuring the IKE NAT keepalive function ············································································································ 289

Configuring IKE DPD···················································································································································· 290

Enabling invalid SPI recovery ····································································································································· 291

Setting the maximum number of IKE SAs ··················································································································· 291

Configuring SNMP notifications for IKE ···················································································································· 291

Displaying and maintaining IKE ································································································································· 292

IKE configuration examples ········································································································································ 292

Main mode IKE with pre-shared key authentication configuration example ················································ 292

Verifying the configuration ································································································································· 295

Troubleshooting IKE ····················································································································································· 295

IKE negotiation failed because no matching IKE proposals were found ······················································· 295

IKE negotiation failed because no IKE proposals or IKE keychains are referenced correctly····················· 296

IPsec SA negotiation failed because no matching IPsec transform sets were found ···································· 296

IPsec SA negotiation failed due to invalid identity information ······································································ 297

Configuring SSH ····················································································································································· 300

Overview ······································································································································································· 300

How SSH works ··················································································································································· 300

SSH authentication methods ······························································································································· 301

FIPS compliance ··························································································································································· 302

Configuring the device as an SSH server ·················································································································· 303

SSH server configuration task list ······················································································································ 303

Generating local key pairs ································································································································· 303

Enabling the Stelnet server ································································································································· 304

Enabling the SFTP server ···································································································································· 304

Enabling the SCP server ····································································································································· 305

Configuring NETCONF over SSH ····················································································································· 305

Configuring user lines for SSH login ················································································································· 305

Configuring a client's host public key ··············································································································· 306

Configuring an SSH user ···································································································································· 307

Configuring the SSH management parameters ······························································································· 308

Configuring the device as an Stelnet client ··············································································································· 310

Stelnet client configuration task list ···················································································································· 310

Specifying the source IP address for SSH packets ··························································································· 310

Establishing a connection to an Stelnet server ································································································· 310

Configuring the device as an SFTP client ·················································································································· 312

SFTP client configuration task list ······················································································································· 312

Specifying the source IP address for SFTP packets ·························································································· 312

Establishing a connection to an SFTP server ···································································································· 312

Working with SFTP directories ··························································································································· 314

Working with SFTP files ······································································································································ 314

Displaying help information ······························································································································· 314

Terminating the connection with the SFTP server ····························································································· 315

Configuring the device as an SCP client ··················································································································· 315

Displaying and maintaining SSH ······························································································································· 317

Stelnet configuration examples ··································································································································· 317

Password authentication enabled Stelnet server configuration example ······················································ 317

Publickey authentication enabled Stelnet server configuration example ······················································· 320

vii