H3C S5500-EI Series Security Configuration Manual page 15


    Protocols and standards ... 283
  FIPS compliance ... 283
  Configuring IPsec ... 283
  Implementing ACL-based IPsec ... 283
    Feature restrictions and guidelines ... 284
    ACL-based IPsec configuration task list ... 284
    Configuring ACLs ... 284
    Configuring an IPsec proposal ... 286
    Configuring an IPsec policy ... 287
    Applying an IPsec policy group to an interface ... 291
    Configuring the IPsec session idle timeout ... 291
    Enabling ACL checking of de-encapsulated IPsec packets ... 292
    Configuring the IPsec anti-replay function ... 292
    Configuring packet information pre-extraction ... 293
  Configuring IPsec for IPv6 routing protocols ... 293
  Displaying and maintaining IPsec ... 294
  IPsec configuration examples ... 294
    IKE-based IPsec tunnel for IPv4 packets configuration example ... 294
    IPsec for RIPng configuration example ... 297
Configuring IKE ... 301
  Overview ... 301
    IKE security mechanism ... 301
    IKE operation ... 301
    IKE functions ... 302
    Relationship between IKE and IPsec ... 303
    Protocols and standards ... 303
  IKE configuration task list ... 303
  Configuring a name for the local security gateway ... 304
  Configuring an IKE proposal ... 304
  Configuring an IKE peer ... 305
  Setting keepalive timers ... 307
  Setting the NAT keepalive timer ... 307
  Configuring a DPD detector ... 308
  Disabling next payload field checking ... 308
  Displaying and maintaining IKE ... 309
  IKE configuration example ... 309
  Troubleshooting IKE ... 312
    Invalid user ID ... 312
    Proposal mismatch ... 312
    Failing to establish an IPsec tunnel ... 313
    ACL configuration error ... 313
Configuring SSH2.0 ... 314
  Overview ... 314
    SSH operation ... 314
    SSH connection across VPNs (Available only on the S5500-EI series) ... 316
  FIPS compliance ... 317
  Configuring the switch as an SSH server ... 317
    SSH server configuration task list ... 317
    Generating DSA or RSA key pairs ... 317
    Enabling the SSH server function ... 318
    Configuring the user interfaces for SSH clients ... 318
    Configuring a client public key ... 319
    Configuring an SSH user ... 320

This manual is also suitable for:

S5500-si series
