Protocols and standards
FIPS compliance
Configuring IPsec
Implementing ACL-based IPsec
Configuring ACLs
Configuring an IPsec proposal
Configuring an IPsec policy
Displaying and maintaining IPsec
IPsec configuration examples
Configuring IKE
Overview
IKE security mechanism
IKE operation
IKE functions
Protocols and standards
IKE configuration task list
Configuring an IKE proposal
Configuring an IKE peer
Setting keepalive timers
Setting the NAT keepalive timer
Configuring a DPD detector
Displaying and maintaining IKE
IKE configuration example
Troubleshooting IKE
Invalid user ID
Proposal mismatch
ACL configuration error
Configuring SSH2.0
Overview
SSH operation
FIPS compliance
Configuring a client public key
Configuring an SSH user