Configuring IPsec
Overview
Basic concepts
Protocols and standards
FIPS compliance
Configuring IPsec
Implementing ACL-based IPsec
Configuring ACLs
Configuring an IPsec proposal
Configuring an IPsec policy
Displaying and maintaining IPsec
IPsec configuration examples
Configuring IKE
Overview
IKE security mechanism
IKE operation
IKE functions
Protocols and standards
IKE configuration task list
Configuring an IKE proposal
Configuring an IKE peer
Setting keepalive timers
Setting the NAT keepalive timer
Configuring a DPD detector
Displaying and maintaining IKE
IKE configuration example
Troubleshooting IKE
Invalid user ID
Proposal mismatch
ACL configuration error
Configuring SSH2.0
Overview
SSH operation
SSH connection across VPNs
FIPS compliance
Generating local key pairs