vii
Configuring IPsec ···················································································································································· 270
Overview ······································································································································································· 270
Basic concepts ····················································································································································· 270
IPsec for IPv6 routing protocols ·························································································································· 273
Protocols and standards ····································································································································· 273
FIPS compliance ··························································································································································· 273
Configuring IPsec ························································································································································· 273
Implementing ACL-based IPsec ··································································································································· 273
Feature restrictions and guidelines ···················································································································· 273
ACL-based IPsec configuration task list ············································································································· 274
Configuring ACLs ················································································································································ 274
Configuring an IPsec proposal ·························································································································· 276
Configuring an IPsec policy ······························································································································· 277
Applying an IPsec policy group to an interface ······························································································· 281
Configuring the IPsec session idle timeout ········································································································ 281
Enabling ACL checking of de-encapsulated IPsec packets ············································································· 282
Configuring the IPsec anti-replay function ········································································································ 282
Configuring packet information pre-extraction ································································································ 283
Configuring IPsec for IPv6 routing protocols ············································································································· 283
Displaying and maintaining IPsec ······························································································································ 284
IPsec configuration examples······································································································································ 285
IKE-based IPsec tunnel for IPv4 packets configuration example ····································································· 285
IPsec for RIPng configuration example ·············································································································· 287
Configuring IKE ······················································································································································· 291
Overview ······································································································································································· 291
IKE security mechanism ······································································································································· 291
IKE operation ······················································································································································· 291
IKE functions ························································································································································· 292
Relationship between IKE and IPsec ·················································································································· 293
Protocols and standards ····································································································································· 293
IKE configuration task list ············································································································································ 293
Configuring a name for the local security gateway ································································································· 294
Configuring an IKE proposal ······································································································································ 294
Configuring an IKE peer ·············································································································································· 295
Setting keepalive timers ··············································································································································· 297
Setting the NAT keepalive timer ································································································································· 297
Configuring a DPD detector ········································································································································ 298
Disabling next payload field checking ······················································································································ 298
Displaying and maintaining IKE ································································································································· 299
IKE configuration example ·········································································································································· 299
Troubleshooting IKE ····················································································································································· 302
Invalid user ID ······················································································································································ 302
Proposal mismatch ·············································································································································· 302
Failing to establish an IPsec tunnel ···················································································································· 303
ACL configuration error ······································································································································ 303
Configuring SSH2.0 ··············································································································································· 304
Overview ······································································································································································· 304
SSH operation ····················································································································································· 304
SSH connection across VPNs ····························································································································· 306
FIPS compliance ··························································································································································· 307
Configuring the switch as an SSH server ·················································································································· 307
SSH server configuration task list ······················································································································ 307
Generating local key pairs ································································································································· 307
To Next Page
Loading...
