vii
Protocols and standards ····································································································································· 270
FIPS compliance ··························································································································································· 270
Configuring IPsec ························································································································································· 270
Implementing ACL-based IPsec ··································································································································· 270
Feature Restrictions ·············································································································································· 270
ACL-based IPsec configuration task list ············································································································· 271
Configuring ACLs ················································································································································ 271
Configuring an IPsec proposal ·························································································································· 273
Configuring an IPsec policy ······························································································································· 274
Applying an IPsec policy group to an interface ······························································································· 278
Configuring the IPsec session idle timeout ········································································································ 278
Enabling ACL checking of de-encapsulated IPsec packets ············································································· 279
Configuring the IPsec anti-replay function ········································································································ 279
Configuring packet information pre-extraction ································································································ 280
Configuring IPsec for IPv6 routing protocols ············································································································· 280
Displaying and maintaining IPsec ······························································································································ 281
IPsec configuration examples ····································································································································· 281
IKE-based IPsec tunnel for IPv4 packets configuration example ····································································· 281
IPsec for RIPng configuration example ·············································································································· 284
Configuring IKE ······················································································································································· 288
FIPS compliance ··························································································································································· 288
Overview ······································································································································································· 288
IKE security mechanism ······································································································································· 288
IKE operation ······················································································································································· 289
IKE functions ························································································································································· 289
Relationship between IKE and IPsec ·················································································································· 290
Protocols and standards ····································································································································· 290
IKE configuration task list ············································································································································ 290
Configuring a name for the local security gateway ································································································· 291
Configuring an IKE proposal ······································································································································ 291
Configuring an IKE peer ·············································································································································· 292
Setting keepalive timers ··············································································································································· 294
Setting the NAT keepalive timer ································································································································· 294
Configuring a DPD detector ········································································································································ 295
Disabling next payload field checking ······················································································································ 295
Displaying and maintaining IKE ································································································································· 296
IKE configuration example ·········································································································································· 296
Troubleshooting IKE ····················································································································································· 299
Invalid user ID ······················································································································································ 299
Proposal mismatch ·············································································································································· 299
Failing to establish an IPsec tunnel ···················································································································· 300
ACL configuration error ······································································································································ 300
Configuring SSH2.0 ··············································································································································· 301
Overview ······································································································································································· 301
SSH operation ····················································································································································· 301
SSH connection across VPNs ····························································································································· 303
FIPS compliance ··························································································································································· 304
Configuring the switch as an SSH server ·················································································································· 304
SSH server configuration task list ······················································································································ 304
Generating DSA or RSA key pairs ···················································································································· 304
Enabling the SSH server function ······················································································································· 305
Configuring the user interfaces for SSH clients ································································································ 305
Configuring a client public key ·························································································································· 306