Conguring the IKEv2 Prole
An IKE prole is used in phase two of an initial exchange to determine the authentication prole to be applied for an incoming IKE
session. During a session, it also determines the choice of local identier.
An IKE session has the following criteria:
• Unique IKE prole, set of local-IP address, and remote-IP address.
• Applies parameters to an incoming IPsec connection that is uniquely identied through its match identity criteria.
These IKE prole criteria are based on the IKE identity that is presented by incoming IKE connections, and includes the IP address, fully
qualied domain name (FQDN), and other identities. Once the IKE prole is chosen, it can be used to protect single or all VRF.
For an outgoing connection, the IKE prole is chosen based on the IPsec-Prole used by VTI. The IKE policy will be selected based on
the local IP-address.
The following rules apply to match statements:
• An IKEv2 prole must contain an identity to match; otherwise, the prole is considered incomplete and is not used. An IKEv2
prole can have more than one match identity.
• An IKEv2 VRF will match with the VTI Base VRF.
• When a prole is selected, multiple match statements of the same type are logically ORed, and multiple match statements of
dierent types are logically ANDed.
• Conguration of overlapping proles is considered a misconguration. In the case of multiple prole matches, the rst prole will
be selected.
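The selection rules above (incomplete profile is skipped, same-type match identities ORed, different-type match identities ANDed, first match wins on overlap) are small enough to model directly. The following Python is an added illustration written for this page, not Brocade NetIron code; the profile representation, the identity types, the sample profiles and the overlap check are constructed assumptions. The overlap check goes slightly beyond the text: it reports every pair of complete profiles for which some presented identity could satisfy both, which is the condition the page calls a misconfiguration.

```python
"""Model of IKEv2 profile selection rules (added example, not vendor code).

Rules taken from the page:
  * a profile with no match identity is incomplete and is never used;
  * match statements of the same type are ORed, different types are ANDed;
  * overlapping profiles are a misconfiguration; the first profile wins.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Identity types the page lists for local/remote identifiers (assumed set).
IDENTITY_TYPES = ("address", "dn", "fqdn", "key-id", "email")


@dataclass
class Ikev2Profile:
    name: str
    # (identity-type, value) pairs: a hypothetical representation of the
    # profile's match-identity statements, in configuration order.
    match_identities: List[Tuple[str, str]] = field(default_factory=list)

    def is_complete(self) -> bool:
        # No match identity at all -> incomplete, never selected.
        return bool(self.match_identities)

    def grouped(self) -> Dict[str, Set[str]]:
        # Group values by identity type so OR-within-type is a set lookup.
        groups: Dict[str, Set[str]] = {}
        for kind, value in self.match_identities:
            if kind not in IDENTITY_TYPES:
                raise ValueError(f"unknown identity type {kind!r}")
            groups.setdefault(kind, set()).add(value)
        return groups

    def matches(self, presented: Dict[str, str]) -> bool:
        """presented maps identity-type -> value seen on the incoming connection."""
        if not self.is_complete():
            return False
        # AND across types; within one type the presented value only has to
        # be one of the configured values (OR).
        return all(presented.get(kind) in values
                   for kind, values in self.grouped().items())


def select_profile(profiles: List[Ikev2Profile],
                   presented: Dict[str, str]) -> Optional[str]:
    """Return the name of the first matching profile, or None."""
    for profile in profiles:          # configuration order
        if profile.matches(presented):
            return profile.name
    return None


def overlapping_profiles(profiles: List[Ikev2Profile]) -> List[Tuple[str, str]]:
    """Pairs of complete profiles that a single presented identity could both match."""
    overlaps = []
    complete = [p for p in profiles if p.is_complete()]
    for i, a in enumerate(complete):
        ga = a.grouped()
        for b in complete[i + 1:]:
            gb = b.grouped()
            shared = set(ga) & set(gb)
            # Types present in only one profile never prevent an overlap; every
            # type present in both must share at least one value.
            if all(ga[k] & gb[k] for k in shared):
                overlaps.append((a.name, b.name))
    return overlaps


# Constructed sample configuration (not from the page). branch-a and branch-b
# both accept peer address 192.0.2.11, so they overlap.
SAMPLE_PROFILES = [
    Ikev2Profile("branch-a", [("address", "192.0.2.10"), ("address", "192.0.2.11")]),
    Ikev2Profile("branch-b", [("fqdn", "rtr1.example.com"), ("address", "192.0.2.11")]),
    Ikev2Profile("branch-c", [("address", "198.51.100.7")]),
    Ikev2Profile("incomplete", []),
]

if __name__ == "__main__":
    print(select_profile(SAMPLE_PROFILES, {"address": "192.0.2.11"}))
    print(select_profile(SAMPLE_PROFILES, {"fqdn": "rtr1.example.com"}))
    print(overlapping_profiles(SAMPLE_PROFILES))
```

Running the module shows that a peer presenting only address 192.0.2.11 lands on branch-a even though branch-b also lists that address (first match wins), that an FQDN alone is not enough for branch-b because its address statement is ANDed in, and that the overlap check flags the branch-a/branch-b pair as the misconfiguration to resolve.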
IKEv2 options and descriptions

ikev2 profile <name>
    Defines an IKEv2 profile name and enters IKEv2 profile configuration mode.

description <description>
    (Optional) Description text for this profile.

authentication <authentication-proposal-name>
    Authentication proposal to be used with this IKE profile.

local-identifier { address <ipv4-address> | dn <dn-string> | fqdn <fqdn-string> | key-id <key-id-string> | email <email-string> }
    (Optional) Local system ID to be sent in the ID payload during negotiation. Allowed formats of this entry are as follows:
    • address is an IPv4 address.
    • dn is a distinguished name.
    • fqdn is a fully qualified domain name. For example, router1.example.com.
    • email is an e-mail ID. For example, test@test.com.
    • key-id is a key ID.

remote-identifier { address <ipv4-address> | dn <dn-string> | fqdn <fqdn-string> | key-id <key-id-string> | email <email-string> }
    (Optional) Remote system ID that we want to communicate with. Allowed formats of this entry are as follows:
    • address is an IPv4 address.
    • dn is a distinguished name.
    • fqdn is a fully qualified domain name. For example, router1.example.com.
    • email is an e-mail ID. For example, test@test.com.
    • key-id is a key ID.

keepalive <seconds>
    (Optional) Interval, in seconds, between the IKE Notify messages sent to query peer liveness and thus detect a
    dead peer. Keepalive is enabled by default with a default value of 30 seconds. The range is 0-3600 seconds; 0
    means that keepalive is not enabled.

lifetime <minutes>
    (Optional) IKE SA lifetime in minutes. The default is 24 hours (1440 minutes). The range is 10-1440 minutes.

responder-only
    (Optional) In responder-only mode, this host acts as the responder and does not initiate negotiation or rekeying.
    Otherwise, this host acts as initiator; negotiation starts when the IKE peer is reachable. By default the router behaves
    as both initiator and responder.
Router modules
Brocade NetIron MLXe Series Hardware Installation Guide
50 53-1004203-04