254
8. Specify a priority number for the IKE profile. To determine the priority of an IKE profile:
a. First, the device examines the existence of the match local address command. An IKE profile
with the match local address command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority
number has a higher priority.
c. If a tie still exists, the device prefers an IKE profile configured earlier.
To configure an IKE profile:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Create an IKE profile and
enter its view.
ike profile profile-name
By default, no IKE profile is
configured.
3. Configure a peer ID.
match remote { certificate policy-name
| identity { address { { ipv4-address
[ mask | mask-length ] | range
low-ipv4-address high-ipv4-address } |
ipv6 { ipv6-address [ prefix-length ] |
range low-ipv6-address
high-ipv6-address } } [ vpn-instance
vpn-name ] | fqdn fqdn-name |
user-fqdn user-fqdn-name } }
By default, an IKE profile has no
peer ID.
Each of the two peers must have
at least one peer ID configured.
4. Specify the keychain for
pre-shared key
authentication or the PKI
domain used to request a
certificate for digital
signature authentication.
• To specify the keychain for
pre-shared key authentication:
keychain keychain-name
• To specify the PKI domain used to
request a certificate for digital
signature authentication:
certificate domain domain-name
Configure at least one
command as required.
By default, no IKE keychain or
PKI domain is specified for an
IKE profile.
5. Specify the IKE negotiation
mode for phase 1.
• In non-FIPS mode:
exchange-mode { aggressive |
main }
• In FIPS mode:
exchange-mode main
By default, the main mode is
used during IKE negotiation
phase 1.
6. Specify the IKE proposals for
the IKE profile to reference.
proposal proposal-number&<1-6>
By default, an IKE profile
references no IKE proposals
and uses the IKE proposals
configured in system view for
IKE negotiation.
7. Configure the local ID.
local-identity { address { ipv4-address
| ipv6 ipv6-address } | dn | fqdn
[ fqdn-name ] | user-fqdn
[ user-fqdn-name ] }
By default, no local ID is
configured for an IKE profile,
and an IKE profile uses the local
ID configured in system view. If
the local ID is not configured in
system view, the IKE profile uses
the IP address of the interface to
which the IPsec policy or IPsec
policy template is applied as
the local ID.
To Next Page
Loading...
