257
3. You can specify a priority number for the IKE keychain. To determine the priority of an IKE
keychain:
a. The device examines the existence of the match local address command. An IKE keychain with
the match local address command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority
number has a higher priority.
c. If a tie still exists, the device prefers an IKE keychain configured earlier.
To configure the IKE keychain:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Create an IKE keychain and
enter its view.
ike keychain keychain-name
[ vpn-instance vpn-name ]
By default, no IKE keychain
exists.
3. Configure a pre-shared key
(Release 2307 and Release
2310).
pre-shared-key { address
{ ipv4-address [ mask | mask-length ] |
ipv6 ipv6-address [ prefix-length ] } |
hostname host-name } key { cipher
cipher-key | simple simple-key }
By default, no pre-shared key is
configured.
For security purposes, all
pre-shared keys, including those
configured in plain text, are
saved in cipher text to the
configuration file.
4. Configure a pre-shared key
(Release 2311P04 and later
versions).
• In non-FIPS mode:
pre-shared-key { address
{ ipv4-address [ mask |
mask-length ] | ipv6 ipv6-address
[ prefix-length ] } | hostname
host-name } key { cipher cipher-key
| simple simple-key }
• In FIPS mode:
pre-shared-key { address
{ ipv4-address [ mask |
mask-length ] | ipv6 ipv6-address
[ prefix-length ] } | hostname
host-name } key [ cipher
cipher-key ]
By default, no pre-shared key is
configured.
For security purposes, all
pre-shared keys, including those
configured in plain text, are
saved in cipher text to the
configuration file.
5. (Optional.) Specify a local
interface or IP address to
which the IKE keychain can
be applied.
match local address { interface-type
interface-number | { ipv4-address |
ipv6 ipv6-address } [ vpn-instance
vpn-name ] }
By default, an IKE keychain can
be applied to any local interface
or IP address.
6. (Optional.) Specify a
priority for the IKE keychain.
priority number The default priority is 100.
Configuring the global identity information
Follow these guidelines when you configure the global identity information for the local IKE:
• The global identity can be used by the device for all IKE SA negotiations, and the local identity (set
by the local-identity command) can be used only by the device that uses the IKE profile.
• When signature authentication is used, you can set any type of the identity information.
To Next Page
Loading...
Need help?
General
