HP FlexFabric 5700 series User Manual

HP FlexFabric 5700 series
460 pages
| Tasks at a glance | Remarks |
|---|---|
| (Optional.) Configuring an IKE proposal | Required when the IKE profile needs to reference IKE proposals. |
| (Optional.) Configuring an IKE keychain | Required when pre-shared authentication is used in IKE negotiation phase 1. |
| (Optional.) Configuring the global identity information | N/A |
| (Optional.) Configuring the IKE keepalive function | N/A |
| (Optional.) Configuring the IKE NAT keepalive function | N/A |
| (Optional.) Configuring IKE DPD | N/A |
| (Optional.) Enabling invalid SPI recovery | N/A |
| (Optional.) Setting the maximum number of IKE SAs | N/A |
| (Optional.) Configuring SNMP notifications for IKE | N/A |

Configuring an IKE profile
An IKE profile is intended to provide a set of parameters for IKE negotiation. To configure an IKE profile,
you can do the following:
1. Configure peer IDs. When an end needs to select an IKE profile, it compares the received peer ID
with the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the matching
peer ID for IKE negotiation.
2. Configure the IKE keychain or PKI domain for the IKE proposals to use:
   - To use digital signature authentication, configure a PKI domain.
   - To use pre-shared key authentication, configure an IKE keychain.
3. Specify the negotiation mode (main or aggressive) that the device uses as the initiator. When the
device acts as the responder, it uses the IKE negotiation mode of the initiator.
4. Specify the IKE proposals that the device can use as the initiator. An IKE proposal specified
earlier has a higher priority. When the device acts as the responder, it uses the IKE proposals
configured in system view to match the IKE proposals received from the initiator. If a match is not
found, the negotiation fails.
5. Configure the local ID, the ID that the device uses to identify itself to the peer during IKE
negotiation:
   - For digital signature authentication, the device can use any type of ID. If the local ID is an IP
     address that is different from the IP address in the local certificate, the device uses the FQDN
     (the device name configured by using the sysname command) instead.
   - For pre-shared key authentication, the device can use any type of ID other than the DN.
6. Configure the IKE DPD function to detect dead IKE peers. You can also configure this function in
system view. The IKE DPD settings configured in the IKE profile take precedence over those
configured in system view.
7. Specify a local interface or IP address for the IKE profile so the profile can be applied only to the
specified interface or IP address. For this task, specify the local address configured in IPsec policy
or IPsec policy template view (using the local-address command). If no local address is configured,
specify the IP address of the interface that references the IPsec policy.
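
The seven steps above, walked through as one IKE profile for pre-shared key authentication. This is an added example, not text from the manual. The names profile1 and keychain1, proposal numbers 10 and 20, and the addresses 192.0.2.1 (local) and 198.51.100.2 (peer) are constructed values, and the example assumes the keychain and both proposals already exist in system view.

```comware
# Enter system view and create the IKE profile (constructed name: profile1).
<Sysname> system-view
[Sysname] ike profile profile1

# Step 1: peer ID. The profile is selected when the received peer ID matches.
[Sysname-ike-profile-profile1] match remote identity address 198.51.100.2 255.255.255.255

# Step 2: pre-shared key authentication, so reference an IKE keychain.
# For digital signature authentication, reference a PKI domain instead
# (certificate domain <domain-name>).
[Sysname-ike-profile-profile1] keychain keychain1

# Step 3: negotiation mode used when this device is the initiator.
# As the responder, the device follows the initiator's mode.
[Sysname-ike-profile-profile1] exchange-mode main

# Step 4: proposals offered as the initiator. Proposal 10 is listed first,
# so it has a higher priority than proposal 20.
[Sysname-ike-profile-profile1] proposal 10 20

# Step 5: local ID. With a pre-shared key, any ID type other than the DN is allowed.
[Sysname-ike-profile-profile1] local-identity address 192.0.2.1

# Step 6: DPD for this profile. These settings take precedence over the
# DPD settings configured in system view.
[Sysname-ike-profile-profile1] dpd interval 10 retry 5 on-demand

# Step 7: restrict the profile to the local address, which must be the same
# address set with local-address in the IPsec policy (or, if none is set,
# the IP address of the interface that references the IPsec policy).
[Sysname-ike-profile-profile1] match local address 192.0.2.1
[Sysname-ike-profile-profile1] quit
```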


HP FlexFabric 5700 series Specifications

General
Layer Support: L2/L3
Routing Protocol: OSPF, BGP, RIP, IS-IS, Static Routing
Remote Management Protocol: SNMP, CLI, Web
Features: VXLAN
Compliant Standards: IEEE 802.1D, 802.1Q, 802.1w, 802.1s, 802.3ad
Operating Temperature: 0°C to 45°C
Operating Humidity: 10% to 90% (non-condensing)
VLANs: 4K