363
Usage guidelines
The global identity can be used by the device for all IKE SA negotiations. The local identity (set by the
local-identity command) can be used only by the device that uses the IKE profile.
In pre-shared key authentication, you cannot set the DN as the identity.
In signature authentication:
• You can set any type of identity information.
• The ike signature-identity from-certificate command sets the local device to always use the identity
information obtained from the local certificate.
• If the ike signature-identity from-certificate command is not set, the local-identity command
configuration, if configured, takes precedence over the ike identity command configuration.
Examples
# Set the IP address 2.2.2.2 as the identity.
<sysname> system-view
[sysname] ike identity address 2.2.2.2
Related commands
• local-identity
• ike signature-identity from-certificate
ike invalid-spi-recovery enable
Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.
Use undo ike invalid-spi-recovery enable to restore the default.
Syntax
ike invalid-spi-recovery enable
undo ike invalid-spi-recovery enable
Default
SPI recovery is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs). One
peer fails and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it
cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI
invalid notification to the data originator. This notification is sent by using the IKE SA. When no IKE SA
is available, the notification is not sent. The originating peer continues sending the data by using the
IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that
an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the
IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.
To Next Page
Loading...
