375
low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn
user-fqdn-name } }
Default
No peer ID is configured for IKE profile matching.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile
matching. The policy-name argument is a string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKE profile matching. The specified information
is configured on the peer by using the local-identity command.
• address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address
as the peer ID for IKE profile matching. The mask-length argument is in the range of 0 to 32.
• address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID
for IKE profile matching. The end address must be higher than the start address.
• address ipv6 ipv6-address [ prefix-length ] : Uses an IPv6 host address or an IPv6 subnet address
as the peer ID for IKE profile matching. The prefix-length argument is in the range of 0 to 128.
• address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the
peer ID for IKE profile matching. The end address must be higher than the start address.
• fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name
argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
• user-fqdn user-fqdn-name: Uses the peer's user FQDN as the peer ID for IKE profile matching. The
user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as adc@test.com.
vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the specified address or addresses
belong. The vpn-name argument is a case-sensitive string of 1 to 31 characters. If the address or
addresses belong to the public network, do not specify this option.
Usage guidelines
When an end needs to select an IKE profile, it matches the peer's ID received against the peer IDs of its
local IKE profiles. If a match is found, it uses the IKE profile with the peer ID for IKE negotiation.
Each IKE profile must have at least one peer ID configured.
To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or
more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is
selected for IKE negotiation is unpredictable.
For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.
Examples
# Create IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Configure a peer ID with the identity type of FQDN and the value of www.test.com.
[Sysname-ike-profile-prof1] match remote identity fqdn www.test.com
To Next Page
Loading...
Need help?
General
