
HPE FlexFabric 5940 SERIES

571 pages
Step Command Remarks
feature.
Configuring an IKEv2 policy
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP
address of the local security gateway as the matching criterion.
If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of
the local security gateway. If no IKEv2 policy uses the IP address or the policy is using an
incomplete proposal, the IKE_SA_INIT exchange fails.
If no IKEv2 policy is configured, IKEv2 uses the system default IKEv2 policy default.
The device matches IKEv2 policies in the descending order of their priorities. To determine the
priority of an IKEv2 policy:
1. First, the device examines the existence of the match local address command. An IKEv2
policy with the match local address command configured has a higher priority.
2. If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority
number has a higher priority.
3. If a tie still exists, the device prefers an IKEv2 policy configured earlier.
To configure an IKEv2 policy:
Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IKEv2 policy and enter IKEv2 policy view.
   Command: ikev2 policy policy-name
   Remarks: By default, an IKEv2 policy named default exists.
3. Specify the local interface or address used for IKEv2 policy matching.
   Command: match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }
   Remarks: By default, no local interface or address is used for IKEv2 policy matching, and the policy matches any local interface or address.
4. Specify a VPN instance for IKEv2 policy matching.
   Command: match vrf { name vrf-name | any }
   Remarks: By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches all local addresses in the public network.
5. Specify an IKEv2 proposal for the IKEv2 policy.
   Command: proposal proposal-name
   Remarks: By default, no IKEv2 proposal is specified for an IKEv2 policy.
6. Specify a priority for the IKEv2 policy.
   Command: priority priority
   Remarks: By default, the priority of an IKEv2 policy is 100.
Configuring an IKEv2 proposal
An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the
encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm
specified earlier has a higher priority.
A complete IKEv2 proposal must have at least one set of security parameters, including one
encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a
higher priority.
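
The policy matching order and the proposal completeness rule described above can be modeled in a few lines. This is an added example, not HPE code or device behavior captured from a switch; the class names, policy names, algorithm strings and addresses are constructed for illustration. It does not model match vrf or the system default policy, and it assumes that the first matching policy is final, so a policy with no proposal or an incomplete one fails the exchange.

```python
# Added illustration of the matching rules in this section; not HPE code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Proposal:
    encryption: list = field(default_factory=list)
    integrity: list = field(default_factory=list)
    prf: list = field(default_factory=list)
    dh_group: list = field(default_factory=list)

    def complete(self) -> bool:
        # Complete = at least one algorithm of each of the four types.
        return all([self.encryption, self.integrity, self.prf, self.dh_group])

@dataclass
class Policy:
    name: str
    seq: int                             # configuration order, smaller = earlier
    local_address: Optional[str] = None  # None: matches any local address
    priority: int = 100                  # default priority
    proposals: list = field(default_factory=list)

def ordered(policies):
    # 1) "match local address" configured, 2) smaller priority number,
    # 3) configured earlier.
    return sorted(policies, key=lambda p: (p.local_address is None, p.priority, p.seq))

def select_policy(policies, local_ip):
    """Return the policy used for IKE_SA_INIT, or None when the exchange fails."""
    for p in ordered(policies):
        if p.local_address in (None, local_ip):
            # Assumption: the first match is final; no proposal or an
            # incomplete one fails the exchange instead of falling through.
            ok = bool(p.proposals) and all(x.complete() for x in p.proposals)
            return p if ok else None
    return None  # no policy uses this local address

# Constructed sample data (documentation addresses, hypothetical names).
GOOD = Proposal(["aes-cbc-256"], ["sha256"], ["sha256"], ["group14"])
NO_DH = Proposal(["aes-cbc-256"], ["sha256"], ["sha256"], [])
SAMPLE = [
    Policy("any-low", 1, None, 1, [GOOD]),
    Policy("gw1", 2, "192.0.2.1", 200, [GOOD]),
    Policy("gw1-late", 3, "192.0.2.1", 200, [GOOD]),
    Policy("gw2", 4, "192.0.2.2", 50, [NO_DH]),
]
```

In the sample, the catch-all policy with priority 1 still sorts last because it has no match local address, and the gateway at 192.0.2.2 fails negotiation because its matched policy references a proposal with no DH group.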
