Step Command Remarks
group24 | group5 | group19 | group20 } *
In FIPS mode:
dh { group14 | group19 | group20 } *

Configuring an IKEv2 keychain 
An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation. 
An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an 
asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host 
name, IP address or address range, or ID). 
An IKEv2 negotiation initiator uses the peer host name or IP address/address range as the matching 
criterion to search for a peer. A responder uses the peer host IP address/address range or ID as the 
matching criterion to search for a peer. 
To configure an IKEv2 keychain: 
 
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKEv2 keychain and enter IKEv2 keychain view.
    Command: ikev2 keychain keychain-name
    Remarks: By default, no IKEv2 keychains exist.

Step 3. Create an IKEv2 peer and enter IKEv2 peer view.
    Command: peer name
    Remarks: By default, no IKEv2 peers exist.

Step 4. Configure the information for identifying the IKEv2 peer.
    Command:
    •  To configure a host name for the peer:
       hostname host-name
    •  To configure a host IP address or address range for the peer:
       address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
    •  To configure an ID for the peer:
       identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string }
    Remarks: By default, no hostname, host IP address, address range, or identity information is configured for an IKEv2 peer. You must configure different IP addresses/address ranges for different peers.

Step 5. Configure a pre-shared key for the peer.
    Command: pre-shared-key [ local | remote ] { ciphertext | plaintext } string
    Remarks: By default, an IKEv2 peer does not have a pre-shared key.
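
The procedure above leaves two things easy to miss in review: peers still at their defaults (no identifier, no key) and two peers that resolve to the same address range even though one is written with a mask and the other with a mask length. The following Python audit is an added example, not part of the original guide or of any vendor tooling. The indented configuration layout, the peer names, and the function names are assumptions, and reporting merely overlapping (not identical) ranges is a stricter check than the guide's wording.

```python
import ipaddress

# Constructed sample config (not from the guide); names and key strings are placeholders.
SAMPLE = """\
ikev2 keychain kc1
 peer branch-a
  address 192.0.2.0 255.255.255.0
  pre-shared-key ciphertext PLACEHOLDER
 peer branch-b
  address 192.0.2.0 24
  pre-shared-key local plaintext PLACEHOLDER
 peer branch-c
  hostname branch-c.example.com
"""

def parse_keychain(text):
    """Map each peer name to its address range, identifier flag and key flag."""
    peers, cur = {}, None
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 2 or (cur is None and tok[0] != "peer"):
            continue
        if tok[0] == "peer":
            cur = peers.setdefault(tok[1], {"net": None, "ident": False, "psk": False})
        elif tok[0] == "address":
            # IPv4: address [mask | mask-length]; IPv6: "ipv6" address [prefix-length]
            args = tok[2:4] if tok[1] == "ipv6" else tok[1:3]
            cur["net"] = ipaddress.ip_network("/".join(args), strict=False)
            cur["ident"] = True
        elif tok[0] in ("hostname", "identity"):
            cur["ident"] = True
        elif tok[0] == "pre-shared-key":
            cur["psk"] = True
    return peers

def audit(peers):
    """Return (peer, finding) pairs for unset defaults and the address uniqueness rule."""
    out = []
    for name, p in peers.items():
        if not p["ident"]:
            out.append((name, "no hostname, address or identity configured"))
        if not p["psk"]:
            out.append((name, "no pre-shared key configured"))
    nets = [(n, p["net"]) for n, p in peers.items() if p["net"] is not None]
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.version == nb.version and na.overlaps(nb):
                kind = "same" if na == nb else "overlapping"  # overlap: added, stricter check
                out.append((b, f"{kind} address range as peer {a}"))
    return out
```

Calling `audit(parse_keychain(SAMPLE))` reports branch-c as lacking a pre-shared key and branch-b as using the same range as branch-a.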