
HPE FlexNetwork 5510 HI Series Security Configuration Guide

551 pages
IKEv2 configuration task list
Determine the following parameters prior to IKEv2 configuration:
• The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms,
integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide
different levels of protection. A stronger algorithm means better resistance to decryption of
protected data but requires more resources. Typically, the longer the key, the stronger the
algorithm.
• The local and remote identity authentication methods.
  ◦ To use the pre-shared key authentication method, you must determine the pre-shared key.
  ◦ To use the RSA digital signature authentication method, you must determine the PKI
    domain for the local end to use. For information about PKI, see "Configuring PKI."
To configure IKEv2, perform the following tasks:
| Tasks at a glance | Remarks |
|---|---|
| (Required.) Configuring an IKEv2 profile | N/A |
| (Required.) Configuring an IKEv2 policy | N/A |
| (Optional.) Configuring an IKEv2 proposal | If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal. |
| Configuring an IKEv2 keychain | Required when either end or both ends use the pre-shared key authentication method. |
| Configure global IKEv2 parameters: (Optional.) Enabling the cookie challenging feature; (Optional.) Configuring the IKEv2 DPD feature; (Optional.) Configuring the IKEv2 NAT keepalive feature | The cookie challenging feature takes effect only on IKEv2 responders. |
Configuring an IKEv2 profile
An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an
IKEv2 profile, perform the following tasks:
1. Specify the local and remote identity authentication methods.
The local and remote identity authentication methods must both be specified and they can be
different. You can specify only one local identity authentication method and multiple remote
identity authentication methods.
2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:
  ◦ To use digital signature authentication, configure a PKI domain.
  ◦ To use pre-shared key authentication, configure an IKEv2 keychain.
3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2
negotiation:
  ◦ For digital signature authentication, the device can use an ID of any type. If the local ID is an
    IP address that is different from the IP address in the local certificate, the device uses the
    FQDN as the local ID. The FQDN is the device name configured by using the sysname
    command.
  ◦ For pre-shared key authentication, the device can use an ID of any type other than the DN.
4. Configure peer IDs.
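
The profile rules in steps 1 to 3 can be checked before a change is applied. The following Python sketch is an added example, not part of the HPE guide: it validates a profile against those rules and computes the local ID the device actually sends, including the FQDN fallback. The dictionary keys, method strings, and sample values are assumptions of this example, not Comware syntax.

```python
import ipaddress

# Hypothetical profile model: keys and method strings are this example's own
# names, chosen to mirror the guide's rules; they are not Comware syntax.
PSK, SIG = "pre-share", "rsa-signature"

def effective_local_id(profile, cert_ip, sysname):
    """Return the (type, value) pair the device sends as its local ID."""
    id_type, value = profile["local_id"]
    if (SIG in profile.get("local_auth", []) and id_type == "address" and cert_ip
            and ipaddress.ip_address(value) != ipaddress.ip_address(cert_ip)):
        # Per the guide: an IP local ID that differs from the IP address in the
        # local certificate is replaced by the FQDN (the sysname device name).
        return ("fqdn", sysname)
    return (id_type, value)

def check_profile(profile, cert_ip=None, sysname=None):
    """Return findings for one IKEv2 profile, checked against the guide's rules."""
    findings = []
    local = profile.get("local_auth", [])
    remote = profile.get("remote_auth", [])
    if len(local) != 1:
        findings.append("exactly one local authentication method is required")
    if not remote:
        findings.append("at least one remote authentication method is required")
    methods = set(local) | set(remote)
    if PSK in methods and not profile.get("keychain"):
        findings.append("pre-shared key authentication needs an IKEv2 keychain")
    if SIG in methods and not profile.get("pki_domain"):
        findings.append("digital signature authentication needs a PKI domain")
    id_type, value = profile.get("local_id", (None, None))
    if PSK in local and id_type == "dn":
        findings.append("a DN local ID cannot be used with pre-shared key authentication")
    if id_type and effective_local_id(profile, cert_ip, sysname) != (id_type, value):
        findings.append("local ID sent to the peer is FQDN %r, not the configured address" % sysname)
    return findings

# Constructed sample profiles (addresses are from documentation ranges).
PSK_PROFILE = {"local_auth": [PSK], "remote_auth": [PSK, SIG],
               "local_id": ("dn", None)}
SIG_PROFILE = {"local_auth": [SIG], "remote_auth": [SIG], "pki_domain": "domain1",
               "local_id": ("address", "192.0.2.1")}

if __name__ == "__main__":
    for name, prof in (("psk", PSK_PROFILE), ("sig", SIG_PROFILE)):
        for finding in check_profile(prof, cert_ip="198.51.100.7", sysname="SwitchA"):
            print(name, "-", finding)
```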
