• The local and remote identity authentication methods. With the pre-shared key authentication method, you must determine the pre-shared key that both ends will use. With the RSA digital signature authentication method, you must determine the PKI domain that the local end will use to obtain its certificate.
• The pre-shared key, or the PKI domain of the certificate. For information about configuring PKI, see "Configuring PKI."
To configure IKEv2:

Task                                                        Remarks
Configuring global IKEv2 parameters:
  Configuring the cookie challenging function               Optional. Effective only on an IKEv2 responder.
  Configuring the IKEv2 DPD function                        Optional.
  Setting limits on the number of IKEv2 SAs                 Optional.
  Configuring an address pool for assigning addresses
  to initiators                                             Optional.
Configuring an IKEv2 proposal                               Optional.
Configuring an IKEv2 policy                                 Optional.
Configuring an IKEv2 keyring                                Required when either end or both ends use the
                                                            pre-shared key authentication method.
Configuring an IKEv2 profile                                Required.
Configuring global IKEv2 parameters
Configuring the cookie challenging function
Enable the cookie challenging function on intended responders to protect them against DoS attacks that flood the responder with IKE_SA_INIT requests forged from a large number of source IP addresses. A responder that is challenging answers an IKE_SA_INIT with a cookie instead of allocating a half-open IKE SA, and only continues the negotiation with an initiator that retransmits the request carrying that cookie. A spoofed source never receives the cookie, so it cannot consume responder state.
To configure the cookie challenging function:

Step                                                  Command                          Remarks
1. Enter system view.                                 system-view                      N/A
2. Configure the cookie challenging function.         ikev2 cookie-challenge number    Disabled by default.
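The following Python model shows why cookie challenging defeats source-spoofed IKE_SA_INIT floods. It is an added illustration, not Comware code and not an exact description of the device's implementation: the cookie is built as RFC 7296 section 2.6 suggests (a secret version byte followed by a keyed hash over Ni, IPi and SPIi), the responder starts challenging once its half-open IKE SA count reaches a threshold (assumed here to correspond to the number argument of ikev2 cookie-challenge), and the attacker, initiator addresses and packet counts are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SECRET_VERSION = 1  # identifies which responder secret minted the cookie (RFC 7296 2.6)


@dataclass
class IkeSaInit:
    """The fields of an IKE_SA_INIT request that matter for the cookie (constructed model)."""
    spi_i: bytes
    nonce_i: bytes
    src_ip: str
    cookie: Optional[bytes] = None  # set when the initiator retransmits with N(COOKIE)


@dataclass
class Responder:
    threshold: int  # half-open IKE SAs that trigger challenging (models the CLI 'number' argument)
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    half_open: Dict[bytes, str] = field(default_factory=dict)  # SPIi -> claimed source address

    def _cookie(self, msg: IkeSaInit) -> bytes:
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>); an HMAC keyed with
        # the secret is used here in place of a plain hash with the secret appended.
        data = b"|".join([msg.nonce_i, msg.src_ip.encode(), msg.spi_i])
        digest = hmac.new(self.secret, data, hashlib.sha256).digest()
        return bytes([SECRET_VERSION]) + digest[:16]

    def handle(self, msg: IkeSaInit) -> Tuple[str, Optional[bytes]]:
        """Process one IKE_SA_INIT.

        Returns ('cookie', c) when the responder demands a retry with cookie c (no state kept),
        ('sa', spi) when a half-open IKE SA is created, or ('drop', None) for a bad cookie.
        """
        if len(self.half_open) >= self.threshold:
            expected = self._cookie(msg)
            if msg.cookie is None:
                return ("cookie", expected)  # stateless reply; nothing allocated
            if not hmac.compare_digest(msg.cookie, expected):
                return ("drop", None)  # forged or stale cookie
        self.half_open[msg.spi_i] = msg.src_ip
        return ("sa", msg.spi_i)


def legitimate_initiator(responder: Responder, src_ip: str) -> str:
    """A real peer: it receives N(COOKIE) at its own address and retransmits with the cookie."""
    msg = IkeSaInit(spi_i=os.urandom(8), nonce_i=os.urandom(32), src_ip=src_ip)
    kind, payload = responder.handle(msg)
    if kind == "cookie":
        msg.cookie = payload
        kind, payload = responder.handle(msg)
    return kind


def simulate(threshold: int, forged: int = 1000) -> Tuple[int, str]:
    """Flood the responder with spoofed IKE_SA_INITs, then let a real peer connect.

    Returns (half-open SAs consumed by the flood, outcome for the real peer).
    """
    responder = Responder(threshold)
    # Constructed attack traffic: each request carries a different forged source address,
    # so the attacker never sees the N(COOKIE) the responder sends back and cannot retry.
    for i in range(forged):
        responder.handle(IkeSaInit(os.urandom(8), os.urandom(32), f"203.0.113.{i % 250}"))
    consumed = len(responder.half_open)
    outcome = legitimate_initiator(responder, "198.51.100.7")
    return consumed, outcome


if __name__ == "__main__":
    print("challenging at 2 half-open SAs:", simulate(2))        # (2, 'sa')
    print("challenging disabled:", simulate(10 ** 9))            # (1000, 'sa')
```

With challenging enabled the flood pins responder state at the threshold and the genuine peer still completes IKE_SA_INIT; with it disabled every forged request costs a half-open SA.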
Configuring the IKEv2 DPD function
The IKEv2 DPD function detects dead IKE peers in on-demand or periodic mode.
In periodic mode, the DPD function sends DPD hellos to the peer at the specified interval to detect the liveness of the peer.
In on-demand mode, the DPD function works as follows:
1. When the local end sends an IPsec packet, it checks the time at which the last IPsec packet was received from the peer.