4. Configure a host name, host IP address, address range, or identity information for the IKEv2 peer.
   Command:
   • To configure a host name for the peer:
     hostname host-name
   • To configure a host IP address or address range for the peer:
     address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }
   • To configure identity information for the peer:
     identity { address { ipv4-address | ipv6 ipv6-address } | email email-string | fqdn fqdn-name | key-id key-id }
   Configure one of them.
   Remarks:
   By default, an IKEv2 peer has no hostname, host IP address, address range or identity information.
   For the device to work as an initiator, you must configure the peer's host name, host IP address, or address range. For the device to work as a responder, you must configure the peer's host IP address, address range, or ID.
   You must configure different identity information for different peers.
5. Configure a pre-shared key for the peer.
   Command:
   pre-shared-key [ local | remote ] [ cipher | simple ] key
   Remarks:
   By default, an IKEv2 peer has no pre-shared key.
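A pre-deployment check of the rules in steps 4 and 5, as an added example that is not from the original manual: it parses a constructed keychain listing and reports peers that lack the host name, address or identity the device's role requires, have no pre-shared key, or reuse another peer's identity. The `peer <name>` line that opens each block, and all peer names, addresses and keys, are assumptions made for the example.

```python
# Constructed sample of a keychain body. Commands are those in steps 4 and 5;
# the "peer <name>" line opening each block is an assumption (not on this page).
SAMPLE = """\
peer hq
 address 192.0.2.0 24
 pre-shared-key simple CONSTRUCTED-KEY-1
peer branch1
 hostname branch1.example.com
 pre-shared-key local cipher CONSTRUCTED-KEY-2
peer branch2
 identity fqdn vpn.example.com
 pre-shared-key simple CONSTRUCTED-KEY-3
peer branch3
 identity fqdn vpn.example.com
"""

PEER_COMMANDS = ("hostname", "address", "identity", "pre-shared-key")

def parse_peers(text):
    """Return {peer_name: {command: [argument strings]}} from keychain text."""
    peers, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "peer":
            current = peers.setdefault(words[1], {})
        elif current is not None and words and words[0] in PEER_COMMANDS:
            current.setdefault(words[0], []).append(" ".join(words[1:]))
    return peers

def check_peers(peers, role):
    """Check the page's rules for role 'initiator' or 'responder'."""
    need = ("hostname", "address") if role == "initiator" else ("address", "identity")
    findings, owner = [], {}
    for name, cfg in peers.items():
        if not any(cmd in cfg for cmd in need):
            findings.append((name, f"{role} needs {' or '.join(need)}"))
        if "pre-shared-key" not in cfg:
            findings.append((name, "no pre-shared key (the default)"))
        for ident in cfg.get("identity", []):
            if ident in owner:
                findings.append((name, f"identity already used by peer {owner[ident]}"))
            owner.setdefault(ident, name)
    return findings

if __name__ == "__main__":
    for role in ("initiator", "responder"):
        for name, problem in check_peers(parse_peers(SAMPLE), role):
            print(f"[{role}] peer {name}: {problem}")
```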
Configuring an IKEv2 profile
An IKEv2 profile provides the IKEv2 SA parameters that are not negotiated during IKEv2 negotiation,
such as the identity information of the two peers, the authentication method, the matching criterion
used to search for an IKEv2 profile, DPD parameters, and IKEv2 SA lifetime.
An IKEv2 profile is used by an IPsec policy or IPsec profile. You must configure an IKEv2 profile on
both the IKEv2 negotiation initiator and responder.
To configure an IKEv2 profile:
1. Enter system view.
   Command:
   system-view
   Remarks:
   N/A
2. Create an IKEv2 profile and enter IKEv2 profile view.
   Command:
   ikev2 profile profile-name
   Remarks:
   By default, no IKEv2 profile exists.
3. Configure the local or remote identity authentication method.
   Command:
   authentication { local | remote } { pre-share | rsa-sig }
   Remarks:
   Optional.
   By default, both the local end and remote end use the pre-shared key authentication method.
   You can specify only one local identity authentication method but can specify multiple remote identity authentication methods.
4. Configure the local identity information.
   Command:
   identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id }
   Remarks:
   By default, no local identity information is configured.
   With the RSA digital signature authentication method, you can configure any type of identity information. With the pre-shared key authentication method, you cannot configure a DN as the identity information.