
HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
Step 5. Specify a keyring.
    Command: keyring keyring-name
    Remarks: Required when either or both peers use the pre-shared key authentication method. By default, an IKEv2 profile references no keyring. An IKEv2 profile can reference only one keyring.

Step 6. Specify the IKEv2 profile matching criteria.
    Command: match { address local { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address } | certificate access-control-policy string | identity remote { address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ mask ] } | email email-string | fqdn fqdn-name | key-id key-id } }
    Remarks: Required for the device to work as a responder. When working as the responder, the device uses these criteria to search for an IKEv2 profile. An initiator does not require this configuration. It uses the IKEv2 profile specified in the IPsec policy. By default, no IKEv2 profile matching criterion is configured. If you specify multiple matching criteria for an IKEv2 profile, the match must meet one criterion of each specified type.

Step 7. Specify the PKI domains.
    Command: pki domain domain-name [ sign | verify ]
    Remarks: If the local end uses the RSA digital signature authentication method, you must configure a PKI domain for certificate signing on the local end and a PKI domain for certificate verification on the remote end. If the remote end uses the RSA digital signature authentication method, you must configure a PKI domain for certificate signing on the remote end and a PKI domain for certificate verification on the local end. By default, the existing PKI domains in the system are used to authenticate certificates.

Step 8. Configure the DPD function.
    Command: dpd interval { on-demand | periodic }
    Remarks: Optional. By default, IKEv2 DPD is disabled.

Step 9. Set the IKEv2 SA lifetime.
    Command: lifetime seconds
    Remarks: Optional. 86400 seconds by default.

Step 10. Set the IKEv2 NAT keepalive interval.
    Command: nat keepalive seconds
    Remarks: Optional. 10 seconds by default.

Step 11. Enable the device to accept the IP address allocation requests from IKEv2 negotiation initiators.
    Command: client configuration address respond
    Remarks: Optional. By default, the device does not accept the IP address allocation requests from initiators. This configuration is only intended for an IKEv2 negotiation responder.

Step 12. Enable the device to send IP address allocation requests.
    Command: connect auto
    Remarks: Optional. By default, the device does not send IP address allocation requests. This configuration is only intended for an IKEv2 negotiation initiator.
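
The matching rule in step 6 (one criterion of each specified type must be met) can be checked offline against a planned set of profiles. The following Python sketch is an added example, not code from the manual or from HPE. Its data model, key names, profile names and sample peers are constructed assumptions, and it treats a profile with no matching criteria as never selectable by a responder.

```python
import ipaddress

# Constructed model (not device code): each profile lists its "match" criteria
# by type; the key names below are assumptions made for this example.
TYPES = ("local", "cert_acp", "remote_id")

def _hit(ctype, crit, peer):
    if ctype == "local":          # match address local
        return ipaddress.ip_address(crit) == ipaddress.ip_address(peer["local_addr"])
    if ctype == "cert_acp":       # match certificate access-control-policy
        return crit in peer.get("cert_policies", ())
    kind, value = crit            # match identity remote {address|email|fqdn|key-id}
    if peer.get("id_type") != kind:
        return False
    if kind == "address":         # address plus optional mask length, written as CIDR
        net = ipaddress.ip_network(value, strict=False)
        return ipaddress.ip_address(peer["id_value"]) in net
    return peer["id_value"] == value

def profile_matches(profile, peer):
    configured = {t: profile[t] for t in TYPES if profile.get(t)}
    if not configured:
        return False              # no criteria: a responder cannot select this profile
    # OR within one criterion type, AND across every type that is configured
    return all(any(_hit(t, c, peer) for c in crits) for t, crits in configured.items())

def responder_candidates(profiles, peer):
    return [p["name"] for p in profiles if profile_matches(p, peer)]

# Constructed sample data (documentation address ranges and example domains)
PROFILES = [
    {"name": "branch", "local": ["192.0.2.1"],
     "remote_id": [("fqdn", "r1.example.com"), ("address", "203.0.113.0/24")]},
    {"name": "partner", "cert_acp": ["acp-partner"],
     "remote_id": [("email", "vpn@example.net")]},
    {"name": "initiator-only"},
]
PEER_A = {"local_addr": "192.0.2.1", "id_type": "address", "id_value": "203.0.113.7"}
PEER_B = {"local_addr": "192.0.2.9", "id_type": "fqdn", "id_value": "r1.example.com"}
PEER_C = {"local_addr": "192.0.2.1", "id_type": "email", "id_value": "vpn@example.net",
          "cert_policies": {"acp-partner"}}

if __name__ == "__main__":
    for peer in (PEER_A, PEER_B, PEER_C):
        print(peer["id_value"], "->", responder_candidates(PROFILES, peer))
```

PEER_B presents an FQDN that the "branch" profile lists, but arrives on a different local address, so no profile is selected. The function returns every matching profile because the page does not state the order in which the device searches profiles.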
