3. Create an IKEv2 peer and enter IKEv2 peer view.
   Command: peer name
   Remarks: By default, no IKEv2 peers exist.
4. Configure the information for identifying the IKEv2 peer.
   Commands:
   • To configure a host name for the peer:
     hostname host-name
   • To configure a host IP address or address range for the peer:
     address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
   • To configure an ID for the peer:
     identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string }
   Remarks: By default, no hostname, host IP address, address range, or identity information is configured for an IKEv2 peer.
   You must configure different IP addresses/address ranges for different peers.
5. Configure a pre-shared key for the peer.
   Command: pre-shared-key [ local | remote ] { ciphertext | plaintext } string
   Remarks: By default, an IKEv2 peer does not have a pre-shared key.
Configure global IKEv2 parameters
Enabling the cookie challenging feature
Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests.
To enable cookie challenging:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable cookie challenging.
   Command: ikev2 cookie-challenge number
   Remarks: By default, IKEv2 cookie challenging is disabled.
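The following Python model, added here as an illustration and not part of this guide or of any vendor implementation, shows why cookie challenging bounds the damage of a forged IKE_SA_INIT flood. It follows the stateless cookie scheme of RFC 7296 section 2.6: once a threshold of half-open IKE SAs is reached (the role played by the number argument of ikev2 cookie-challenge; the threshold semantics are an assumption of this model), the responder answers new requests with a cookie derived from the request and a local secret and keeps no state until the initiator echoes that cookie back. The Responder class, the simulate function and the 198.51.100.x / 203.0.113.7 addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Responder:
    # Stateless cookie challenge modelled on RFC 7296 section 2.6.
    # `threshold` is assumed to play the role of the <number> argument of
    # `ikev2 cookie-challenge`: once this many half-open IKE SAs exist,
    # further IKE_SA_INIT requests must carry a valid cookie before the
    # responder allocates any state for them.
    threshold: int
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    version: int = 0
    half_open: dict = field(default_factory=dict)  # SPIi -> initiator IP

    def make_cookie(self, spi_i: bytes, nonce_i: bytes, ip_i: str) -> bytes:
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>),
        # computed here as an HMAC so the secret never leaves the responder.
        mac = hmac.new(self.secret, nonce_i + ip_i.encode() + spi_i,
                       hashlib.sha256).digest()
        return bytes([self.version]) + mac

    def handle_sa_init(self, spi_i, nonce_i, ip_i, cookie=None):
        """Return (message_type, cookie). 'COOKIE' means the request was
        challenged and no per-initiator state was allocated."""
        if len(self.half_open) >= self.threshold:
            expected = self.make_cookie(spi_i, nonce_i, ip_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "COOKIE", expected
        self.half_open[spi_i] = ip_i  # state is created only past this point
        return "IKE_SA_INIT_RESPONSE", None


def simulate(threshold=10, flood_size=1000):
    """Constructed scenario: many IKE_SA_INIT requests from forged source
    addresses that never answer the challenge, then one honest initiator."""
    resp = Responder(threshold=threshold)
    challenged = 0
    for i in range(flood_size):
        kind, _ = resp.handle_sa_init(
            spi_i=i.to_bytes(8, "big"),
            nonce_i=secrets.token_bytes(32),
            ip_i=f"198.51.100.{i % 250}")  # constructed addresses
        if kind == "COOKIE":
            challenged += 1
    # Honest initiator: first attempt is challenged, retry echoes the cookie.
    spi, nonce, ip = b"\xaa" * 8, secrets.token_bytes(32), "203.0.113.7"
    kind1, cookie = resp.handle_sa_init(spi, nonce, ip)
    kind2, _ = resp.handle_sa_init(spi, nonce, ip, cookie=cookie)
    # A cookie reused with a different nonce no longer verifies.
    kind3, _ = resp.handle_sa_init(spi, secrets.token_bytes(32), ip, cookie=cookie)
    return {"half_open": len(resp.half_open), "challenged": challenged,
            "honest_first": kind1, "honest_retry": kind2, "replay": kind3}


if __name__ == "__main__":
    print(simulate())
```

With a threshold of 10 and a flood of 1000 requests, only the first 10 consume responder state; the remaining 990 receive a cookie and nothing more, while the honest initiator completes on its second attempt. Real responders also rotate the secret and limit how long cookies stay valid; that is left out of the model.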
Configuring the IKEv2 DPD feature
IKEv2 DPD detects dead IKEv2 peers in periodic or on-demand mode.
• Periodic DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages at regular intervals.
• On-demand DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages before sending data.
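The two modes differ in when a probe is triggered, not in the probe itself. The Python model below is added here to make that difference concrete; it is not part of this guide and does not reproduce any vendor's DPD implementation. It assumes a simplified rule that a peer is only probed after interval seconds without traffic from it, and that in on-demand mode the probe is additionally gated on locally queued data. The DpdTracker class, the run_timeline function and the timeline itself are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class DpdTracker:
    # Simplified model (an assumption, not Comware's implementation): a peer
    # is considered idle after `interval` seconds without traffic from it,
    # and at most one probe is sent per `interval`.
    mode: str                       # "periodic" or "on-demand"
    interval: float                 # seconds
    last_rx: float = 0.0            # last time traffic arrived from the peer
    last_probe: float = float("-inf")
    probes: list = field(default_factory=list)

    def traffic_received(self, now: float) -> None:
        # Any traffic from the peer proves liveness and resets the idle timer.
        self.last_rx = now

    def tick(self, now: float, has_data_to_send: bool = False) -> bool:
        """Decide whether a DPD message is sent at time `now`."""
        idle = now - self.last_rx >= self.interval
        due = now - self.last_probe >= self.interval
        if self.mode == "periodic":
            send = idle and due                       # probe on silence alone
        elif self.mode == "on-demand":
            send = has_data_to_send and idle and due  # probe only before sending
        else:
            raise ValueError(f"unknown DPD mode: {self.mode}")
        if send:
            self.last_probe = now
            self.probes.append(now)
        return send


def run_timeline(mode: str, interval: float = 10) -> list:
    """Constructed timeline: the peer falls silent at t=0; local data is
    queued for it at t=25 and t=27. Returns the times at which DPD is sent."""
    tracker = DpdTracker(mode=mode, interval=interval)
    for now in range(0, 41):
        tracker.tick(now, has_data_to_send=(now in (25, 27)))
    return tracker.probes


if __name__ == "__main__":
    for mode in ("periodic", "on-demand"):
        print(mode, run_timeline(mode))
```

On the same silent peer, periodic mode probes every 10 seconds regardless of local traffic, whereas on-demand mode sends a single probe at t=25, when data first has to be forwarded to a peer that has been quiet for longer than the interval; the second queued packet at t=27 does not trigger another probe because one was just sent.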