HPE MSR3000 User Manual

HPE MSR3000
371 pages
| Tasks at a glance | Remarks |
|---|---|
| (Required.) Configuring an IKEv2 profile | N/A |
| (Required.) Configuring an IKEv2 policy | N/A |
| (Optional.) Configuring an IKEv2 proposal | If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal. |
| Configuring an IKEv2 keychain | Required when either end or both ends use the pre-shared key authentication method. |
| Configure global IKEv2 parameters: (Optional.) Enabling the cookie challenging feature; (Optional.) Configuring the IKEv2 DPD feature; (Optional.) Configuring the IKEv2 NAT keepalive feature; (Optional.) Configuring IKEv2 address pools | The cookie challenging feature takes effect only on IKEv2 responders. |

Configuring an IKEv2 profile
An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an IKEv2 profile, perform the following tasks:
1. Specify the local and remote identity authentication methods.
   The local and remote identity authentication methods must both be specified and they can be different. You can specify only one local identity authentication method and multiple remote identity authentication methods.
2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:
   • To use digital signature authentication, configure a PKI domain.
   • To use pre-shared key authentication, configure an IKEv2 keychain.
3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation:
   • For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN as the local ID. The FQDN is the device name configured by using the sysname command.
   • For pre-shared key authentication, the device can use an ID of any type other than the DN.
4. Configure peer IDs.
   The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2 profiles will be compared in descending order of their priorities.
5. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
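
The five steps above, written out as a Comware-style configuration for the pre-shared key case. This is an added example, not taken from the manual: the keychain and profile names, the documentation-range addresses, the priority value and the key placeholder are assumptions, and the command syntax should be checked against the command reference for your software release.

```comware
# Constructed example: names, addresses and the key placeholder are illustrative.
# Keychain referenced by the profile (needed for pre-shared key authentication).
ikev2 keychain kc-branch1
 peer branch1
  address 203.0.113.2 255.255.255.255
  identity address 203.0.113.2
  pre-shared-key plaintext <PRE-SHARED-KEY>
#
ikev2 profile prof-branch1
 # Step 1: exactly one local method; one or more remote methods.
 authentication-method local pre-share
 authentication-method remote pre-share
 # Step 2: keychain for pre-shared key authentication
 # (a PKI domain would be referenced here for digital signatures).
 keychain kc-branch1
 # Step 3: local ID; with pre-shared keys any ID type other than DN is allowed.
 identity local address 198.51.100.1
 # Step 4: peer ID that selects this profile, and the profile's priority.
 # A host mask keeps the match limited to this one peer.
 match remote identity address 203.0.113.2 255.255.255.255
 priority 10
 # Step 5: restrict the profile to the local address used by the IPsec policy.
 match local address 198.51.100.1
#
```

The address in `match local address` should be the same one set with local-address in the IPsec policy or policy template, as step 5 requires.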
