HPE MSR3000 User Manual

24. (Optional.) Configure the DPD feature for the IKEv2 profile.
    Command: dpd interval interval [ retry seconds ] { on-demand | periodic }
    Remarks: By default, DPD is disabled for an IKEv2 profile. The global DPD settings in system view are used. If DPD is also disabled in system view, the device does not perform DPD.

25. (Optional.) Specify an inside VPN instance for the IKEv2 profile.
    Command: inside-vrf vrf-name
    Remarks: By default, no inside VPN instance is specified for an IKEv2 profile. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.

26. (Optional.) Set the IKEv2 NAT keepalive interval.
    Command: nat-keepalive seconds
    Remarks: By default, the global IKEv2 NAT keepalive setting is used.

27. (Optional.) Enable the configuration exchange feature.
    Command: config-exchange { request | set { accept | send } }
    Remarks: By default, all configuration exchange options are disabled.

28. (Optional.) Enable AAA authorization.
    Command: aaa authorization domain domain-name username user-name
    Remarks: By default, AAA authorization is disabled for IKEv2.

Configuring an IKEv2 policy
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.
• If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of the local security gateway. If no IKEv2 policy uses the IP address or the policy is using an incomplete proposal, the IKE_SA_INIT exchange fails.
• If no IKEv2 policy is configured, IKEv2 uses the system default IKEv2 policy, which is named default.
The device matches IKEv2 policies in descending order of priority. To determine the priority of an IKEv2 policy:
1. The device first checks whether the match local address command is configured. An IKEv2 policy with the match local address command configured has a higher priority.
2. If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority number has a higher priority.
3. If a tie still exists, the device prefers the IKEv2 policy that was configured earlier.

To configure an IKEv2 policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IKEv2 policy and enter IKEv2 policy view.
   Command: ikev2 policy policy-name
   Remarks: By default, an IKEv2 policy named default exists.

3. Specify the local interface or address used for IKEv2 policy matching.
   Command: match local address { interface-type interface-number | { { ipv4-address | ipv6 ipv6-address } } }
   Remarks: By default, no local interface or address is used for IKEv2 policy matching, and the policy matches any local interface or address.
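
The following Python sketch is an added example, not HPE code. It models the priority rules and the match-any default described above, so a configuration can be audited for which policy a given local address selects and which policies can never be selected. The Policy fields, the constructed sample policies, the address-only matching (interfaces are not modelled) and the absence of fall-through when the selected policy has an incomplete proposal are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass
class Policy:                       # hypothetical model of one "ikev2 policy"
    name: str
    priority: int                   # smaller number = higher priority
    order: int                      # configuration order, 0 = configured first
    local: Optional[str] = None     # match local address; None = matches any
    proposal_complete: bool = True  # assumed flag for a usable proposal

def rank(policies):
    """Match-local policies first, then priority number, then age."""
    return sorted(policies, key=lambda p: (p.local is None, p.priority, p.order))

def select(policies, local_ip):
    """Return (policy name or None, reason) for the local gateway address."""
    if not policies:
        return "default", "no policy configured, system default is used"
    addr = ip_address(local_ip)
    for p in rank(policies):
        if p.local is None or ip_address(p.local) == addr:
            if not p.proposal_complete:  # assumption: no fall-through
                return None, f"{p.name}: incomplete proposal, IKE_SA_INIT fails"
            return p.name, "matched"
    return None, "no policy uses this address, IKE_SA_INIT fails"

def shadowed(policies):
    """Names of policies that an earlier-ranked policy always pre-empts."""
    seen, out = set(), []
    for p in rank(policies):
        key = ip_address(p.local) if p.local else None
        if None in seen or key in seen:
            out.append(p.name)
        seen.add(key)
    return out

# Constructed sample using documentation addresses (RFC 5737).
POLICIES = [
    Policy("legacy-any", priority=5, order=0),
    Policy("branch", priority=20, order=1, local="192.0.2.1"),
    Policy("branch-strict", priority=10, order=2, local="192.0.2.1"),
    Policy("strict-any", priority=5, order=3),
]

if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7"):
        print(ip, select(POLICIES, ip))
    print("never selected:", shadowed(POLICIES))
```

A policy reported by shadowed() is worth reviewing: its proposals are never offered, so tightening it has no effect while the policy ranked above it stays in place.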
