HP MSR Series Command Reference Manual page 367

Default
No PKI domain is specified for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. If you
do not specify this argument, all PKI domains configured on the device are used for enrollment,
authentication, certificate issuing, validation, and signature.
Usage guidelines
You can specify up to 6 PKI domains for an IKE profile.
IKE can use the PKI domain to automatically obtain the CA certificate, and then request a local certificate.
If the CA certificate exists, IKE requests a local certificate.
- On the initiator: If the IKE profile has a PKI domain and the automatic request of certificate is
  configured for the PKI domain, the initiator automatically obtains the CA certificate. If the IKE profile
  has no PKI domain, you must manually obtain the CA certificate.
- On the responder: During the IKE negotiation phase 1:
  - If main mode is used, the responder does not automatically obtain the CA certificate. You must
    manually request the CA certificate.
  - If aggressive mode is used, the responder does not automatically obtain the CA certificate
    unless a matching IKE profile is found, an IKE domain is specified in the profile, and the
    automatic request of certificate is configured for the PKI domain.
Examples
# Specify the PKI domain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] certificate domain abc
Related commands
authentication-method
pki domain
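
The following Python check is an added example, not part of the HP manual: it audits a saved configuration against the certificate domain rules above (an unset domain means all PKI domains are used, at most 6 domains per profile, names of 1 to 31 characters compared case-insensitively). The configuration layout (unindented view headers, indented commands), the finding labels, and the sample configuration are assumptions constructed for illustration.

```python
import re

MAX_DOMAINS = 6     # "up to 6 PKI domains for an IKE profile"
MAX_NAME_LEN = 31   # domain-name: 1 to 31 characters, case-insensitive

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
pki domain abc
pki domain Branch-CA
ike profile 1
 certificate domain abc
 certificate domain ABC
ike profile 2
 certificate domain missing-ca
ike profile 3
"""

def parse(config):
    """Return (defined PKI domains, lowercased; {ike profile: [certificate domains]})."""
    defined, profiles, current = set(), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # assumed: view headers are unindented
            m = re.match(r"pki domain (\S+)$", line)
            if m:
                defined.add(m.group(1).lower())
            m = re.match(r"ike profile (\S+)$", line)
            current = profiles.setdefault(m.group(1), []) if m else None
        elif current is not None:             # indented command inside an IKE profile
            m = re.match(r"\s+certificate domain (\S+)$", line)
            if m:
                current.append(m.group(1))
    return defined, profiles

def audit(config):
    """Map each IKE profile name to a list of findings (empty list means clean)."""
    defined, profiles = parse(config)
    findings = {}
    for name, domains in profiles.items():
        issues = ["no-domain"] if not domains else []   # all PKI domains would be used
        if len(domains) > MAX_DOMAINS:
            issues.append("too-many-domains")
        seen = set()
        for d in domains:
            if not 1 <= len(d) <= MAX_NAME_LEN:
                issues.append(f"bad-length:{d}")
            if d.lower() in seen:
                issues.append(f"duplicate:{d}")         # same domain, different case
            elif d.lower() not in defined:
                issues.append(f"undefined:{d}")         # no matching pki domain
            seen.add(d.lower())
        findings[name] = issues
    return findings
```
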
dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 }
undo dh
In FIPS mode: