HPE Moonshot 45Gc Security Configuration Manual page 305

Switch module

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKE profile and enter its view.
  Command: ike profile profile-name
  Remarks: By default, no IKE profile is configured.

Step 3. Configure a peer ID.
  Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
  Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.

Step 4. Specify the keychain for pre-shared key authentication or the PKI domain used to request a certificate for digital signature authentication.
  Command:
    To specify the keychain for pre-shared key authentication:
      keychain keychain-name
    To specify the PKI domain used to request a certificate for digital signature authentication:
      certificate domain domain-name
  Remarks: Configure at least one command as required. By default, no IKE keychain or PKI domain is specified for an IKE profile.

Step 5. Specify the IKE negotiation mode for phase 1.
  Command:
    In non-FIPS mode:
      exchange-mode { aggressive | main }
    In FIPS mode:
      exchange-mode main
  Remarks: By default, the main mode is used during IKE negotiation phase 1.

Step 6. Specify the IKE proposals for the IKE profile to reference.
  Command: proposal proposal-number&<1-6>
  Remarks: By default, an IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.

Step 7. Configure the local ID.
  Command: local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
  Remarks: By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy or IPsec policy template is applied as the local ID.

Step 8. (Optional.) Configure IKE DPD.
  Command: dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
  Remarks: By default, the IKE DPD feature is not configured for an IKE profile and an IKE profile uses the DPD settings configured in system view. If the IKE DPD feature is not configured in system view either, the device does not perform dead IKE peer detection.

Step 9. (Optional.) Specify the local interface or IP address to which the IKE profile can be applied.
  Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] }
  Remarks: By default, an IKE profile can be applied to any local interface or IP address.
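
An added example, not part of the HPE manual: a small Python check that reads saved `ike profile` blocks and reports where a profile departs from the requirements and defaults in the table above. The sample configuration, the profile and keychain names, the addresses, and the assumption that sub-commands appear indented under the `ike profile` line are all constructed for illustration.

```python
import re

# Constructed sample: two IKE profiles written with the commands from the table
# above. Profile, keychain and address values are made up for illustration.
SAMPLE = """\
ike profile branch1
 match remote identity address 192.0.2.2 255.255.255.255
 keychain kc1
 exchange-mode aggressive
 proposal 10 20
 dpd interval 10 retry 5 on-demand
#
ike profile branch2
 exchange-mode main
 proposal 1 2 3 4 5 6 7
#
"""

def parse_profiles(text):
    """Return {profile-name: [sub-command lines]} for each 'ike profile' block."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"ike profile (\S+)\s*$", line)
        if m:
            current = profiles.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any unindented line ends the profile view
    return profiles

def audit(cmds, fips=False):
    """Check one profile's commands against the table's remarks."""
    findings = []
    has = lambda prefix: any(c.startswith(prefix) for c in cmds)
    if not has("match remote "):
        findings.append("no peer ID (match remote)")
    if not (has("keychain ") or has("certificate domain ")):
        findings.append("no keychain or PKI domain")
    if fips and has("exchange-mode aggressive"):
        findings.append("aggressive mode is not available in FIPS mode")
    for c in cmds:  # &<1-6> means the argument can be entered 1 to 6 times
        if c.startswith("proposal ") and not 1 <= len(c.split()) - 1 <= 6:
            findings.append("proposal takes 1 to 6 proposal numbers")
    if not has("dpd "):
        findings.append("no profile DPD; system-view DPD settings apply, if any")
    if not has("match local address "):
        findings.append("profile can be applied to any local interface or address")
    return findings

def audit_all(text, fips=False):
    return {name: audit(cmds, fips) for name, cmds in parse_profiles(text).items()}
```

Call `audit_all(SAMPLE, fips=True)` to include the FIPS-mode restriction on `exchange-mode`; the DPD and `match local address` findings describe the documented defaults and are informational rather than errors.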
