H3C MSR Series Command Reference Manual page 578

Views
IPsec policy view
IPsec policy template view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the remote address or host name of an IPv6 IPsec tunnel. To specify the remote
address or host name of an IPv4 IPsec tunnel, do not specify this keyword.
hostname: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host
name can be resolved to an IP address by the DNS server.
ipv4-address: Specifies a remote IPv4 address.
ipv6-address: Specifies a remote IPv6 address.
Usage guidelines
This remote IP address configuration is required on the IKE negotiation initiator and optional on the
responder if the responder uses an IPsec policy template.
A manual IPsec policy does not support DNS. Therefore, you must specify a remote IP address
rather than a remote host name for the manual IPsec policy.
If you configure a remote host name, make sure the local end can always resolve the host name into
the latest IP address of the remote end.
•
If a DNS server is used for resolution, the local end queries the remote IP address again from
the DNS server after the previously cached remote IP address expires. This mechanism
ensures that the local end can always obtain the latest remote IP address.
•
If a static DNS entry is used for resolution, you must reconfigure the remote-address
command whenever the remote IP address changes. Without the reconfiguration, the local end
cannot obtain the latest remote IP address.
For example, the local end has a static DNS entry which maps the host name test to the IP address
1.1.1.1. Configure the following commands:
# Configure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test
# Change the IP address for the host test to 2.2.2.2.
[Sysname] ip host test 2.2.2.2
In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local
end can obtain the latest IP address of the remote host.
# Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
[Sysname] ipsec policy policy1 1 isakmp
[Sysname -ipsec-policy-isakmp-policy1-1] remote-address test
Examples
# Specify the remote IP address 10.1.1.2 for the IPsec tunnel.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 manual
[Sysname-ipsec-policy-manual-policy1-10] remote-address 10.1.1.2
Related commands
ip host (see Layer 3—IP Services Commands Reference)
555