Match Remote - H3C MSR Series Command Reference Manual

Comware 7 security

Usage guidelines
Use this command to specify which address or interface can use the IKE profile for IKE negotiation.
For this command, specify the local address that is configured in IPsec policy view or IPsec policy
template view (by using the local-address command). If no local address is configured, specify the
IP address of the interface that uses the IPsec policy.
An IKE profile configured earlier has a higher priority. To give an IKE profile that is configured later a
higher priority, you can configure this command for the profile. For example, suppose you configured
IKE profile A before configuring IKE profile B, and you configured the match remote identity
address range 2.2.2.1 2.2.2.100 command for IKE profile A and the match remote identity
address range 2.2.2.1 2.2.2.10 command for IKE profile B. For the local interface with the IP
address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKE profile A is preferred because IKE profile A
was configured earlier. To use IKE profile B, you can use this command to restrict the application
scope of IKE profile B to address 3.3.3.3.
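The priority rule described above, as a simplified Python model added here for auditing which profile a negotiation would select (an added example, not H3C code and not part of the manual). It assumes only what this page states: profiles are tried in configuration order, and a profile with a matching match local address is preferred over earlier profiles without one; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class IkeProfile:
    name: str
    remote_low: IPv4Address    # match remote identity address range <low> <high>
    remote_high: IPv4Address
    local_address: Optional[IPv4Address] = None   # match local address, if configured

    def matches_remote(self, peer: IPv4Address) -> bool:
        return self.remote_low <= peer <= self.remote_high

    def in_local_scope(self, local: IPv4Address) -> bool:
        # A profile without "match local address" applies to every local address.
        return self.local_address is None or self.local_address == local


def profile(name, low, high, local=None) -> IkeProfile:
    return IkeProfile(name, IPv4Address(low), IPv4Address(high),
                      IPv4Address(local) if local else None)


def select_profile(profiles: List[IkeProfile], local: str, peer: str) -> Optional[str]:
    """Return the name of the profile this model selects; profiles are in configuration order."""
    local_ip, peer_ip = IPv4Address(local), IPv4Address(peer)
    candidates = [p for p in profiles
                  if p.matches_remote(peer_ip) and p.in_local_scope(local_ip)]
    # Stable sort: profiles scoped by "match local address" come first,
    # configuration order is preserved inside each group.
    candidates.sort(key=lambda p: p.local_address is None)
    return candidates[0].name if candidates else None


# Constructed from the scenario in the text: A is configured before B.
BEFORE = [profile("A", "2.2.2.1", "2.2.2.100"),
          profile("B", "2.2.2.1", "2.2.2.10")]
# Same profiles after "match local address 3.3.3.3" is configured for B.
AFTER = [profile("A", "2.2.2.1", "2.2.2.100"),
         profile("B", "2.2.2.1", "2.2.2.10", local="3.3.3.3")]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", select_profile(cfg, "3.3.3.3", "2.2.2.6"))
```

Running the model over an exported profile list shows where an earlier, broader match remote range shadows a later, narrower profile.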
Examples
# Create the IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Apply the IKE profile prof1 to the interface with the IP address 2.2.2.2 in the VPN instance vpn1.
[Sysname-ike-profile-prof1] match local address 2.2.2.2 vpn-instance vpn1

match remote

Use match remote to configure a peer ID for IKE profile matching.
Use undo match remote to delete a peer ID for IKE profile matching.
Syntax
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ]
| range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range
low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name |
user-fqdn user-fqdn-name } }
undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask |
mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] |
range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name
| user-fqdn user-fqdn-name } }
Default
No peer ID is configured for IKE profile matching.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile
matching. The policy-name argument is a string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKE profile matching. The specified
information is configured on the peer by using the local-identity command.
address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet
address as the peer ID for IKE profile matching. The mask-length argument is in the range of 0
to 32.