Match Vrf (Ikev2 Policy View) - H3C MSR Series Command Reference Manual

Comware 7 security

address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet
address as the peer ID for IKEv2 profile matching. The value range for the mask-length
argument is 0 to 32.
address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the
peer ID for IKEv2 profile matching. The end address must be higher than the start address.
address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet
address as the peer ID for IKEv2 profile matching. The value range for the prefix-length
argument is 0 to 128.
address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as
the peer ID for IKEv2 profile matching. The end address must be higher than the start address.
fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The
fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
email email-string: Uses the peer's email address as the peer ID for IKEv2 profile matching. The
email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by
RFC 822, such as sec@abc.com.
key-id key-id: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The key-id
argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific
string for doing proprietary types of identification.
Usage guidelines
The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a
match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. If you have
configured the match local address and match vrf commands, the IKEv2 profile must also match
the specified local interface or address and the specified VPN instance.
To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two
or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, the IKEv2
profile that is selected for IKEv2 negotiation is unpredictable.
You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a
higher priority.
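An added example, not from the H3C manual: a Python check that scans a saved configuration for the condition the usage guidelines warn about, the same peer ID configured in two or more IKEv2 profiles. It goes beyond exact duplicates by also flagging overlapping IPv4 host, subnet and range entries, which is an assumption of this example. The configuration layout and all function names are constructed, IPv6 entries are compared as exact strings, and match local address / match vrf scoping is not modelled.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample; the saved-configuration layout is an assumption.
SAMPLE_CONFIG = """\
ikev2 profile profile1
 match remote identity fqdn www.test.com
 match remote identity address 10.1.1.1
#
ikev2 profile profile2
 match remote identity fqdn www.test.com
#
ikev2 profile profile3
 match remote identity fqdn WWW.test.com
 match remote identity address 10.1.1.0 24
"""

def parse_peer_id(args):
    """Return ('ipv4', low, high) for IPv4 forms, else (type, exact string)."""
    if args[:2] == ["address", "range"]:
        low, high = (int(ipaddress.IPv4Address(a)) for a in args[2:4])
        return ("ipv4", low, high)
    if args[0] == "address" and args[1] != "ipv6":
        mask = args[2] if len(args) > 2 else "32"  # no mask means a host address
        net = ipaddress.ip_network(f"{args[1]}/{mask}", strict=False)
        return ("ipv4", int(net[0]), int(net[-1]))
    return (args[0], " ".join(args[1:]))  # fqdn/email/key-id: case-sensitive

def load_profiles(text):
    """Map each IKEv2 profile name to its peer-ID keys, in configured order."""
    profiles, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"ikev2 profile (\S+)", line):
            current = profiles.setdefault(m.group(1), [])
        elif (m := re.match(r"\s+match remote identity (.+)", line)) and current is not None:
            current.append(parse_peer_id(m.group(1).split()))
        elif not line.startswith(" "):
            current = None  # left the profile view
    return profiles

def conflicts(a, b):
    if a[0] == b[0] == "ipv4":  # IPv4 entries conflict when their ranges overlap
        return a[1] <= b[2] and b[1] <= a[2]
    return a == b

def find_conflicts(text):
    """Return sorted (profile, profile) pairs that share a peer ID."""
    profiles = load_profiles(text)
    return sorted({(p, q) for p, q in combinations(profiles, 2)
                   for a in profiles[p] for b in profiles[q] if conflicts(a, b)})
```

On the sample, profile1 conflicts with profile2 (identical FQDN) and with profile3 (10.1.1.1 falls inside 10.1.1.0/24), while profile2 and profile3 do not conflict because FQDN comparison is case-sensitive.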
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Configure the IKEv2 profile to match the peer ID that is the FQDN name www.test.com.
[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com
# Configure the IKEv2 profile to match the peer ID that is the IP address 10.1.1.1.
[Sysname-ikev2-profile-profile1] match remote identity address 10.1.1.1
Related commands
identity local
match local address
match vrf

match vrf (IKEv2 policy view)

Use match vrf to specify a VPN instance that an IKEv2 policy matches.
Use undo match vrf to restore the default.
Syntax
match vrf { name vrf-name | any }