The pki whitelist enable command enables the PKI whitelist check function for an IKE peer.
The pki whitelist disable command disables the PKI whitelist check function for an IKE peer.
The undo pki whitelist command restores the default configuration.
By default, the global PKI whitelist check configuration is used.
This command is supported only on the NetEngine 8000 F1A.
Usage Scenario
In LTE scenarios, a security gateway and base stations use certificates to negotiate IPsec tunnels. The PKI whitelist on the security gateway provides a single place to manage which base station certificates are accepted. If PKI whitelist check is enabled on the security gateway using the pki whitelist enable command, the common name (CN) in the subject of each base station certificate must be added to the security gateway's PKI whitelist; otherwise the base station's certificate fails verification even if the certificate chain itself is valid.
Configuration Impact
After PKI whitelist check is enabled for an IKE peer using the pki whitelist enable command and the IKE peer receives certificate authentication packets from a remote device, the IKE peer checks whether the common name in the remote certificate subject matches an entry in the PKI whitelist. If there is no match, the authentication fails.
After PKI whitelist check is disabled for an IKE peer using the pki whitelist disable command, the IKE peer does not compare the common name in the remote certificate subject with the PKI whitelist when it receives certificate authentication packets from a remote device; the whitelist is then not a factor in authentication for that peer. After the default configuration is restored using the undo pki whitelist { enable | disable } command, the per-peer setting is removed and the global PKI whitelist check configuration applies to the peer.
Precautions
Common name matching is case-sensitive: the entry in the PKI whitelist must match the common name in the certificate subject exactly, including letter case.
Changing the PKI whitelist check status of an IKE peer does not affect IPsec tunnels that have already been established; the new setting takes effect only for subsequent IKE negotiations with that peer.
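The following Python model illustrates the decision described under Configuration Impact and Precautions: how the per-peer enable/disable/undo setting resolves against the global setting, and how the subject common name is extracted and matched case-sensitively. It is an added example written for this page, not Huawei code and not the device's implementation; the whitelist entries and subject strings are constructed sample data, and the rule that a certificate is accepted when any one of its CN values is whitelisted is an assumption, since the page does not say how multi-CN subjects are handled.

```python
"""Model of the per-IKE-peer PKI whitelist check described on this page.

Added example, not Huawei code. It models only the documented decision logic:
  - per-peer setting: "enable", "disable", or None (after undo, inherit global)
  - the subject CN is matched case-sensitively against the whitelist
The whitelist and subject DN strings used below are constructed sample data.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample whitelist: CNs of base station certificates we accept.
WHITELIST: Set[str] = {"eNB-Site-0001", "eNB-Site-0002"}


def effective_check_enabled(peer_setting: Optional[str], global_enabled: bool) -> bool:
    """Resolve the whitelist-check state for one IKE peer.

    peer_setting is "enable" (pki whitelist enable), "disable"
    (pki whitelist disable) or None (undo pki whitelist -> use global config).
    """
    if peer_setting is None:
        return global_enabled
    if peer_setting not in ("enable", "disable"):
        raise ValueError(f"unknown per-peer setting: {peer_setting!r}")
    return peer_setting == "enable"


def subject_common_names(subject_dn: str) -> List[str]:
    """Return all CN values from an RFC 4514 string DN, e.g. "CN=x,O=y,C=CN".

    Splits on unescaped ',' (RDN separator) and '+' (multi-valued RDN),
    compares the attribute type case-insensitively (types are), and
    unescapes backslash escapes in the value. Values keep their case.
    """
    names: List[str] = []
    for rdn in re.split(r"(?<!\\),", subject_dn):
        for ava in re.split(r"(?<!\\)\+", rdn):
            if "=" not in ava:
                continue
            attr, value = ava.split("=", 1)
            if attr.strip().upper() == "CN":
                names.append(re.sub(r"\\(.)", r"\1", value.strip()))
    return names


def authenticate_peer(subject_dn: str, whitelist: Set[str],
                      peer_setting: Optional[str], global_enabled: bool) -> Tuple[bool, str]:
    """Decide whether a remote certificate passes the whitelist step.

    Returns (accepted, reason). Accepting when any CN matches is an assumption
    made for this example; the page does not describe multi-CN subjects.
    Matching is exact and case-sensitive, as the Precautions state.
    """
    if not effective_check_enabled(peer_setting, global_enabled):
        return True, "PKI whitelist check not in effect for this peer"
    cns = subject_common_names(subject_dn)
    if not cns:
        return False, "certificate subject carries no CN"
    for cn in cns:
        if cn in whitelist:  # set membership is exact, case-sensitive
            return True, f"CN {cn!r} is in the PKI whitelist"
    return False, f"CN(s) {cns} not in the PKI whitelist; authentication fails"


if __name__ == "__main__":
    cases = [
        ("CN=eNB-Site-0001,O=Operator,C=CN", "enable", False),
        ("CN=enb-site-0001,O=Operator,C=CN", "enable", False),   # case differs
        ("CN=enb-site-0001,O=Operator,C=CN", "disable", True),   # check off
        ("CN=eNB-Site-0009,O=Operator,C=CN", None, True),        # inherits global
    ]
    for dn, setting, glob in cases:
        ok, why = authenticate_peer(dn, WHITELIST, setting, glob)
        print(f"{dn:40s} peer={setting!s:8s} global={glob!s:5s} -> {ok}: {why}")
```

The third case is the important one for operators: with pki whitelist disable on the peer, the whitelist is ignored for that peer even though it is enabled globally, so a base station whose CN was never added (or was added with different case) still authenticates if its certificate chain is otherwise valid.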