Configuring an IKE Peer
Through IKE peers, a series of attribute data can be defined to describe parameters required by IKE negotiation, including quoting IKE proposals, and configuring the negotiation mode, NAT traversal, and IKE version.
Context
During the configuration of an IKE peer, note the following:
When IPsec is deployed, the path from the local to the peer and its return path can be the same or different. If they are different, they must work in load balancing mode.
If the pre-shared key authentication mode is adopted, you need to configure the same authentication key for both ends of the IPsec tunnel.
Procedure
- Run system-view
The system view is displayed.
- Run ike peer peer-name
An IKE peer is created and the IKE peer view is displayed.
- Run ike-proposal { proposal-number | default }
The IKE proposal is applied in the IKE peer.
If the default parameter in the format is used, the default IKE proposal is used. The system provides three default IKE proposals. If no IKE proposal is created, defult1, eflut2, and deflut3 are used. The default IKE proposals contain insecure algorithms. To ensure better security, you are advised not to use the default IKE proposals.
- Run local-id-type { ip | fqdn | dn | user-fqdn [ user-fqdn ] }
An IKE peer ID type is set.
- Configure the ID of the IKE peer.
If the ID type is configured as the IP address format, run remote-address [ authentication-address | vpn-instance vpn-instance-name ] remote-low-address [ remote-high-address ]
The IP address or IP address segment of the peer end is specified.
authentication-address indicates the authentication address of the peer end. authentication-address is valid only when the ID type is configured as the IP address format.
If the IKE peer is referred to by the IPsec policy template, the IP address of the peer end can be also specified as an IP address segment.
If the ID type is configured as the fqdn, perform the following operations:
Run remote-id remote-id
The ID of the peer is specified.
Run remote-address [ authentication-address | vpn-instance vpn-instance-name ] remote-low-address [ remote-high-address ]
The IP address or IP address segment of the peer end is specified.
If the IKE peer is referred to by the IPsec policy, the IP address of the peer end must be specified, but cannot be specified as an IP address segment.
If the IKE peer is referred to by the IPsec policy template, the IP address of the peer end may not be specified, or the IP address of the peer end may not be specified as an IP address segment. If the IP address of the peer end is not specified, it indicates that the IP address of the peer end can be any IP address.
If a local device corresponds to multiple IKE peers and two IKE peers are allocated the same IP address, the system prompts an address conflict, regardless of whether one is a private IP address and the other is a public IP address. If an IKE peer is allocated an IP address and another IKE peer is allocated an IP address segment that contains the IP address, the system does not prompt an address conflict.
- (Optional) Run sa binding vpn-instance vpn-instance-name
A VPN instance is associated with an SA.
- Run quit,
Return to the system view.
- (Optional) Run ike local-name local-name
The local end name used for IKE negotiation is configured.
- Perform either of the following operations to configure an authentication mode for the peer.
- The authentication mode is set to pre-shared key (pre-share).
- Run the ike peer peer-name, command to enter the IKE peer view.
- Run the pre-shared-key [ cipher ] key command to configure a pre-shared key.
The authentication mode is set to certificate (rsa-sig or rsassa-pss).
Run the ike peer peer-name, command to enter the IKE peer view.
Run the certificate local-filename filename command to configure the name of a certificate used by the local end.
The digital certificate must be configured in advance. For details, see Configuring the PKI Certificate or Configuring Certificate Management in CMP Mode.
- Run commit
The configuration is committed.