16-IP Tunneling and Security VPN Command Reference

04-IKE commands

IKE commands

aaa authorization

Use aaa authorization to enable IKE AAA authorization.

Use undo aaa authorization to disable IKE AAA authorization.

Syntax

aaa authorization domain domain-name username user-name

undo aaa authorization

Default

IKE AAA authorization is disabled.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

username user-name: Specifies the username used for requesting authorization attributes. The username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:

·     The username cannot contain the domain name.

·     The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The username cannot be a, al, or all.
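The name rules above are easy to get wrong by hand (the reserved domain names are exactly the leading prefixes of default and if-unknown, and the reserved usernames the prefixes of all). The following Python checker is an added example and not H3C code; it transcribes the rules from this parameter description, and the helper names and the case-insensitive "username must not contain the domain name" comparison are assumptions of the example.

```python
# Added example: validate the ISP domain name and username that will be
# given to "aaa authorization domain <domain> username <user>".
# Rules are transcribed from the parameter description; helper names are ours.

DOMAIN_FORBIDDEN_CHARS = set('/\\|":*?<>@')   # domain-name: / \ | " : * ? < > @
USER_FORBIDDEN_CHARS = set('/\\|:*?<>@')      # user-name:   / \ | : * ? < > @


def _prefixes(word):
    """All non-empty leading prefixes of word (d, de, def, ... for 'default')."""
    return {word[:i] for i in range(1, len(word) + 1)}


# "d, de, ..., default" and "i, if, ..., if-unknown" are the prefixes of the two
# reserved words; "a, al, all" are the prefixes of "all".
DOMAIN_RESERVED = _prefixes("default") | _prefixes("if-unknown")
USER_RESERVED = _prefixes("all")


def check_domain_name(name):
    """Return the list of rule violations for an ISP domain name ([] if valid)."""
    problems = []
    if not 1 <= len(name) <= 255:
        problems.append("domain name must be 1 to 255 characters")
    bad = sorted(set(name) & DOMAIN_FORBIDDEN_CHARS)
    if bad:
        problems.append("domain name contains forbidden characters: " + " ".join(bad))
    # Domain names are case-insensitive, so the reserved-name check is too.
    if name.lower() in DOMAIN_RESERVED:
        problems.append("domain name is reserved (a prefix of default or if-unknown)")
    return problems


def check_username(user, domain=None):
    """Return the list of rule violations for a username ([] if valid).

    domain is the ISP domain the username is paired with. The rule that the
    username may not contain the domain name is checked case-insensitively
    here because domain names are case-insensitive (an assumption).
    """
    problems = []
    if not 1 <= len(user) <= 55:
        problems.append("username must be 1 to 55 characters")
    bad = sorted(set(user) & USER_FORBIDDEN_CHARS)
    if bad:
        problems.append("username contains forbidden characters: " + " ".join(bad))
    # Usernames are case-sensitive, so only the exact lower-case forms are reserved.
    if user in USER_RESERVED:
        problems.append("username is reserved (a, al or all)")
    if domain and domain.lower() in user.lower():
        problems.append("username must not contain the ISP domain name")
    return problems


def check_aaa_authorization(domain, user):
    """Validate one domain/username pair as the command would receive it."""
    return check_domain_name(domain) + check_username(user, domain)


if __name__ == "__main__":
    for d, u in [("abc", "test"), ("default", "all"), ("corp", "corp-admin")]:
        print(d, u, check_aaa_authorization(d, u) or "ok")
```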

Usage guidelines

The AAA authorization feature enables IKE to request authorization attributes, such as the IKE IPv4 address pool, from AAA.

IKE uses the ISP domain and username to request authorization attributes. AAA uses the authorization settings in the ISP domain to request the user's authorization attributes from the remote AAA server or the local user database. After IKE passes the username authentication, it obtains the authorization attributes.

This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.

Examples

# Create IKE profile profile1.

<Sysname> system-view

[Sysname] ike profile profile1

# Enable AAA authorization. Specify ISP domain abc and username test.

[Sysname-ike-profile-profile1] aaa authorization domain abc username test

authentication-algorithm

Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.

Use undo authentication-algorithm to restore the default.

Syntax

authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 | sm3 }

undo authentication-algorithm

Default

The IKE proposal uses the HMAC-SHA1 authentication algorithm.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

md5: Specifies the HMAC-MD5 algorithm.

sha: Specifies the HMAC-SHA1 algorithm.

sha256: Specifies the HMAC-SHA256 algorithm.

sha384: Specifies the HMAC-SHA384 algorithm.

sha512: Specifies the HMAC-SHA512 algorithm.

sm3: Specifies the HMAC-SM3 algorithm.

Examples

# Specify HMAC-SHA1 as the authentication algorithm for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] authentication-algorithm sha

Related commands

display ike proposal

authentication-method

Use authentication-method to specify an authentication method to be used in an IKE proposal.

Use undo authentication-method to restore the default.

Syntax

authentication-method { dsa-signature | pre-share | rsa-de | rsa-signature | sm2-de }

undo authentication-method

Default

The preshared key authentication method is used.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

dsa-signature: Specifies the DSA signature authentication method.

pre-share: Specifies the preshared key authentication method.

rsa-de: Specifies the RSA digital envelope authentication method.

rsa-signature: Specifies the RSA signature authentication method.

sm2-de: Specifies the SM2 digital envelope authentication method.

Usage guidelines

Preshared key authentication does not require certificates as signature authentication does, and it is usually used on a simple network.

Signature authentication provides higher security, and it is usually deployed on a large-scale network, such as a network with many branches.

On a network with many branches, using preshared key authentication requires the headquarters to configure a preshared key for each branch. Using signature authentication only requires the headquarters to configure one PKI domain.

The digital envelope authentication method is supported only in IKEv1 and must be used if the device is subject to China OSCCA regulations.

Authentication methods configured on both IKE ends must match.

If you specify the RSA or DSA signature authentication method, you must configure the IKE peer to obtain certificates from a CA.

If you specify the preshared key authentication method, you must configure the same preshared key on both IKE ends.

Examples

# Specify the preshared key authentication method for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] authentication-method pre-share

Related commands

display ike proposal

ike keychain

pre-shared-key

certificate domain

Use certificate domain to specify a PKI domain for signature authentication.

Use undo certificate domain to remove a PKI domain for signature authentication.

Syntax

certificate domain domain-name

undo certificate domain domain-name

Default

No PKI domains are specified for signature authentication.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can specify a maximum of six PKI domains for an IKE profile by executing this command multiple times.

IKE uses the specified PKI domains for enrollment, authentication, certificate issuing, validation, and signature. If you do not specify any PKI domains, IKE uses all PKI domains configured on the device.

Follow these restrictions and guidelines for the device to obtain the CA certificate during IKE negotiation:

·     On the initiator:

¡     If the IKE profile has a PKI domain and the automatic certificate request mode is configured for the PKI domain, the initiator automatically obtains the CA certificate.

¡     If the IKE profile has no PKI domain, you must manually obtain the CA certificate.

·     On the responder:

¡     If main mode is used in IKE phase 1, the responder does not automatically obtain the CA certificate. You must manually obtain the CA certificate.

¡     If aggressive mode is used in IKE phase 1, the responder automatically obtains the CA certificate if the following conditions are met:

-     A matching IKE profile is found.

-     A PKI domain is specified in the IKE profile.

-     The automatic certificate request mode is configured for the PKI domain.

If the conditions are not met, you must manually obtain the CA certificate.

IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA certificate already exists locally, IKE automatically requests a local certificate.

Examples

# Specify PKI domain abc for IKE profile 1.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] certificate domain abc

Related commands

authentication-method

pki domain (Security Command Reference)

client-authentication

Use client-authentication to enable client authentication.

Use undo client-authentication to disable client authentication.

Syntax

client-authentication xauth

undo client-authentication xauth

Default

Client authentication is disabled.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

xauth: Uses Extended Authentication within ISAKMP/Oakley (XAUTH) for authentication.

Usage guidelines

Client authentication enables an IPsec gateway to authenticate remote users through a RADIUS server in IKE negotiation. Remote users who provide the correct username and password pass the authentication and continue with the IKE negotiation. This feature simplifies the configuration on the IPsec gateway and ensures the validity of the remote users. If you do not use this feature, you must configure an IPsec policy and an authentication password for each remote user.

Examples

# Enable XAUTH client authentication.

<Sysname> system-view

[Sysname] ike profile test

[Sysname-ike-profile-test] client-authentication xauth

Related commands

local-user (User Access and Authentication Command Reference)

client-authentication xauth user

Use client-authentication xauth user to specify the username and password for client authentication.

Use undo client-authentication xauth user to restore the default.

Syntax

client-authentication xauth user username password { cipher | simple } string

undo client-authentication xauth user

Default

The username and password for client authentication are not specified.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

username: Specifies the username for client authentication. The username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:

·     The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The username cannot be a, al, or all.

password: Specifies the password for client authentication.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

Configure this command in the IKE profile used by a branch gateway. The branch gateway can then use the username and password to pass AAA authentication and establish an IPsec tunnel with the IPsec gateway at the enterprise center.

Examples

# Specify username abc and password 123abc for client authentication.

<Sysname> system-view

[Sysname] ike profile test

[Sysname-ike-profile-test] client-authentication xauth user abc password simple 123abc

description

Use description to configure a description for an IKE proposal.

Use undo description to restore the default.

Syntax

description text

undo description

Default

An IKE proposal does not have a description.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

text: Specifies the description, a case-sensitive string of 1 to 80 characters.

Usage guidelines

When multiple IKE proposals exist, you can configure a different description for each one to distinguish among them.

Examples

# Configure a description of test for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] description test

dh

Use dh to specify the DH group to be used for key negotiation in IKE phase 1.

Use undo dh to restore the default.

Syntax

dh { group1 | group14 | group2 | group24 | group5 }

undo dh

Default

The 768-bit Diffie-Hellman group (group1) is used.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

group1: Uses the 768-bit Diffie-Hellman group.

group14: Uses the 2048-bit Diffie-Hellman group.

group2: Uses the 1024-bit Diffie-Hellman group.

group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.

group5: Uses the 1536-bit Diffie-Hellman group.

Usage guidelines

A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network.

Examples

# Specify the 2048-bit Diffie-Hellman group (group14) for key negotiation in IKE phase 1 in IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] dh group14

Related commands

display ike proposal

display ike proposal

Use display ike proposal to display configuration information about all IKE proposals.

Syntax

display ike proposal

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, this command displays the default IKE proposal.

Examples

# Display the configuration information about all IKE proposals.

<Sysname> display ike proposal

 Priority Authentication Authentication Encryption  Diffie-Hellman Duration
              method       algorithm    algorithm       group      (seconds)
----------------------------------------------------------------------------
 1        RSA-SIG            SHA1        DES-CBC     Group 1        5000
 11       PRE-SHARED-KEY     SHA1        DES-CBC     Group 1        50000
 default  PRE-SHARED-KEY     SHA1        DES-CBC     Group 1        86400

Table 1 Command output

Priority: Priority of the IKE proposal.

Authentication method: Authentication method used by the IKE proposal:

·     DSA-SIG—DSA signature.

·     PRE-SHARED-KEY—Preshared key.

·     RSA-SIG—RSA signature.

·     RSA-DE—RSA digital envelope.

·     SM2-DE—SM2 digital envelope.

Authentication algorithm: Authentication algorithm used in the IKE proposal:

·     MD5—HMAC-MD5 algorithm.

·     SHA1—HMAC-SHA1 algorithm.

·     SHA256—HMAC-SHA256 algorithm.

·     SHA384—HMAC-SHA384 algorithm.

·     SHA512—HMAC-SHA512 algorithm.

·     SM3—HMAC-SM3 algorithm.

Encryption algorithm: Encryption algorithm used by the IKE proposal:

·     3DES-CBC—168-bit 3DES algorithm in CBC mode.

·     AES-CBC-128—128-bit AES algorithm in CBC mode.

·     AES-CBC-192—192-bit AES algorithm in CBC mode.

·     AES-CBC-256—256-bit AES algorithm in CBC mode.

·     DES-CBC—56-bit DES algorithm in CBC mode.

·     SM1-CBC-128—128-bit SM1 algorithm in CBC mode.

·     SM4-CBC—128-bit SM4 algorithm in CBC mode.

Diffie-Hellman group: DH group used in IKE negotiation phase 1.

Duration (seconds): IKE SA lifetime (in seconds) of the IKE proposal.

Related commands

ike proposal
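The default proposal in the output above negotiates DES-CBC, HMAC-SHA1 and DH group 1 (768-bit), which is what a device falls back to when no proposal is configured. The following Python script is an added example, not H3C code: it parses the display ike proposal table (the sample is constructed from the output on this page) and checks each proposal against a hardening baseline. The baseline itself (2048-bit DH groups only, no DES/3DES, no HMAC-MD5) is a constructed policy choice for the example, not a vendor requirement.

```python
import re

# Constructed sample: the display ike proposal output shown on this page.
SAMPLE_OUTPUT = """\
 Priority Authentication Authentication Encryption  Diffie-Hellman Duration
              method       algorithm    algorithm       group      (seconds)
----------------------------------------------------------------------------
 1        RSA-SIG            SHA1        DES-CBC     Group 1        5000
 11       PRE-SHARED-KEY     SHA1        DES-CBC     Group 1        50000
 default  PRE-SHARED-KEY     SHA1        DES-CBC     Group 1        86400
"""

# One data row: priority, auth method, auth algorithm, encryption, "Group N", lifetime.
# The two header lines and the dashed separator never match this pattern.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+Group\s+(\d+)\s+(\d+)\s*$")

# Constructed baseline (a policy choice for this example): keep only the
# 2048-bit DH groups the dh command offers, drop DES/3DES and HMAC-MD5.
POLICY = {
    "allowed_encryption": {"AES-CBC-128", "AES-CBC-192", "AES-CBC-256",
                           "SM4-CBC", "SM1-CBC-128"},
    "forbidden_auth_alg": {"MD5"},
    "allowed_dh_groups": {14, 24},
}


def parse_ike_proposals(text):
    """Parse display ike proposal output into a list of dicts (one per row)."""
    proposals = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        priority, method, auth_alg, enc_alg, group, lifetime = m.groups()
        proposals.append({
            "priority": priority,          # "default" for the built-in proposal
            "auth_method": method,
            "auth_alg": auth_alg,
            "enc_alg": enc_alg,
            "dh_group": int(group),
            "lifetime": int(lifetime),     # IKE SA lifetime in seconds
        })
    return proposals


def audit_proposal(p, policy=POLICY):
    """Return the list of policy findings for one parsed proposal."""
    findings = []
    if p["enc_alg"] not in policy["allowed_encryption"]:
        findings.append(f"encryption {p['enc_alg']} not allowed")
    if p["auth_alg"] in policy["forbidden_auth_alg"]:
        findings.append(f"authentication algorithm {p['auth_alg']} not allowed")
    if p["dh_group"] not in policy["allowed_dh_groups"]:
        findings.append(f"DH group {p['dh_group']} not allowed")
    return findings


def audit_ike_proposals(text, policy=POLICY):
    """Map each proposal priority to its findings; an empty list means compliant."""
    return {p["priority"]: audit_proposal(p, policy)
            for p in parse_ike_proposals(text)}


if __name__ == "__main__":
    for prio, findings in audit_ike_proposals(SAMPLE_OUTPUT).items():
        print(prio, findings or "compliant")
```

Because the parser keys on the literal word Group in the Diffie-Hellman column, it ignores both header lines without needing a line count, so it also works when the output is pasted with leading banner text.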

display ike sa

Use display ike sa to display information about IKE SAs.

Syntax

display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-instance-name ] ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed information.

connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.

remote-address: Displays detailed information about IKE SAs with the specified remote address.

ipv6: Specifies an IPv6 address.

remote-address: Remote IP address.

vpn-instance vpn-instance-name: Displays detailed information about IKE SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays detailed information about IKE SAs for the public network.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKE SAs.

Examples

# Display summary information about all IKE SAs.

<Sysname> display ike sa

    Connection-ID  Remote          Flag        DOI
  ----------------------------------------------------------
      1            202.38.0.2      RD          IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY

Table 2 Command output

Connection-ID: Identifier of the IKE SA.

Remote: Remote IP address of the SA.

Flags: Status of the SA:

·     RD--READY—The SA has been established.

·     RL--REPLACED—The SA has been replaced by a new one and will be deleted later.

·     FD-FADING—The SA is in use, but it is about to expire and will be deleted soon.

·     RK-REKEY—The SA is a Rekey SA.

·     Unknown—The SA status is unknown.

DOI: Interpretation domain to which the SA belongs:

·     IPsec—The SA belongs to an IPsec DOI.

# Display detailed information about all IKE SAs.

<Sysname> display ike sa verbose

    ---------------------------------------------

    Connection ID: 2

    Outside VPN: 1

    Inside VPN: 1

    Profile: prof1

    Transmitting entity: Initiator

    Initiator cookie: 1bcf453f0a217259

    Responder cookie: 5e32a74dfa66a0a4

    ---------------------------------------------

    Local IP: 4.4.4.4

    Local ID type: IPV4_ADDR

    Local ID: 4.4.4.4

 

    Remote IP: 4.4.4.5

    Remote ID type: IPV4_ADDR

    Remote ID: 4.4.4.5

 

    Authentication-method: PRE-SHARED-KEY

    Authentication-algorithm: SHA1

    Encryption-algorithm: AES-CBC-128

 

    Life duration(sec): 86400

    Remaining key duration(sec): 86379

    Exchange-mode: Main

    Diffie-Hellman group: Group 1

    NAT traversal: Not detected

 

    Extend authentication: Enabled

    Assigned IP address: 192.168.2.1

    Vendor ID index: 0xa1d

    Vendor ID sequence number: 0x0

# Display detailed information about the IKE SA with a remote address of 4.4.4.5.

<Sysname> display ike sa verbose remote-address 4.4.4.5

    ---------------------------------------------

    Connection ID: 2

    Outside VPN: 1

    Inside VPN: 1

    Profile: prof1

    Transmitting entity: Initiator

    Initiator cookie: 1bcf453f0a217259

    Responder cookie: 5e32a74dfa66a0a4

    ---------------------------------------------

    Local IP: 4.4.4.4

    Local ID type: IPV4_ADDR

    Local ID: 4.4.4.4

 

    Remote IP: 4.4.4.5

    Remote ID type: IPV4_ADDR

    Remote ID: 4.4.4.5

 

    Authentication-method: PRE-SHARED-KEY

    Authentication-algorithm: SHA1

    Encryption-algorithm: AES-CBC-128

 

    Life duration(sec): 86400

    Remaining key duration(sec): 86379

    Exchange-mode: Main

    Diffie-Hellman group: Group 1

    NAT traversal: Not detected

 

    Extend authentication: Enabled

    Assigned IP address: 192.168.2.1

    Vendor ID index: 0xa1d

    Vendor ID sequence number: 0x0

Table 3 Command output

Connection ID: Identifier of the IKE SA.

Outside VPN: VPN instance name of the MPLS L3VPN to which the receiving interface belongs.

Inside VPN: VPN instance name of the MPLS L3VPN to which the protected data belongs.

Profile: Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing.

Transmitting entity: Role of the IKE negotiation entity: Initiator or Responder.

Initiator cookie: IKE SA initiator cookie.

Responder cookie: IKE SA responder cookie.

Local IP: IP address of the local gateway.

Local ID type: Identifier type of the local gateway.

Local ID: Identifier of the local gateway.

Remote IP: IP address of the remote gateway.

Remote ID type: Identifier type of the remote gateway.

Remote ID: Identifier of the remote security gateway.

Authentication-method: Authentication method used by the IKE proposal.

Authentication-algorithm: Authentication algorithm used by the IKE proposal:

·     MD5—HMAC-MD5 algorithm.

·     SHA1—HMAC-SHA1 algorithm.

·     SHA256—HMAC-SHA256 algorithm.

·     SHA384—HMAC-SHA384 algorithm.

·     SHA512—HMAC-SHA512 algorithm.

·     SM3—HMAC-SM3 algorithm.

Encryption-algorithm: Encryption algorithm used by the IKE proposal:

·     3DES-CBC—168-bit 3DES algorithm in CBC mode.

·     AES-CBC-128—128-bit AES algorithm in CBC mode.

·     AES-CBC-192—192-bit AES algorithm in CBC mode.

·     AES-CBC-256—256-bit AES algorithm in CBC mode.

·     DES-CBC—56-bit DES algorithm in CBC mode.

·     SM1-CBC-128—128-bit SM1 algorithm in CBC mode.

·     SM4-CBC—128-bit SM4 algorithm in CBC mode.

Life duration(sec): Lifetime of the IKE SA in seconds.

Remaining key duration(sec): Remaining lifetime of the IKE SA in seconds.

Exchange-mode: IKE negotiation mode in phase 1: Main or Aggressive.

Diffie-Hellman group: DH group used for key negotiation in IKE phase 1.

NAT traversal: Whether a NAT gateway is detected.

Extend authentication: Whether extended authentication for clients is enabled.

Assigned IP address: IP address assigned to the remote peer. This field is not displayed if no IP address is assigned.

Vendor ID index: Vendor ID index used when the IKE negotiation was triggered.

Vendor ID sequence number: Vendor ID sequence number used when the IKE negotiation was triggered.
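When this output is collected for monitoring, the two formats (the summary table with its flag legend and the verbose key/value blocks) need to be parsed rather than eyeballed. The following Python parser is an added example and not H3C code; both samples are constructed from the output shown above, and the record boundary rule (a new SA starts at each Connection ID line) and the report wording are assumptions of the example.

```python
import re

# Constructed samples: the display ike sa and display ike sa verbose output
# shown on this page.
SAMPLE_SUMMARY = """\
    Connection-ID  Remote          Flag        DOI
  ----------------------------------------------------------
      1            202.38.0.2      RD          IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
"""

SAMPLE_VERBOSE = """\
    ---------------------------------------------
    Connection ID: 2
    Outside VPN: 1
    Inside VPN: 1
    Profile: prof1
    Transmitting entity: Initiator
    Initiator cookie: 1bcf453f0a217259
    Responder cookie: 5e32a74dfa66a0a4
    ---------------------------------------------
    Local IP: 4.4.4.4
    Local ID type: IPV4_ADDR
    Local ID: 4.4.4.4

    Remote IP: 4.4.4.5
    Remote ID type: IPV4_ADDR
    Remote ID: 4.4.4.5

    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: SHA1
    Encryption-algorithm: AES-CBC-128

    Life duration(sec): 86400
    Remaining key duration(sec): 86379
    Exchange-mode: Main
    Diffie-Hellman group: Group 1
    NAT traversal: Not detected

    Extend authentication: Enabled
    Assigned IP address: 192.168.2.1
    Vendor ID index: 0xa1d
    Vendor ID sequence number: 0x0
"""

# Flag codes from the Flags legend of the summary output.
FLAG_NAMES = {"RD": "READY", "RL": "REPLACED", "FD": "FADING", "RK": "REKEY"}

SUMMARY_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
KEY_VALUE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def _convert(value):
    """Turn purely numeric values (VPN ids, lifetimes) into int; keep the rest as text."""
    return int(value) if value.isdigit() else value


def parse_ike_sa_summary(text):
    """Parse display ike sa rows; the Flag code is decoded with the legend."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if not m:        # header, separator and legend lines do not start with a number
            continue
        conn, remote, flag, doi = m.groups()
        rows.append({"connection_id": int(conn), "remote": remote,
                     "state": FLAG_NAMES.get(flag, flag), "doi": doi})
    return rows


def parse_ike_sa_verbose(text):
    """Parse display ike sa verbose output into one dict per IKE SA.

    A new record starts at each 'Connection ID:' line (assumption); dashed
    separators and blank lines are skipped, so one or many SAs can be parsed.
    """
    records, current = [], None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"-"}:
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Connection ID":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = _convert(value)
    return records


def lifetime_remaining_ratio(sa):
    """Fraction of the IKE SA lifetime still remaining (0.0 to 1.0)."""
    total = sa["Life duration(sec)"]
    return sa["Remaining key duration(sec)"] / total if total else 0.0


def sa_report(sa):
    """One-line operator summary of a parsed verbose record."""
    return (f"SA {sa['Connection ID']} {sa['Local IP']}->{sa['Remote IP']} "
            f"{sa['Authentication-method']}/{sa['Authentication-algorithm']}/"
            f"{sa['Encryption-algorithm']} {sa['Diffie-Hellman group']} "
            f"{lifetime_remaining_ratio(sa):.1%} lifetime left, "
            f"NAT traversal: {sa['NAT traversal']}")


if __name__ == "__main__":
    print(parse_ike_sa_summary(SAMPLE_SUMMARY))
    for sa in parse_ike_sa_verbose(SAMPLE_VERBOSE):
        print(sa_report(sa))
```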

display ike statistics

Use display ike statistics to display IKE statistics.

Syntax

display ike statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IKE statistics.

<Sysname> display ike statistics

IKE statistics:

  No matching proposal: 0

  Invalid ID information: 0

  Unavailable certificate: 0

  Unsupported DOI: 0

  Unsupported situation: 0

  Invalid proposal syntax: 0

  Invalid SPI: 0

  Invalid protocol ID: 0

  Invalid certificate: 0

  Authentication failure: 0

  Invalid flags: 0

  Invalid message id: 0

  Invalid cookie: 0

  Invalid transform ID: 0

  Malformed payload: 0

  Invalid key information: 0

  Invalid hash information: 0

  Unsupported attribute: 0

  Unsupported certificate type: 0

  Invalid certificate authority: 0

  Invalid signature: 0

  Unsupported exchange type: 0

  No available SA: 1

  Retransmit timeout: 0

  Not enough memory: 0

  Enqueue fails: 0

  Failures to send R_U_THERE DPD packets: 0

  Failures to receive R_U_THERE DPD packets: 0

  Failures to send ACK DPD packets: 0

  Failures to receive ACK DPD packets: 0

  Sent P1 SA lifetime change packets: 0

  Received P1 SA lifetime change packets: total=0, process failures=0 (no SA=0, failures to reset SA soft lifetime=0, failures to reset SA hard lifetime=0)

  Sent P2 SA lifetime change packets: 0

  Received P2 SA lifetime change packets: total=0, process failures=0

Related commands

reset ike statistics

dpd

Use dpd to configure IKE DPD.

Use undo dpd to disable IKE DPD.

Syntax

dpd interval interval [ retry seconds ] { on-demand | periodic }

undo dpd interval

Default

IKE DPD is disabled.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds.

retry seconds: Specifies the DPD retry interval in the range of 1 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.

It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.

Examples

# Configure on-demand DPD with a triggering interval of 10 seconds and a retry interval of 5 seconds.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] dpd interval 10 retry 5 on-demand

Related commands

ike dpd

encryption-algorithm

Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.

Use undo encryption-algorithm to restore the default.

Syntax

encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | sm1-cbc-128 | sm4-cbc }

undo encryption-algorithm

Default

An IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode. The 3DES algorithm uses a 168-bit key for encryption.

aes-cbc-128: Specifies the AES algorithm in CBC mode. The AES algorithm uses a 128-bit key for encryption.

aes-cbc-192: Specifies the AES algorithm in CBC mode. The AES algorithm uses a 192-bit key for encryption.

aes-cbc-256: Specifies the AES algorithm in CBC mode. The AES algorithm uses a 256-bit key for encryption.

des-cbc: Specifies the DES algorithm in CBC mode. The DES algorithm uses a 56-bit key for encryption.

sm1-cbc-128: Specifies the SM1 algorithm in CBC mode. The SM1 algorithm uses a 128-bit key for encryption.

sm4-cbc: Uses the SM4 algorithm in CBC mode as the encryption algorithm. The SM4 algorithm uses a 128-bit key.

Examples

# Use the 128-bit AES algorithm in CBC mode as the encryption algorithm for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] encryption-algorithm aes-cbc-128

Related commands

display ike proposal

exchange-mode

Use exchange-mode to select an IKE negotiation mode for phase 1.

Use undo exchange-mode to restore the default.

Syntax

exchange-mode { aggressive | gm-main | main }

undo exchange-mode


Default

Main mode is used for phase 1.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

aggressive: Specifies the aggressive mode.

gm-main: Specifies the GM main mode.

main: Specifies the main mode.

Usage guidelines

As a best practice, specify the aggressive mode at the local end if the following conditions are met:

·     The local end, for example, a dialup user, obtains an IP address automatically.

·     Preshared key authentication is used.

If you specify the GM main mode for phase 1 IKE negotiation, make sure the authentication method is RSA-DE or SM2-DE digital envelope authentication.

Examples

# Specify that IKE negotiation operates in GM main mode.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] exchange-mode gm-main

# Specify that IKE negotiation operates in main mode.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] exchange-mode main

Related commands

display ike proposal

ike address-group

Use ike address-group to configure an IKE IPv4 address pool for assigning IPv4 addresses to remote peers.

Use undo ike address-group to delete an IKE IPv4 address pool.

Syntax

ike address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]

undo ike address-group group-name

Default

No IKE IPv4 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKE IPv4 address pool, a case-insensitive string of 1 to 63 characters.

start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.

mask: Specifies the IPv4 address mask.

mask-length: Specifies the length of the IPv4 address mask.

Usage guidelines

An IKE IPv4 address pool can contain a maximum of 8192 IPv4 addresses.

To modify or delete an address pool, you must delete all IKE SAs and IPsec SAs. Otherwise, the assigned IPv4 addresses might not be reclaimed.

Examples

# Configure an IKE IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask 255.255.255.0.

<Sysname> system-view

[Sysname] ike address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0

# Configure an IKE IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask length 32.

<Sysname> system-view

[Sysname] ike address-group ipv4group 1.1.1.1 1.1.1.2 32

Related commands

aaa authorization
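The dpd / ike dpd commands and the ike address-group command both carry limits that are only enforced when the command is typed (interval 1 to 300 seconds, retry 1 to 60 seconds with a default of 5, the guideline that the triggering interval exceed the retry interval, and a pool of at most 8192 addresses whose mask may be dotted or a length). The following Python checker is an added example and not H3C code; it transcribes those limits so a configuration can be validated before it is pushed. The helper names and the treatment of a zero-size range as "end precedes start" are assumptions of the example.

```python
import ipaddress

# Limits transcribed from the dpd / ike dpd and ike address-group parameter
# descriptions; helper names are ours.
DPD_INTERVAL = (1, 300)       # triggering interval, seconds
DPD_RETRY = (1, 60)           # retry interval, seconds
DPD_RETRY_DEFAULT = 5         # used when "retry" is omitted
DPD_MODES = {"on-demand", "periodic"}
POOL_MAX_ADDRESSES = 8192
POOL_NAME_MAX = 63


def check_dpd(interval, retry=None, mode="on-demand"):
    """Return rule violations for 'dpd interval <interval> [retry <retry>] <mode>'."""
    retry = DPD_RETRY_DEFAULT if retry is None else retry
    problems = []
    if not DPD_INTERVAL[0] <= interval <= DPD_INTERVAL[1]:
        problems.append(f"interval {interval} outside {DPD_INTERVAL[0]}-{DPD_INTERVAL[1]} seconds")
    if not DPD_RETRY[0] <= retry <= DPD_RETRY[1]:
        problems.append(f"retry {retry} outside {DPD_RETRY[0]}-{DPD_RETRY[1]} seconds")
    if mode not in DPD_MODES:
        problems.append(f"mode must be one of {sorted(DPD_MODES)}")
    # Usage guideline: a new detection must not start while a retry of the
    # previous one is still pending, so interval should exceed retry.
    if interval <= retry:
        problems.append(f"triggering interval {interval} should be longer than retry interval {retry}")
    return problems


def pool_size(start, end):
    """Number of addresses in an inclusive IPv4 range (0 if end precedes start)."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return max(0, int(e) - int(s) + 1)


def check_address_group(name, start, end, mask=None):
    """Return rule violations for 'ike address-group <name> <start> <end> [mask | mask-length]'."""
    problems = []
    if not 1 <= len(name) <= POOL_NAME_MAX:
        problems.append(f"pool name must be 1 to {POOL_NAME_MAX} characters")
    try:
        size = pool_size(start, end)
    except ipaddress.AddressValueError as exc:
        return problems + [f"invalid IPv4 address: {exc}"]
    if size == 0:
        problems.append("end address precedes start address")
    elif size > POOL_MAX_ADDRESSES:
        problems.append(f"pool holds {size} addresses, maximum is {POOL_MAX_ADDRESSES}")
    if mask is not None:
        # Both forms are accepted: a dotted mask (255.255.255.0) or a length (0-32).
        # IPv4Network rejects non-contiguous dotted masks and lengths above 32.
        try:
            ipaddress.IPv4Network(f"0.0.0.0/{mask}")
        except ValueError:
            problems.append(f"invalid mask or mask length: {mask}")
    return problems


if __name__ == "__main__":
    print(check_dpd(10, 5, "on-demand") or "dpd ok")
    print(check_dpd(5, 10))
    print(check_address_group("ipv4group", "1.1.1.1", "1.1.1.2", "255.255.255.0") or "pool ok")
    print(check_address_group("ipv4group", "10.0.0.0", "10.0.32.0", "32"))
```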

ike compatible-gm-main enable

Use ike compatible-gm-main enable to enable GM main mode compatibility.

Use undo ike compatible-gm-main enable to restore the default.

Syntax

ike compatible-gm-main enable

undo ike compatible-gm-main enable

Default

The GM main mode compatibility is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command is not supported in FIPS mode.

IKE peers running different software versions might have the GM main mode compatibility issue (signature verification failure) during IKE negotiation. If the device encounters this issue with its peer, you can execute this command on the device.

Do not execute this command on the device if the device does not have the GM main mode compatibility issue with its peers.

Examples

# Enable GM main mode compatibility.

<Sysname> system-view

[Sysname] ike compatible-gm-main enable

ike compatible-sm4 enable

Use ike compatible-sm4 enable to enable SM4-CBC key length compatibility.

Use undo ike compatible-sm4 enable to restore the default.

Syntax

ike compatible-sm4 enable

undo ike compatible-sm4 enable

Default

SM4-CBC key length compatibility is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command is not supported in FIPS mode.

IKE peers running different software versions might have the SM4-CBC key length compatibility issue during IKE negotiation. If the device encounters this issue with its peer, you can execute this command on the device.

Do not execute this command on the device if the device does not have the SM4-CBC key length compatibility issue with its peers.

Examples

# Enable SM4-CBC key length compatibility.

<Sysname> system-view

[Sysname] ike compatible-sm4 enable

ike dpd

Use ike dpd to configure global IKE DPD.

Use undo ike dpd to disable global IKE DPD.

Syntax

ike dpd interval interval [ retry seconds ] { on-demand | periodic }

undo ike dpd interval

Default

Global IKE DPD is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds.

retry seconds: Specifies the DPD retry interval in the range of 1 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.

It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.

Examples

# Configure global on-demand DPD with a triggering interval of 10 seconds and a retry interval of 5 seconds.

<Sysname> system-view

[Sysname] ike dpd interval 10 retry 5 on-demand

Related commands

dpd

ike gm-main sm4-version

Use ike gm-main sm4-version to specify the SM4 algorithm version used in IKE GM main negotiation.

Use undo ike gm-main sm4-version to restore the default.

Syntax

ike gm-main sm4-version { draft | standard }

undo ike gm-main sm4-version

Default

The standard SM4 algorithm is used in IKE GM main negotiation.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

draft: Specifies the draft version of the SM4 algorithm. The attribute value for the draft SM4 is 127.

standard: Specifies the standard version of the SM4 algorithm. The attribute value for the standard SM4 is 129.

Usage guidelines

This command is not supported in FIPS mode.

Specify the SM4 version used by the device to initiate an IKE negotiation with a device from other vendors to make sure the two devices use the same SM4 version in the negotiation.

This command takes effect only on negotiations for new IKE SAs. It does not apply to existing IKE SAs.

Examples

# In IKE profile view, configure the IKE GM main negotiation to use the draft SM4 algorithm.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] ike gm-main sm4-version draft

ike identity

Use ike identity to specify the global identity used by the local end during IKE negotiations.

Use undo ike identity to restore the default.

Syntax

ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }

undo ike identity

Default

The IP address of the interface where the IPsec policy applies is used as the IKE identity.

Views

System view

Predefined user roles

network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the identity.

dn: Uses the DN in the digital signature as the identity.

fqdn fqdn-name: Uses the FQDN name as the identity. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.

user-fqdn user-fqdn-name: Uses the user FQDN name as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, abc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.

Usage guidelines

The global identity applies to all IKE SA negotiations. The local identity set by the local-identity command for an IKE profile applies only to IKE SA negotiations that use that IKE profile.

If the local authentication method is signature authentication, you can set an identity of any type. If the local authentication method is preshared key authentication, you cannot set the DN as the identity.

The ike signature-identity from-certificate command sets the local device to always use the identity information obtained from the local certificate for signature authentication. If the ike signature-identity from-certificate command is not set, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.

Examples

# Specify IP address 2.2.2.2 as the identity.

<Sysname> system-view

[Sysname] ike identity address 2.2.2.2

Related commands

local-identity

ike signature-identity from-certificate

ike invalid-spi-recovery enable

Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.

Use undo ike invalid-spi-recovery enable to disable invalid SPI recovery.

Syntax

ike invalid-spi-recovery enable

undo ike invalid-spi-recovery enable

Default

Invalid SPI recovery is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer. When that peer then receives a data packet for which it cannot find an SA, it encounters an invalid SPI. It drops the packet and tries to send an invalid SPI notification to the originator. This notification is sent by using the IKE SA, so when no IKE SA is available, the notification is not sent. The originating peer continues sending data by using the IPsec SA with the now-invalid SPI, and the receiving peer keeps dropping the traffic.

The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.

Use caution when you enable the invalid SPI recovery feature, because it exposes the device to DoS attacks: an attacker can cause a great number of invalid SPI notifications to be sent to the same peer.

Examples

# Enable invalid SPI recovery.

<Sysname> system-view

[Sysname] ike invalid-spi-recovery enable

ike keepalive interval

Use ike keepalive interval to set the IKE keepalive interval.

Use undo ike keepalive interval to restore the default.

Syntax

ike keepalive interval interval

undo ike keepalive interval

Default

No IKE keepalives are sent.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800.

Usage guidelines

To detect the status of the peer, configure IKE DPD instead of the IKE keepalive feature, unless IKE DPD is not supported on the peer.

The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times the keepalive interval.

Examples

# Set the keepalive interval to 200 seconds.

<Sysname> system-view

[Sysname] ike keepalive interval 200

Related commands

ike keepalive timeout

ike keepalive timeout

Use ike keepalive timeout to set the IKE keepalive timeout time.

Use undo ike keepalive timeout to restore the default.

Syntax

ike keepalive timeout seconds

undo ike keepalive timeout

Default

The IKE keepalive timeout time is not set.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKE keepalive timeout time in seconds. The value range for this argument is 20 to 28800.

Usage guidelines

If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.

The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times the keepalive interval.

Examples

# Set the keepalive timeout time to 20 seconds.

<Sysname> system-view

[Sysname] ike keepalive timeout 20

Related commands

ike keepalive interval

ike keychain

Use ike keychain to create an IKE keychain and enter its view, or enter the view of an existing IKE keychain.

Use undo ike keychain to delete an IKE keychain.

Syntax

ike keychain keychain-name [ vpn-instance vpn-instance-name ]

undo ike keychain keychain-name [ vpn-instance vpn-instance-name ]

Default

No IKE keychains exist.

Views

System view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IKE keychain belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.

Usage guidelines

To use preshared key authentication, you must create and specify an IKE keychain for the IKE profile.

Examples

# Create IKE keychain key1 and enter its view.

<Sysname> system-view

[Sysname] ike keychain key1

[Sysname-ike-keychain-key1]

Related commands

authentication-method

pre-shared-key

ike limit

Use ike limit to set the maximum number of half-open or established IKE SAs.

Use undo ike limit to restore the default.

Syntax

ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }

undo ike limit { max-negotiating-sa | max-sa }

Default

There is no limit to the maximum number of half-open or established IKE SAs.

Views

System view

Predefined user roles

network-admin

Parameters

max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs and IPsec SAs. The value range for the negotiation-limit argument is 1 to 99999.

max-sa sa-limit: Specifies the maximum number of established IKE SAs. The value range for the sa-limit argument is 1 to 99999.

Usage guidelines

The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.

The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.

Examples

# Set the maximum number of half-open IKE SAs and IPsec SAs to 200.

<Sysname> system-view

[Sysname] ike limit max-negotiating-sa 200

# Set the maximum number of established IKE SAs to 5000.

<Sysname> system-view

[Sysname] ike limit max-sa 5000

ike logging negotiation enable

Use ike logging negotiation enable to enable logging for IKE negotiation.

Use undo ike logging negotiation enable to disable logging for IKE negotiation.

Syntax

ike logging negotiation enable

undo ike logging negotiation enable

Default

Logging for IKE negotiation is disabled.


Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to output logs for the IKE negotiation process.

Examples

# Enable logging for IKE negotiation.

<Sysname> system-view

[Sysname] ike logging negotiation enable

ike nat-keepalive

Use ike nat-keepalive to set the NAT keepalive interval.

Use undo ike nat-keepalive to restore the default.

Syntax

ike nat-keepalive seconds

undo ike nat-keepalive

Default

The NAT keepalive interval is 20 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.

Usage guidelines

This command takes effect only for a device that resides in the private network behind a NAT gateway. The device behind the NAT gateway needs to send NAT keepalives to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime. For information about how to display the lifetime of NAT sessions, see NAT Command Reference.

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ike nat-keepalive 5

ike profile

Use ike profile to create an IKE profile and enter its view, or enter the view of an existing IKE profile.

Use undo ike profile to delete an IKE profile.

Syntax

ike profile profile-name

undo ike profile profile-name

Default

No IKE profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters.

Examples

# Create IKE profile 1 and enter its view.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1]

ike proposal

Use ike proposal to create an IKE proposal and enter its view, or enter the view of an existing IKE proposal.

Use undo ike proposal to delete an IKE proposal.

Syntax

ike proposal proposal-number

undo ike proposal proposal-number

Default

An IKE proposal exists, which has the lowest priority and uses the following settings:

·     Encryption algorithm—DES-CBC.

·     Authentication algorithm—HMAC-SHA1.

·     Authentication method—Preshared key authentication.

·     DH group—768-bit Diffie-Hellman group (group1).

·     IKE SA lifetime—86400 seconds.

You cannot change the settings of the default IKE proposal.

Views

System view

Predefined user roles

network-admin

Parameters

proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.

Usage guidelines

During IKE negotiation:

·     The initiator sends its IKE proposals to the peer.

    ·     If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified for the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.

    ·     If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.

·     The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If no user-defined IKE proposal matches, the two peers use their default IKE proposals to establish the IKE SA.
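The negotiation described above, as an added example (Python, not H3C code): it models the initiator's proposal ordering, the responder's priority-ordered search, and the fallback to the default proposal listed in this command's Default section, which a defender would want to notice because it silently lands on DES-CBC and DH group1. The Proposal fields, the matching rule (the four algorithm-related settings must be equal; lifetime is not compared) and the weak-setting check are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE proposal. A smaller number means a higher priority (1-65535)."""
    number: int
    encryption: str
    authentication: str
    auth_method: str
    dh_group: str
    lifetime: int = 86400

    def algorithms(self) -> Tuple[str, str, str, str]:
        # Assumption of this model: two proposals match when these four
        # settings are equal; the lifetime is not part of the comparison.
        return (self.encryption, self.authentication, self.auth_method, self.dh_group)


# The default proposal from the Default section: lowest priority, cannot be
# changed. Its number is a placeholder above the 1-65535 range so that it
# always sorts last.
DEFAULT_PROPOSAL = Proposal(65536, "DES-CBC", "HMAC-SHA1", "pre-share", "group1", 86400)

# Settings a defender would not want to see negotiated (what the default gives).
WEAK_SETTINGS = {"DES-CBC", "group1"}


def by_priority(proposals: List[Proposal]) -> List[Proposal]:
    """User-defined proposals from highest to lowest priority, default last."""
    return sorted(proposals, key=lambda p: p.number) + [DEFAULT_PROPOSAL]


def initiator_offer(system_proposals: List[Proposal],
                    profile_proposals: Optional[List[Proposal]] = None) -> List[Proposal]:
    """Proposals the initiator sends, in the order it sends them.

    With an IKE profile the proposals are sent in the order they were
    specified for the profile (earlier = higher priority); without a profile
    all system proposals are sent, smaller number first. The default proposal
    is always available as the last resort.
    """
    if profile_proposals:
        return list(profile_proposals) + [DEFAULT_PROPOSAL]
    return by_priority(system_proposals)


def responder_select(offered: List[Proposal], own: List[Proposal]) -> Proposal:
    """The responder walks its own proposals from highest to lowest priority
    and stops at the first one that any offered proposal matches."""
    for candidate in by_priority(own):
        for sent in offered:
            if sent.algorithms() == candidate.algorithms():
                return candidate
    return DEFAULT_PROPOSAL  # not reached: both sides always hold the default


def negotiate(initiator_system: List[Proposal], responder_system: List[Proposal],
              initiator_profile: Optional[List[Proposal]] = None) -> Tuple[Proposal, bool]:
    """Return the proposal the IKE SA will use and whether the peers fell
    back to the default proposal because nothing user-defined matched."""
    chosen = responder_select(initiator_offer(initiator_system, initiator_profile),
                              responder_system)
    return chosen, chosen is DEFAULT_PROPOSAL


def uses_weak_settings(p: Proposal) -> bool:
    return p.encryption in WEAK_SETTINGS or p.dh_group in WEAK_SETTINGS


if __name__ == "__main__":
    # Constructed sample proposals for both peers.
    p1 = Proposal(1, "AES-CBC-256", "HMAC-SHA256", "pre-share", "group14")
    p2 = Proposal(2, "AES-CBC-128", "HMAC-SHA1", "pre-share", "group2")
    r10 = Proposal(10, "AES-CBC-128", "HMAC-SHA1", "pre-share", "group2")
    r20 = Proposal(20, "AES-CBC-256", "HMAC-SHA256", "pre-share", "group14")
    r30 = Proposal(30, "AES-CBC-256", "HMAC-SHA512", "pre-share", "group14")

    # The responder's priority order decides: r10 is examined first and p2 matches it.
    chosen, fell_back = negotiate([p1, p2], [r10, r20])
    print("no profile  :", chosen.number, chosen.algorithms(), "default:", fell_back)
    # With a profile that lists only proposal 1, the responder settles on r20.
    chosen, fell_back = negotiate([p1, p2], [r10, r20], initiator_profile=[p1])
    print("profile [1] :", chosen.number, chosen.algorithms(), "default:", fell_back)
    # Nothing user-defined matches: silent downgrade to DES-CBC / group1.
    chosen, fell_back = negotiate([p1, p2], [r30])
    print("mismatch    :", chosen.algorithms(), "default:", fell_back,
          "weak:", uses_weak_settings(chosen))
```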

Examples

# Create IKE proposal 1 and enter its view.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1]

Related commands

display ike proposal

ike signature-identity from-certificate

Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication.

Use undo ike signature-identity from-certificate to restore the default.

Syntax

ike signature-identity from-certificate

undo ike signature-identity from-certificate

Default

The local end uses the identity information specified by the local-identity or ike identity command for signature authentication.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command requires the local device to always use the identity information in the local certificate for signature authentication, regardless of the local-identity or ike identity configuration.

Configure this command when the aggressive mode and signature authentication are used and the device interconnects with a Comware 5-based peer device. Comware 5 supports only DN for signature authentication.

If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.

Examples

# Configure the local device to always obtain the identity information from the local certificate for signature authentication.

<Sysname> system-view

[Sysname] ike signature-identity from-certificate

Related commands

local-identity

ike identity

inside-vpn

Use inside-vpn to specify an inside VPN instance.

Use undo inside-vpn to restore the default.

Syntax

inside-vpn vpn-instance vpn-instance-name

undo inside-vpn

Default

No inside VPN instance is specified for an IKE profile. The device forwards protected data to the VPN instance where the interface that receives the data resides.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the device forwards protected data. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

This command determines where the device should forward received IPsec protected data. If you configure this command, the device looks for a route in the specified VPN instance to forward the data. If you do not configure this command, the device looks for a route in the VPN instance where the receiving interface resides to forward the data.

Examples

# Specify inside VPN instance vpn1 for IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] inside-vpn vpn-instance vpn1

keychain

Use keychain to specify an IKE keychain for preshared key authentication.

Use undo keychain to remove an IKE keychain.

Syntax

keychain keychain-name

undo keychain keychain-name

Default

No IKE keychain is specified for preshared key authentication.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority.

Examples

# Specify IKE keychain abc for IKE profile 1.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] keychain abc

Related commands

ike keychain

local-identity

Use local-identity to configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.

Use undo local-identity to restore the default.

Syntax

local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }

undo local-identity

Default

No local ID is configured for an IKE profile. An IKE profile uses the local ID configured in system view by using the ike identity command. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy is applied as the local ID.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.

dn: Uses the DN in the local certificate as the local ID.

fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.

user-fqdn user-fqdn-name: Uses a user FQDN as the local ID. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as adc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.

Usage guidelines

For digital signature authentication, the device can use any type of ID. For preshared key authentication, the device can use any type of ID other than the DN.

In digital signature authentication, if the local ID is an IP address that is different from the IP address in the local certificate, the device uses its FQDN instead. The FQDN is the device name configured by using the sysname command.

In aggressive mode, for digital signature authentication, if the local ID is the DN in the local certificate, the device uses its FQDN instead for IKE negotiation. To use the DN in the local certificate as the local ID for IKE negotiation, execute the ike signature-identity from-certificate command in system view.

The initiator uses the local ID to identify itself to the responder. The responder compares the initiator's ID with the peer IDs configured by the match remote command to look for a matching IKE profile.

An IKE profile can have only one local ID.

An IKE profile with no local ID specified uses the local ID configured by using the ike identity command in system view.

Examples

# Set the local ID to IP address 2.2.2.2.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] local-identity address 2.2.2.2

Related commands

match remote

ike identity

ike signature-identity from-certificate

match local address (IKE keychain view)

Use match local address to specify a local interface or IP address to which an IKE keychain can be applied.

Use undo match local address to restore the default.

Syntax

match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

undo match local address

Default

An IKE keychain can be applied to any local interface or IP address.

Views

IKE keychain view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the IPv4 or IPv6 address belongs to the public network, do not specify this option.

Usage guidelines

Use this command to specify which address or interface can use the IKE keychain for IKE negotiation. Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. To give an IKE keychain a higher priority, you can configure this command for the keychain. For example, suppose you specified IKE keychain A before specifying IKE keychain B, and you configured the peer ID 2.2.0.0/16 for IKE keychain A and the peer ID 2.2.2.0/24 for IKE keychain B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKE keychain A is preferred because IKE keychain A was specified earlier. To use IKE keychain B, you can use this command to restrict the application scope of IKE keychain B to address 3.3.3.3.

Examples

# Create IKE keychain key1.

<Sysname> system-view

[Sysname] ike keychain key1

# Apply IKE keychain key1 to IP address 2.2.2.2.

[Sysname-ike-keychain-key1] match local address 2.2.2.2

# Apply IKE keychain key1 to the interface with IP address 2.2.2.2 in VPN instance vpn1.

[Sysname-ike-keychain-key1] match local address 2.2.2.2 vpn-instance vpn1

match local address (IKE profile view)

Use match local address to specify a local interface or IP address to which an IKE profile can be applied.

Use undo match local address to restore the default.

Syntax

match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

undo match local address

Default

An IKE profile can be applied to any local interface or IP address.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the IPv4 or IPv6 address belongs to the public network, do not specify this option.

Usage guidelines

Use this command to specify which address or interface can use the IKE profile for IKE negotiation. Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

An IKE profile configured earlier has a higher priority. To give an IKE profile that is configured later a higher priority, you can configure this command for the profile. For example, suppose you configured IKE profile A before configuring IKE profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKE profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKE profile B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B, you can use this command to restrict the application scope of IKE profile B to address 3.3.3.3.

Examples

# Create IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

# Apply IKE profile prof1 to IP address 2.2.2.2.

[Sysname-ike-profile-prof1] match local address 2.2.2.2

# Apply IKE profile prof1 to the interface with IP address 2.2.2.2 in VPN instance vpn1.

[Sysname-ike-profile-prof1] match local address 2.2.2.2 vpn-instance vpn1

match remote

Use match remote to configure a peer ID for IKE profile matching.

Use undo match remote to delete a peer ID for IKE profile matching.

Syntax

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }

undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }

Default

No peer ID is configured for IKE profile matching.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching. The policy-name argument is a string of 1 to 31 characters.

identity: Uses the specified information as the peer ID for IKE profile matching. The specified information is configured on the peer by using the local-identity command.

·     address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKE profile matching. The value range for the mask-length argument is 0 to 32, and the default is 32.

·     address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.

·     address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKE profile matching. The value range for the prefix-length argument is 0 to 128, and the default is 128.

·     address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.

·     fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

·     user-fqdn user-fqdn-name: Uses the peer's user FQDN as the peer ID for IKE profile matching. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as adc@test.com.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified address or addresses belong. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the address or addresses belong to the public network, do not specify this option.

Usage guidelines

When an end needs to select an IKE profile, it compares the received peer ID with the peer IDs configured for its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation.

Each IKE profile must have at least one peer ID configured. To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.

For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.

Examples

# Create IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

# Configure a peer ID with the identity type of FQDN and the value of www.test.com.

[Sysname-ike-profile-prof1] match remote identity fqdn www.test.com

# Configure a peer ID with the identity type of IP address and the value of 10.1.1.1.

[Sysname-ike-profile-prof1] match remote identity address 10.1.1.1

Related commands

local-identity

pre-shared-key

Use pre-shared-key to configure a preshared key.

Use undo pre-shared-key to delete a preshared key.

Syntax

pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher | simple } string

undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }


Default

No preshared key is configured.

Views

IKE keychain view

Predefined user roles

network-admin

Parameters

address: Specifies a peer by its address.

ipv4-address: Specifies the IPv4 address of the peer.

mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255.

mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32.

ipv6: Specifies an IPv6 peer.

ipv6-address: Specifies the IPv6 address of the peer.

prefix-length: Specifies the prefix length in the range of 0 to 128. The default prefix length is 128.

hostname host-name: Specifies a peer by its hostname, a case-sensitive string of 1 to 255 characters.

key: Specifies a preshared key.

cipher: Specifies a preshared key in encrypted form.

simple: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the preshared key. The key is case sensitive. Its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters.

Usage guidelines

The address option or the hostname option specifies the peer with which the device can use the preshared key to perform IKE negotiation.

If you specify the peer by using the hostname option, the device can act only as a responder in IKE negotiation, and it must use the aggressive mode in IKE phase 1. The peer device ID must be the peer FQDN that matches the hostname.

Two peers must be configured with the same preshared key to pass preshared key authentication.

This command does not support configuring a preshared key in interactive mode.

Examples

# Create IKE keychain key1 and enter IKE keychain view.

<Sysname> system-view

[Sysname] ike keychain key1

# Set the preshared key to be used for IKE negotiation with peer 1.1.1.2 to 123456TESTplat&!.

[Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456TESTplat&!

Related commands

authentication-method

keychain

priority (IKE keychain view)

Use priority to specify a priority for an IKE keychain.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKE keychain is 100.

Views

IKE keychain view

Predefined user roles

network-admin

Parameters

priority priority: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority.

Usage guidelines

To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address command configured.

Examples

# Set the priority to 10 for IKE keychain key1.

<Sysname> system-view

[Sysname] ike keychain key1

[Sysname-ike-keychain-key1] priority 10

priority (IKE profile view)

Use priority to specify a priority for an IKE profile.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKE profile is 100.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

priority priority: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority.

Usage guidelines

To determine the priority of an IKE profile, the device examines the existence of the match local address command before examining the priority number. An IKE profile with the match local address command configured has a higher priority than an IKE profile that does not have the match local address command configured.

Examples

# Set the priority to 10 for IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] priority 10

proposal

Use proposal to specify IKE proposals for an IKE profile.

Use undo proposal to restore the default.

Syntax

proposal proposal-number&<1-6>

undo proposal

Default

No IKE proposals are specified for an IKE profile and the IKE proposals configured in system view are used for IKE negotiation.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

proposal-number&<1-6>: Specifies a space-separated list of up to six IKE proposals by their numbers in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority.

Usage guidelines

When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation. When acting as the responder, the device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator.

Examples

# Specify IKE proposal 10 for IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] proposal 10

Related commands

ike proposal

reset ike sa

Use reset ike sa to delete IKE SAs.

Syntax

reset ike sa [ connection-id connection-id ]

Views

User view

Predefined user roles

network-admin

Parameters

connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.

Usage guidelines

When you delete an IKE SA, the device automatically sends a notification to the peer.

Examples

# Display the current IKE SAs.

<Sysname> display ike sa

    Connection-ID  Remote            Flag        DOI

  ----------------------------------------------------------

      1            202.38.0.2        RD          IPsec

      2            202.38.0.3        RD          IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

# Delete the IKE SA with the connection ID 2.

<Sysname> reset ike sa connection-id 2

# Display the current IKE SAs.

<Sysname> display ike sa

    Connection-ID  Remote            Flag        DOI

  ----------------------------------------------------------

      1            202.38.0.2        RD          IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

reset ike statistics

Use reset ike statistics to clear IKE MIB statistics.

Syntax

reset ike statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear IKE MIB statistics.

<Sysname> reset ike statistics

Related commands

snmp-agent trap enable ike

sa duration

Use sa duration to set the IKE SA lifetime for an IKE proposal.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The IKE SA lifetime is 86400 seconds for an IKE proposal.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800.

Usage guidelines

Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated. The old IKE SA will be cleared when it expires.

If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.

If the IPsec SA lifetime is also configured, set the IKE SA lifetime longer than the IPsec SA lifetime as a best practice.

Examples

# Set the IKE SA lifetime to 600 seconds for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] sa duration 600

Related commands

display ike proposal

sa soft-duration buffer

Use sa soft-duration buffer to set the IKE SA soft lifetime buffer time.

Use undo sa soft-duration buffer to restore the default.

Syntax

sa soft-duration buffer seconds

undo sa soft-duration buffer

Default

The IKE SA soft lifetime buffer time is not configured.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKE SA soft lifetime buffer time, in seconds. The value range is 10 to 36000.

Usage guidelines

This command takes effect only when IKEv1 is used.

The IKE SA soft lifetime buffer time is used to determine the IKE SA soft lifetime. A new IKE SA is negotiated when the IKE SA soft lifetime expires.

The IKE SA soft lifetime is calculated as follows: IKE SA soft lifetime = IKE SA lifetime – IKE SA soft lifetime buffer time.

If the IKE SA soft lifetime buffer time is not configured, the system calculates a default IKE SA soft lifetime based on the IKE SA lifetime.

The default IKE SA soft lifetime is also used if the IKE soft lifetime calculated based on the soft lifetime buffer is shorter than or equal to 10 seconds.

Examples

# Set the IKE SA soft lifetime buffer time to 600 seconds.

<Sysname> system-view

[Sysname] ike profile abc

[Sysname-ike-profile-abc] sa soft-duration buffer 600

Related commands

display ike sa

snmp-agent trap enable ike

Use snmp-agent trap enable ike to enable SNMP notifications for IKE.

Use undo snmp-agent trap enable ike to disable SNMP notifications for IKE.

Syntax

snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *

undo snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *

Default

All SNMP notifications for IKE are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

attr-not-support: Specifies notifications about attribute-unsupported failures.

auth-failure: Specifies notifications about authentication failures.

cert-type-unsupport: Specifies notifications about certificate-type-unsupported failures.

cert-unavailable: Specifies notifications about certificate-unavailable failures.

decrypt-failure: Specifies notifications about decryption failures.

encrypt-failure: Specifies notifications about encryption failures.

global: Specifies notifications globally.

invalid-cert-auth: Specifies notifications about invalid-certificate-authentication failures.

invalid-cookie: Specifies notifications about invalid-cookie failures.

invalid-id: Specifies notifications about invalid-ID failures.

invalid-proposal: Specifies notifications about invalid-IKE-proposal failures.

invalid-protocol: Specifies notifications about invalid-protocol failures.

invalid-sign: Specifies notifications about invalid-signature failures.

no-sa-failure: Specifies notifications about SA-not-found failures.

proposal-add: Specifies notifications about events of adding IKE proposals.

proposal-delete: Specifies notifications about events of deleting IKE proposals.

tunnel-start: Specifies notifications about events of creating IKE tunnels.

tunnel-stop: Specifies notifications about events of deleting IKE tunnels.

unsupport-exch-type: Specifies notifications about negotiation-type-unsupported failures.

Usage guidelines

If you do not specify any keywords, this command enables or disables all SNMP notifications for IKE.

To generate and output SNMP notifications for a specific IKE failure type or event type, perform the following tasks:

1.     Enable SNMP notifications for IKE globally.

2.     Enable SNMP notifications for the failure type or event type.

Examples

# Enable SNMP notifications for IKE globally.

<Sysname> system-view

[Sysname] snmp-agent trap enable ike global

# Enable SNMP notifications for events of creating IKE tunnels.

[Sysname] snmp-agent trap enable ike tunnel-start
