16-IP Tunneling and Security VPN Command Reference

05-IKEv2 commands

IKEv2 commands

 

aaa authorization

Use aaa authorization to enable IKEv2 AAA authorization.

Use undo aaa authorization to disable IKEv2 AAA authorization.

Syntax

aaa authorization domain domain-name username user-name

undo aaa authorization

Default

IKEv2 AAA authorization is disabled.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

username user-name: Specifies the username used for requesting authorization attributes. The username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:

·     The username cannot contain the domain name.

·     The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The username cannot be a, al, or all.
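The naming rules above are easy to get wrong in bulk configuration, so the following added example (not H3C code) encodes them as a checker for the domain and username arguments. The reserved names turn out to be exactly the prefixes of "default", "if-unknown" and "all"; reading "the username cannot contain the domain name" as a case-insensitive substring test is this example's assumption.

```python
"""Check the domain and username arguments of the IKEv2 aaa authorization command.

Added example, not H3C code: it encodes the naming rules listed under Parameters.
Reading "the username cannot contain the domain name" as a substring test is this
example's assumption.
"""
from __future__ import annotations

# Characters the command rejects; the quotation mark is rejected in domain names only.
DOMAIN_FORBIDDEN = set('/\\|":*?<>@')
USERNAME_FORBIDDEN = set('/\\|:*?<>@')


def _prefixes(word: str) -> set[str]:
    """All non-empty prefixes of word, e.g. 'all' -> {'a', 'al', 'all'}."""
    return {word[:i] for i in range(1, len(word) + 1)}


# The reserved domain names listed in the command reference are exactly the
# prefixes of "default" and "if-unknown"; the reserved usernames are the prefixes of "all".
RESERVED_DOMAINS = _prefixes("default") | _prefixes("if-unknown")
RESERVED_USERNAMES = _prefixes("all")


def check_domain(domain: str) -> list[str]:
    """Return rule violations for an ISP domain name (empty list means acceptable)."""
    problems = []
    if not 1 <= len(domain) <= 255:
        problems.append("domain name must be 1 to 255 characters")
    bad = sorted(set(domain) & DOMAIN_FORBIDDEN)
    if bad:
        problems.append("domain name contains forbidden characters: " + " ".join(bad))
    # Domain names are case-insensitive, so 'Default' is the reserved name 'default'.
    if domain.lower() in RESERVED_DOMAINS:
        problems.append(f"domain name {domain!r} is reserved")
    return problems


def check_username(user: str, domain: str) -> list[str]:
    """Return rule violations for a username used together with the given ISP domain."""
    problems = []
    if not 1 <= len(user) <= 55:
        problems.append("username must be 1 to 55 characters")
    bad = sorted(set(user) & USERNAME_FORBIDDEN)
    if bad:
        problems.append("username contains forbidden characters: " + " ".join(bad))
    # Usernames are case-sensitive, so the reserved-name test is exact.
    if user in RESERVED_USERNAMES:
        problems.append(f"username {user!r} is reserved")
    # Assumption: "cannot contain the domain name" means a case-insensitive substring match.
    if domain and domain.lower() in user.lower():
        problems.append("username must not contain the domain name")
    return problems


def check_aaa_authorization(domain: str, user: str) -> list[str]:
    """Validate a complete 'aaa authorization domain <domain> username <user>' pair."""
    return check_domain(domain) + check_username(user, domain)


if __name__ == "__main__":
    for d, u in (("abc", "test"), ("Defaul", "test"), ("abc", "test@abc")):
        print(f"domain={d!r} username={u!r}: {check_aaa_authorization(d, u) or 'OK'}")
```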

Usage guidelines

The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 address pool, from AAA.

IKEv2 uses the ISP domain and username to request authorization attributes. AAA uses the authorization settings in the ISP domain to request the user's authorization attributes from the remote AAA server or the local user database. After IKEv2 passes the username authentication, it obtains the authorization attributes.

This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Enable AAA authorization. Specify ISP domain name abc and username test.

[Sysname-ikev2-profile-profile1] aaa authorization domain abc username test

Related commands

display ikev2 profile

address

Use address to specify the IP address or IP address range of an IKEv2 peer.

Use undo address to restore the default.

Syntax

address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }

undo address

Default

The IKEv2 peer's IP address or IP address range is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the IKEv2 peer.

mask: Specifies the subnet mask of the IPv4 address.

mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.

ipv6 ipv6-address: Specifies the IPv6 address of the IKEv2 peer.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

Usage guidelines

Both the initiator and the responder can look up an IKEv2 peer by IP address in IKEv2 negotiation.

The IP addresses of different IKEv2 peers in the same IKEv2 keychain cannot be the same.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the IKEv2 peer's IP address 3.3.3.3 with subnet mask 255.255.255.0.

[Sysname-ikev2-keychain-key1-peer-peer1] address 3.3.3.3 255.255.255.0

Related commands

ikev2 keychain

peer

authentication-method

Use authentication-method to specify the local or remote identity authentication method.

Use undo authentication-method to remove the local or remote identity authentication method.

Syntax

authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

undo authentication-method local

undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

Default

No local or remote identity authentication method is specified.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

local: Specifies the local identity authentication method.

remote: Specifies the remote identity authentication method.

dsa-signature: Specifies the DSA signatures as the identity authentication method.

ecdsa-signature: Specifies the ECDSA signatures as the identity authentication method.

pre-share: Specifies the preshared key as the identity authentication method.

rsa-signature: Specifies the RSA signatures as the identity authentication method.

Usage guidelines

The local and remote identity authentication methods must both be specified and they can be different.

You can specify only one local identity authentication method. You can specify multiple remote identity authentication methods by executing this command multiple times when there are multiple remote ends whose authentication methods are unknown.

If you use RSA, DSA, or ECDSA signature authentication, you must specify PKI domains for obtaining certificates. You can specify PKI domains by using the certificate domain command in IKEv2 profile view. If you do not specify PKI domains in IKEv2 profile view, the PKI domains configured by the pki domain command in system view will be used.

If you specify the preshared key method, you must specify a preshared key for the IKEv2 peer in the keychain used by the IKEv2 profile.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the preshared key and RSA signatures as the local and remote authentication methods, respectively.

[Sysname-ikev2-profile-profile1] authentication-method local pre-share

[Sysname-ikev2-profile-profile1] authentication-method remote rsa-signature

# Specify PKI domain genl as the PKI domain for obtaining certificates.

[Sysname-ikev2-profile-profile1] certificate domain genl

# Specify IKEv2 keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands

display ikev2 profile

certificate domain (IKEv2 profile view)

keychain (IKEv2 profile view)

certificate domain

Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.

Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.

Syntax

certificate domain domain-name [ sign | verify ]

undo certificate domain domain-name

Default

PKI domains configured in system view are used for signature authentication.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

sign: Uses the local certificate in the PKI domain to generate a signature.

verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.

Usage guidelines

If you do not specify the sign or verify keyword, the PKI domain is used for both sign and verify purposes. You can specify a PKI domain for each purpose by executing this command multiple times. If you specify the same PKI domain for both purposes, the later configuration takes effect. For example, if you execute certificate domain abc sign and certificate domain abc verify successively, the PKI domain abc will be used only for verification.

If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI domains, the PKI domains configured in system view will be used.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify PKI domain abc for signature. Specify PKI domain def for verification.

[Sysname-ikev2-profile-profile1] certificate domain abc sign

[Sysname-ikev2-profile-profile1] certificate domain def verify

Related commands

authentication-method

pki domain (Security Command Reference)

config-exchange

Use config-exchange to enable configuration exchange.

Use undo config-exchange to disable configuration exchange.

Syntax

config-exchange { request | set { accept | send } }

undo config-exchange { request | set { accept | send } }

Default

Configuration exchange is disabled.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

request: Enables the device to send request messages carrying the configuration request payload during the IKE_AUTH exchange.

set: Specifies the configuration set payload exchange.

accept: Enables the device to accept the configuration set payload carried in Info messages.

send: Enables the device to send Info messages carrying the configuration set payload.

Usage guidelines

The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response. The enterprise center can push IP addresses to branches. The branches can request IP addresses, but the requested IP addresses cannot be used.

You can specify both request and set for the device.

If you specify request for the local end, the remote end will respond if it can obtain the requested data through AAA authorization.

If you specify set send for the local end, you must specify set accept for the remote end.

The device with set send specified pushes an IP address after the IKEv2 SA is set up if it does not receive any configuration request from the peer.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Enable the local end to add the configuration request payload to the request message of IKE_AUTH exchange.

[Sysname-ikev2-profile-profile1] config-exchange request

Related commands

aaa authorization

display ikev2 profile

dh

Use dh to specify DH groups to be used in IKEv2 key negotiation.

Use undo dh to restore the default.

Syntax

dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *

undo dh

Default

No DH group is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

group1: Uses the 768-bit Diffie-Hellman group.

group2: Uses the 1024-bit Diffie-Hellman group.

group5: Uses the 1536-bit Diffie-Hellman group.

group14: Uses the 2048-bit Diffie-Hellman group.

group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.

group19: Uses the 256-bit ECP Diffie-Hellman group.

group20: Uses the 384-bit ECP Diffie-Hellman group.

Usage guidelines

A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose proper DH groups for your network.

You must specify a minimum of one DH group for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.

You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher priority.

Examples

# Specify DH group 1 for IKEv2 proposal 1.

<Sysname> system-view

[Sysname] ikev2 proposal 1

[Sysname-ikev2-proposal-1] dh group1

Related commands

ikev2 proposal

display ikev2 policy

Use display ikev2 policy to display the IKEv2 policy configuration.

Syntax

display ikev2 policy [ policy-name | default ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 policy.

Usage guidelines

If you do not specify any parameters, this command displays the configuration of all IKEv2 policies.

Examples

# Display the configuration of all IKEv2 policies.

<Sysname> display ikev2 policy

IKEv2 policy: 1

  Priority: 100

  Match local address: 1.1.1.1

  Match local address ipv6: 1:1::1:1

  Match VRF: vpn1

  Proposal: 1

  Proposal: 2

IKEv2 policy: default

  Match VRF: any

  Proposal: default

Table 1 Command output

Field

Description

IKEv2 policy

Name of the IKEv2 policy.

Priority

Priority of the IKEv2 policy.

Match local address

IPv4 address to which the IKEv2 policy can be applied.

Match local address ipv6

IPv6 address to which the IKEv2 policy can be applied.

Match VRF

VPN instance to which the IKEv2 policy can be applied.

Proposal

IKEv2 proposal that the IKEv2 policy uses.

Related commands

ikev2 policy

display ikev2 profile

Use display ikev2 profile to display the IKEv2 profile configuration.

Syntax

display ikev2 profile [ profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.

Examples

# Display the configuration of all IKEv2 profiles.

<Sysname> display ikev2 profile

IKEv2 profile: 1

  Priority: 100

  Match criteria:

    Local address 1.1.1.1

    Local address GigabitEthernet0/0/1

    Local address 1:1::1:1

    Remote identity ipv4 address 3.3.3.3/32

    VRF vrf1

  Inside-vrf:

  Local identity: address 1.1.1.1

  Local authentication method: pre-share

  Remote authentication methods: pre-share

  Keychain: Keychain1

  Sign certificate domain:

     Domain1

     abc

  Verify certificate domain:

     Domain2

     yy

  SA duration: 500

  DPD: Interval 32, retry 23, periodic

  Config-exchange: Request, Set send, Set accept

  NAT keepalive: 10

  AAA authorization: Domain domain1, username ikev2

Table 2 Command output

Field

Description

IKEv2 profile

Name of the IKEv2 profile.

Priority

Priority of the IKEv2 profile.

Match criteria

Criteria for looking up the IKEv2 profile.

Inside-vrf

Inside VPN instance.

Local identity

ID of the local end.

Local authentication method

Method that the local end uses for authentication.

Remote authentication methods

Methods that the remote end uses for authentication.

Keychain

IKEv2 keychain that the IKEv2 profile uses.

Sign certificate domain

PKI domain used for signature generation.

Verify certificate domain

PKI domain used for verifying the remote end's certificate.

SA duration

Lifetime of the IKEv2 SA.

DPD

DPD settings:

·     Detection interval in seconds.

·     Retry interval in seconds.

·     Detection mode, on demand or periodically.

If DPD is disabled, this field displays Disabled.

Config-exchange

Configuration exchange settings:

·     Request—The local end sends request messages carrying the configuration request payload during the IKE_AUTH exchange.

·     Set accept—The local end accepts the configuration set payload carried in Info messages.

·     Set send—The local end sends Info messages carrying the configuration set payload.

NAT keepalive

NAT keepalive interval in seconds.

AAA authorization

AAA authorization settings:

·     ISP domain name.

·     Username.

Related commands

ikev2 profile

display ikev2 proposal

Use display ikev2 proposal to display the IKEv2 proposal configuration.

Syntax

display ikev2 proposal [ name | default ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 proposal.

Usage guidelines

This command displays IKEv2 proposals in descending order of priorities. If you do not specify any parameters, this command displays the configuration of all IKEv2 proposals.

Examples

# Display the configuration of all IKEv2 proposals.

<Sysname> display ikev2 proposal

IKEv2 proposal : 1

  Encryption: 3DES-CBC AES-CBC-128 AES-CTR-192 CAMELLIA-CBC-128

  Integrity: MD5 SHA256

  PRF: MD5 SHA256

  DH Group: MODP1024/Group2 MODP1536/Group5

 

IKEv2 proposal : default

  Encryption: AES-CBC-128 3DES-CBC

  Integrity: SHA1 MD5

  PRF: SHA1 MD5

  DH Group: MODP1536/Group5 MODP1024/Group2

Table 3 Command output

Field

Description

IKEv2 proposal

Name of the IKEv2 proposal.

Encryption

Encryption algorithms that the IKEv2 proposal uses.

Integrity

Integrity protection algorithms that the IKEv2 proposal uses.

PRF

PRF algorithms that the IKEv2 proposal uses.

DH Group

DH groups that the IKEv2 proposal uses.

Related commands

ikev2 proposal
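The dh and encryption usage guidelines state two rules that matter for both security and interoperability: a proposal missing a transform type is incomplete and unusable, and the order in which algorithms are specified is their priority. The following added example (not H3C code) parses display ikev2 proposal output, audits each proposal against those rules and a set of legacy algorithms, and models how two proposals match. The sample output is constructed in the format shown above; the legacy algorithm sets and the assumption that the responder's configured order decides the match are this example's own.

```python
"""Parse display ikev2 proposal output, audit each proposal and model proposal matching.

Added example, not H3C code. The sample output is constructed in the format of the
command output; the "legacy" algorithm sets and the responder-order matching rule are
this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed copy of the display ikev2 proposal output shown in the command reference.
SAMPLE_OUTPUT = """\
IKEv2 proposal : 1
  Encryption: 3DES-CBC AES-CBC-128 AES-CTR-192 CAMELLIA-CBC-128
  Integrity: MD5 SHA256
  PRF: MD5 SHA256
  DH Group: MODP1024/Group2 MODP1536/Group5

IKEv2 proposal : default
  Encryption: AES-CBC-128 3DES-CBC
  Integrity: SHA1 MD5
  PRF: SHA1 MD5
  DH Group: MODP1536/Group5 MODP1024/Group2
"""

# A proposal needs at least one algorithm of each of these types to be usable.
TRANSFORM_TYPES = ("Encryption", "Integrity", "PRF", "DH Group")

# Algorithms this audit treats as legacy (an assumption of this example, not a device setting).
LEGACY = {
    "Encryption": {"DES-CBC", "3DES-CBC"},
    "Integrity": {"MD5", "SHA1"},
    "PRF": {"MD5", "SHA1"},
    "DH Group": {"Group1", "Group2", "Group5"},   # matched on the part after the slash
}


@dataclass
class Proposal:
    name: str
    # transform type -> algorithms in configured order; the first has the highest priority
    transforms: dict = field(default_factory=dict)


def parse_proposals(text: str) -> list[Proposal]:
    """Build one Proposal per 'IKEv2 proposal : <name>' block of the output."""
    proposals: list[Proposal] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"IKEv2 proposal\s*:\s*(\S+)$", line)
        if m:
            proposals.append(Proposal(m.group(1)))
        elif proposals and ":" in line:
            key, _, value = line.partition(":")
            if key.strip() in TRANSFORM_TYPES:
                proposals[-1].transforms[key.strip()] = value.split()
    return proposals


def _is_legacy(ttype: str, alg: str) -> bool:
    token = alg.split("/")[-1] if ttype == "DH Group" else alg
    return token in LEGACY[ttype]


def audit(p: Proposal) -> list[str]:
    """Report incomplete proposals and legacy algorithms, noting when a legacy one is preferred."""
    findings = []
    for ttype in TRANSFORM_TYPES:
        algs = p.transforms.get(ttype, [])
        if not algs:
            findings.append(f"{p.name}: no {ttype}; the proposal is incomplete and unusable")
            continue
        weak = [a for a in algs if _is_legacy(ttype, a)]
        if weak:
            findings.append(f"{p.name}: legacy {ttype} offered: {' '.join(weak)}")
        if _is_legacy(ttype, algs[0]):
            findings.append(f"{p.name}: highest-priority {ttype} is legacy ({algs[0]})")
    return findings


def negotiate(responder: Proposal, initiator: Proposal) -> dict | None:
    """Pick one algorithm per transform type that both sides offer.

    Model assumption: the responder walks its own list in configured order and takes the
    first algorithm the initiator also offered. Returns None when some type has no common
    algorithm, the case the peer sees as NO_PROPOSAL_CHOSEN."""
    chosen = {}
    for ttype in TRANSFORM_TYPES:
        offered = set(initiator.transforms.get(ttype, []))
        pick = next((a for a in responder.transforms.get(ttype, []) if a in offered), None)
        if pick is None:
            return None
        chosen[ttype] = pick
    return chosen


if __name__ == "__main__":
    props = {p.name: p for p in parse_proposals(SAMPLE_OUTPUT)}
    for p in props.values():
        for finding in audit(p):
            print(finding)
    print("default <-> 1:", negotiate(props["default"], props["1"]))
```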

display ikev2 sa

Use display ikev2 sa to display the IKEv2 SA information.

Syntax

display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

count: Displays the number of IKEv2 SAs.

local: Displays IKEv2 SA information for a local IP address.

remote: Displays IKEv2 SA information for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information about IKEv2 SAs for the public network.

verbose: Displays detailed information. If you do not specify this keyword, the command displays the summary information.

tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKEv2 SAs.

Examples

# Display summary information about all IKEv2 SAs.

<Sysname> display ikev2 sa

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     1                  1.1.1.1/500       1.1.1.2/500        EST

     2                  2.2.2.1/500       2.2.2.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     1                  1.1.1.1/500       1.1.1.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

Table 4 Command output

Field

Description

Tunnel ID

ID of the IPsec tunnel to which the IKEv2 SA belongs.

Local

Local IP address of the IKEv2 SA.

Remote

Remote IP address of the IKEv2 SA.

Status

Status of the IKEv2 SA:

·     IN-NEGO (Negotiating)—The IKEv2 SA is under negotiation.

·     EST (Established)—The IKEv2 SA has been set up.

·     DEL (Deleting)—The IKEv2 SA is about to be deleted.

# Display detailed information about all IKEv2 SAs.

<Sysname> display ikev2 sa verbose

  Tunnel ID: 1

  Local IP/Port: 1.1.1.1/500

  Remote IP/Port: 1.1.1.2/500

  Outside VRF: -

  Inside VRF: -

  Local SPI: 8f8af3dbf5023a00

  Remote SPI: 0131565b9b3155fa

 

  Local ID type: FQDN

  Local ID: device_a

  Remote ID type: FQDN

  Remote ID: device_b

 

  Auth sign method: Pre-shared key

  Auth verify method: Pre-shared key

  Integrity algorithm: HMAC_MD5

  PRF algorithm: HMAC_MD5

  Encryption algorithm: AES-CBC-192

 

  Life duration: 86400 secs

  Remaining key duration: 85604 secs

  Diffie-Hellman group: MODP1024/Group2

  NAT traversal: Not detected

  DPD: Interval 20 secs, retry interval 2 secs

  Transmitting entity: Initiator

 

  Local window: 1

  Remote window: 1

  Local request message ID: 2

  Remote request message ID: 2

  Local next message ID: 0

  Remote next message ID: 0

 

  Pushed IP address: 192.168.1.5

  Assigned IP address: 192.168.2.24

 

# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2 verbose

  Tunnel ID: 1

  Local IP/Port: 1.1.1.1/500

  Remote IP/Port: 1.1.1.2/500

  Outside VRF: -

  Inside VRF: -

  Local SPI: 8f8af3dbf5023a00

  Remote SPI: 0131565b9b3155fa

 

  Local ID type: FQDN

  Local ID: device_a

  Remote ID type: FQDN

  Remote ID: device_b

 

  Auth sign method: Pre-shared key

  Auth verify method: Pre-shared key

  Integrity algorithm: HMAC_MD5

  PRF algorithm: HMAC_MD5

  Encryption algorithm: AES-CBC-192

 

  Life duration: 86400 secs

  Remaining key duration: 85604 secs

  Diffie-Hellman group: MODP1024/Group2

  NAT traversal: Not detected

  DPD: Interval 30 secs, retry interval 10 secs

  Transmitting entity: Initiator

 

  Local window: 1

  Remote window: 1

  Local request message ID: 2

  Remote request message ID: 2

  Local next message ID: 0

  Remote next message ID: 0

 

  Pushed IP address: 192.168.1.5

  Assigned IP address: 192.168.2.24

Table 5 Command output

Field

Description

Tunnel ID

ID of the IPsec tunnel to which the IKEv2 SA belongs.

Local IP/Port

IP address and port number of the local security gateway.

Remote IP/Port

IP address and port number of the remote security gateway.

Outside VRF

Name of the VPN instance to which the protected outbound data flow belongs.

If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).

Inside VRF

Name of the VPN instance to which the protected inbound data flow belongs.

If the protected inbound data flow belongs to the public network, this field displays a hyphen (-).

Local SPI

SPI that the local end uses.

Remote SPI

SPI that the remote end uses.

Local ID type

ID type of the local security gateway.

Local ID

ID of the local security gateway.

Remote ID type

ID type of the remote security gateway.

Remote ID

ID of the remote security gateway.

Auth sign method

Signature method that the IKEv2 proposal uses in authentication.

Auth verify method

Verification method that the IKEv2 proposal uses in authentication.

Integrity algorithm

Integrity protection algorithms that the IKEv2 proposal uses.

PRF algorithm

PRF algorithms that the IKEv2 proposal uses.

Encryption algorithm

Encryption algorithms that the IKEv2 proposal uses.

Life duration

Lifetime of the IKEv2 SA, in seconds.

Remaining key duration

Remaining lifetime of the IKEv2 SA, in seconds.

Diffie-Hellman group

DH groups used in IKEv2 key negotiation.

NAT traversal

Whether a NAT gateway is detected between the local and remote ends.

DPD

DPD settings:

·     Detection interval in seconds.

·     Retry interval in seconds.

If DPD is disabled, this field displays Interval 0 secs, retry interval 0 secs.

Transmitting entity

Role of the local end in IKEv2 negotiation, initiator or responder.

Local window

Window size that the local end uses.

Remote window

Window size that the remote end uses.

Local request message ID

ID of the request message that the local end is about to send.

Remote request message ID

ID of the request message that the remote end is about to send.

Local next message ID

ID of the message that the local end expects to receive.

Remote next message ID

ID of the message that the remote end expects to receive.

Pushed IP address

IP address pushed to the local end by the remote end.

Assigned IP address

IP address assigned to the remote end by the local end.

# Display the number of IKEv2 SAs.

[Sysname] display ikev2 sa count

IKEv2 SAs count: 0

display ikev2 statistics

Use display ikev2 statistics to display IKEv2 statistics.

Syntax

display ikev2 statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IKEv2 statistics.

<Sysname> display ikev2 statistics

IKEv2 statistics:

  Unsupported critical payload: 0

  Invalid IKE SPI: 0

  Invalid major version: 0

  Invalid syntax: 0

  Invalid message ID: 0

  Invalid SPI: 0

  No proposal chosen: 0

  Invalid KE payload: 0

  Authentication failed: 0

  Single pair required: 0

  TS unacceptable: 0

  Invalid selectors: 0

  Temporary failure: 0

  No child SA: 0

  Unknown other notify: 0

  No enough resource: 0

  Enqueue error: 0

  No IKEv2 SA: 0

  Packet error: 0

  Other error: 0

  Retransmit timeout: 0

  DPD detect error: 0

  Del child for IPsec message: 1

  Del child for deleting IKEv2 SA: 1

  Del child for receiving delete message: 0

Related commands

reset ikev2 statistics
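The counters above are cumulative, so for monitoring they are only meaningful as differences between polls. The following added example (not H3C code) parses two display ikev2 statistics snapshots, reports the counters that grew, handles a clear by reset ikev2 statistics in between, and groups the growth into security-relevant and connectivity counters. Both snapshots are constructed in the format of the output above; the grouping is this example's own monitoring choice.

```python
"""Compare two display ikev2 statistics snapshots and triage the counters that moved.

Added example, not H3C code. The snapshots are constructed in the format of the
command output; the counter grouping is this example's own choice.
"""
from __future__ import annotations

import re

# Constructed snapshot taken at one poll.
SNAPSHOT_BEFORE = """\
IKEv2 statistics:
  Unsupported critical payload: 0
  Invalid IKE SPI: 0
  No proposal chosen: 0
  Authentication failed: 0
  Retransmit timeout: 4
  DPD detect error: 1
  Del child for IPsec message: 1
"""

# Constructed snapshot from the next poll: a burst of failed authentications.
SNAPSHOT_AFTER = """\
IKEv2 statistics:
  Unsupported critical payload: 0
  Invalid IKE SPI: 0
  No proposal chosen: 2
  Authentication failed: 12
  Retransmit timeout: 7
  DPD detect error: 1
  Del child for IPsec message: 1
"""

# Counters whose growth points at a peer that cannot authenticate or whose proposal
# does not match ours (misconfiguration or an unexpected peer).
SECURITY_COUNTERS = {
    "Authentication failed", "No proposal chosen", "Invalid KE payload",
    "Invalid IKE SPI", "Invalid SPI", "Invalid syntax", "Invalid major version",
    "Invalid message ID", "Unsupported critical payload",
}
# Counters whose growth usually means reachability or load problems.
CONNECTIVITY_COUNTERS = {
    "Retransmit timeout", "DPD detect error", "No enough resource", "Enqueue error",
}

# Indented "Counter name: N" lines; the unindented header line does not match.
LINE_RE = re.compile(r"^\s+(?P<name>[^:]+):\s*(?P<value>\d+)\s*$")


def parse_statistics(text: str) -> dict[str, int]:
    """Turn the indented 'Counter: N' lines into a name -> value mapping."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def diff_statistics(before: dict[str, int], after: dict[str, int]) -> dict[str, int]:
    """Return the counters that grew between two snapshots.

    A counter smaller than before means the statistics were cleared in between
    (reset ikev2 statistics), so the whole new value counts as growth."""
    delta = {}
    for name, value in after.items():
        old = before.get(name, 0)
        grew = value - old if value >= old else value
        if grew > 0:
            delta[name] = grew
    return delta


def triage(delta: dict[str, int]) -> dict[str, list[str]]:
    """Group the grown counters into security, connectivity and other."""
    groups: dict[str, list[str]] = {"security": [], "connectivity": [], "other": []}
    for name in sorted(delta):
        if name in SECURITY_COUNTERS:
            groups["security"].append(name)
        elif name in CONNECTIVITY_COUNTERS:
            groups["connectivity"].append(name)
        else:
            groups["other"].append(name)
    return groups


def report(before_text: str, after_text: str) -> dict[str, list[str]]:
    """Parse both snapshots and return the triaged counters that grew."""
    delta = diff_statistics(parse_statistics(before_text), parse_statistics(after_text))
    return triage(delta)


if __name__ == "__main__":
    for group, names in report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{group}: {', '.join(names) or '-'}")
```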

dpd

Use dpd to configure IKEv2 DPD.

Use undo dpd to disable IKEv2 DPD.

Syntax

dpd interval interval [ retry seconds ] { on-demand | periodic }

undo dpd interval

Default

IKEv2 DPD is disabled. The global IKEv2 DPD settings are used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.

Examples

# Configure on-demand IKEv2 DPD. Set the DPD triggering interval to 10 seconds and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1] dpd interval 10 retry 5 on-demand

Related commands

ikev2 dpd

encryption

Use encryption to specify encryption algorithms for an IKEv2 proposal.

Use undo encryption to restore the default.

Syntax

encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *

undo encryption

Default

No encryption algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.

aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.

aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.

aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key.

aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key.

aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key.

camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key.

camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key.

camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key.

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 56-bit key.

Usage guidelines

You must specify a minimum of one encryption algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple encryption algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Specify the 168-bit 3DES algorithm in CBC mode as the encryption algorithm for IKEv2 proposal prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption 3des-cbc

Related commands

ikev2 proposal

hostname

Use hostname to specify the host name of an IKEv2 peer.

Use undo hostname to restore the default.

Syntax

hostname name

undo hostname

Default

The IKEv2 peer's host name is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 253 characters.

Usage guidelines

Only the initiator can look up an IKEv2 peer by host name in IKEv2 negotiation, and the initiator must use an IPsec policy.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify host name test of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] hostname test

Related commands

ikev2 keychain

peer

identity

Use identity to specify the ID of an IKEv2 peer.

Use undo identity to restore the default.

Syntax

identity { address { ipv4-address | ipv6 ipv6-address } | fqdn fqdn-name | email email-string | key-id key-id-string }

undo identity

Default

The IKEv2 peer's ID is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the peer.

ipv6 ipv6-address: Specifies the IPv6 address of the peer.

fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

email email-string: Specifies the email address of the peer. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as esec@test.com.

key-id key-id-string: Specifies the remote gateway's key ID. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

Only the responder can look up an IKEv2 peer by ID in IKEv2 negotiation. The initiator does not know the peer ID when initiating the IKEv2 negotiation, so it cannot use an ID for IKEv2 peer lookup.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify IPv4 address 1.1.1.2 as the ID of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2

Related commands

ikev2 keychain

peer

identity local

Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation.

Use undo identity local to restore the default.

Syntax

identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }

undo identity local

Default

No local ID is configured. The IP address of the interface to which the IPsec policy is applied is used as the local ID.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.

dn: Uses the DN in the local certificate as the local ID.

email email-string: Uses an email address as the local ID. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as sec@abc.com.

fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

key-id key-id-string: Uses the device's key ID as the local ID. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

Peers exchange local IDs for identifying each other in negotiation.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Use IP address 2.2.2.2 as the local ID.

[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2

Related commands

peer

ikev2 address-group

Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to remote peers.

Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool.

Syntax

ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]

undo ikev2 address-group group-name [ start-ipv4-address [ end-ipv4-address ] ]

Default

No IKEv2 IPv4 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKEv2 IPv4 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.

start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.

mask: Specifies the IPv4 address mask.

mask-length: Specifies the length of the IPv4 address mask.

Usage guidelines

An IKEv2 IPv4 address pool can contain a maximum of 8192 IPv4 addresses.

Follow these guidelines when you delete IKEv2 IPv4 address pools:

·     To delete all IPv4 address pools with a designated group name, use the undo ikev2 address-group group-name command.

·     To delete an IPv4 address pool that contains only one IP address, use the undo ikev2 address-group group-name start-ipv4-address command.

·     To delete a specific IPv4 address pool, use the undo ikev2 address-group group-name start-ipv4-address end-ipv4-address command.

·     If the IPv4 address pool with the specified name and address range does not exist, no address group will be deleted.

Examples

# Configure an IKEv2 IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask 255.255.255.0.

<Sysname> system-view

[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0

# Configure an IKEv2 IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask length 32.

<Sysname> system-view

[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 32

# Delete IKEv2 IPv4 address pool ipv4group with address range 1.1.1.1 to 1.1.1.2.

<Sysname> system-view

[Sysname] undo ikev2 address-group ipv4group 1.1.1.1 1.1.1.2

Related commands

address-group

ikev2 cookie-challenge

Use ikev2 cookie-challenge to enable the cookie challenging feature.

Use undo ikev2 cookie-challenge to disable the cookie challenging feature.

Syntax

ikev2 cookie-challenge number

undo ikev2 cookie-challenge

Default

The cookie challenging feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 0 to 1000 half-open IKE SAs.

Usage guidelines

When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.

This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.
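The following Python model is an added illustration of the responder behaviour described above; it is not H3C code. It arms the challenge once the half-open IKE SA count reaches the threshold (the number argument), builds the cookie in the RFC 7296 layout, and shows that requests from forged sources, which never see the reply, cannot grow the half-open table past the threshold. Assumed: the threshold is compared as "greater than or equal", and an HMAC stands in for the RFC's keyed hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of an IKEv2 responder that arms the cookie challenge once
# its half-open IKE SA count reaches the configured threshold (the "number"
# argument of ikev2 cookie-challenge). The cookie layout follows RFC 7296
# section 2.6: <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
# Illustrative code, not the H3C implementation.


@dataclass
class Responder:
    threshold: int                                  # half-open SAs that arm challenging
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    secret_version: int = 0                         # bumped whenever the secret is rotated
    half_open: dict = field(default_factory=dict)   # (SPIi, source IP) -> state

    def _cookie(self, spi_i: bytes, nonce_i: bytes, src_ip: str) -> bytes:
        # Only the responder holds the secret, so only it can produce the cookie;
        # the cookie binds the initiator's SPI, nonce and source IP together.
        mac = hmac.new(self.secret, nonce_i + src_ip.encode() + spi_i,
                       hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac[:16]

    def challenging(self) -> bool:
        # Assumption: "maintains a threshold number" is read as >= threshold.
        return len(self.half_open) >= self.threshold

    def handle_sa_init(self, spi_i: bytes, nonce_i: bytes, src_ip: str,
                       cookie: Optional[bytes] = None):
        """Process one IKE_SA_INIT request.

        Returns ("proceed", None) when a half-open SA is created,
        ("cookie", cookie) when the initiator must retry with the cookie, or
        ("reject", None) when the retry carried a wrong cookie.
        """
        if self.challenging():
            expected = self._cookie(spi_i, nonce_i, src_ip)
            if cookie is None:
                # Stateless reply: nothing is allocated for this request.
                return "cookie", expected
            if not hmac.compare_digest(cookie, expected):
                return "reject", None
        self.half_open[(spi_i, src_ip)] = "half-open"
        return "proceed", None


def unanswered_init_burst(responder: Responder, count: int) -> int:
    """Constructed burst of IKE_SA_INIT requests from forged source addresses.

    The forged senders never receive the responder's reply, so they can never
    echo the cookie back; the half-open table therefore stops growing at the
    threshold. Returns the number of half-open SAs afterwards.
    """
    for i in range(count):
        responder.handle_sa_init(os.urandom(8), os.urandom(32),
                                 f"203.0.113.{i % 254 + 1}")
    return len(responder.half_open)


if __name__ == "__main__":
    r = Responder(threshold=3)
    print("half-open SAs after a burst of 50:", unanswered_init_burst(r, 50))  # 3
    kind, cookie = r.handle_sa_init(b"\x09" * 8, b"n" * 32, "198.51.100.7")
    print("first reply to a genuine initiator:", kind)                           # cookie
    print("retry carrying the cookie:",
          r.handle_sa_init(b"\x09" * 8, b"n" * 32, "198.51.100.7", cookie)[0])  # proceed
```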

Examples

# Enable the cookie challenging feature and set the threshold to 450.

<Sysname> system-view

[Sysname] ikev2 cookie-challenge 450

ikev2 dpd

Use ikev2 dpd to configure global IKEv2 DPD.

Use undo ikev2 dpd to disable global IKEv2 DPD.

Syntax

ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }

undo ikev2 dpd interval

Default

The global IKEv2 DPD feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKEv2 peers. For earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.

You can configure IKEv2 DPD in both IKEv2 profile view and system view. The IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.

Examples

# Configure the device to trigger IKEv2 DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for 15 seconds.

<Sysname> system-view

[Sysname] ikev2 dpd interval 15 on-demand

# Configure the device to trigger IKEv2 DPD every 15 seconds.

<Sysname> system-view

[Sysname] ikev2 dpd interval 15 periodic

Related commands

dpd (IKEv2 profile view)

ikev2 ipv6-address-group

Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6 addresses to remote peers.

Use undo ikev2 ipv6-address-group to delete an IKEv2 IPv6 address pool.

Syntax

ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len

undo ikev2 ipv6-address-group group-name

Default

No IKEv2 IPv6 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKEv2 IPv6 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.

prefix prefix/prefix-len: Specifies an IPv6 prefix in the format of prefix/prefix length. The value range for the prefix-len argument is 1 to 128.

assign-len assign-len: Specifies the assigned prefix length. The value range for the assign-len argument is 0 to 128, and the value must be greater than or equal to prefix-len. The difference between assign-len and prefix-len must be no more than 16.

Usage guidelines

Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the IKEv2 IPv6 address pool. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to other devices.

IKEv2 IPv6 address pools cannot overlap with each other.
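The following Python model is an added illustration of both the ikev2 address-group and the ikev2 ipv6-address-group commands; it is not H3C code. It enforces the limits stated on this page (at most 8192 addresses in an IPv4 pool; assign-len between prefix-len and prefix-len plus 16; no overlapping IPv6 pools) and hands out leases as the guidelines describe: one address per peer from an IPv4 pool, one whole subnet per peer from an IPv6 pool. Assumed: a host mask (/32) applies when the optional IPv4 mask is omitted.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed model of the two IKEv2 address pool commands on this page:
#   ikev2 address-group name start end [mask | mask-length]
#   ikev2 ipv6-address-group name prefix P/L assign-len A
# Illustrative code, not the H3C implementation.

MAX_IPV4_POOL_SIZE = 8192       # stated limit for an IKEv2 IPv4 address pool
MAX_IPV6_ASSIGN_DELTA = 16      # assign-len may exceed prefix-len by at most 16


class Ipv4Pool:
    def __init__(self, name: str, start: str, end: str, mask: Optional[str] = None):
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if last < first:
            raise ValueError("end address precedes start address")
        if int(last) - int(first) + 1 > MAX_IPV4_POOL_SIZE:
            raise ValueError("an IKEv2 IPv4 address pool holds at most 8192 addresses")
        # mask may be dotted ("255.255.255.0") or a length ("32").
        # Assumption: /32 when the optional mask is omitted.
        self.prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{mask or 32}").prefixlen
        self.name, self.first, self.last = name, first, last
        self.leases: Dict[str, ipaddress.IPv4Interface] = {}

    def assign(self, peer: str) -> ipaddress.IPv4Interface:
        """Lease the lowest free address of the range to the peer."""
        if peer in self.leases:
            return self.leases[peer]
        in_use = {iface.ip for iface in self.leases.values()}
        for n in range(int(self.first), int(self.last) + 1):
            addr = ipaddress.IPv4Address(n)
            if addr not in in_use:
                self.leases[peer] = ipaddress.IPv4Interface(f"{addr}/{self.prefixlen}")
                return self.leases[peer]
        raise RuntimeError(f"pool {self.name} is exhausted")


class Ipv6Pool:
    def __init__(self, name: str, prefix: str, assign_len: int):
        net = ipaddress.IPv6Network(prefix, strict=False)
        if not 1 <= net.prefixlen <= 128:
            raise ValueError("prefix-len must be 1 to 128")
        if not net.prefixlen <= assign_len <= 128:
            raise ValueError("assign-len must be >= prefix-len and <= 128")
        if assign_len - net.prefixlen > MAX_IPV6_ASSIGN_DELTA:
            raise ValueError("assign-len may exceed prefix-len by at most 16")
        self.name, self.net, self.assign_len = name, net, assign_len
        self._free = net.subnets(new_prefix=assign_len)   # lazily enumerated subnets
        self.leases: Dict[str, ipaddress.IPv6Network] = {}

    def capacity(self) -> int:
        """Number of subnets the pool can hand out."""
        return 2 ** (self.assign_len - self.net.prefixlen)

    def assign(self, peer: str) -> ipaddress.IPv6Network:
        """Lease a whole assign-len subnet to the peer, which may sub-assign it."""
        if peer in self.leases:
            return self.leases[peer]
        subnet = next(self._free, None)
        if subnet is None:
            raise RuntimeError(f"pool {self.name} is exhausted")
        self.leases[peer] = subnet
        return subnet


def add_ipv6_pool(pools: List[Ipv6Pool], pool: Ipv6Pool) -> List[Ipv6Pool]:
    """Reject a new IPv6 pool whose prefix overlaps an existing one."""
    for other in pools:
        if pool.net.overlaps(other.net):
            raise ValueError(f"pool {pool.name} overlaps pool {other.name}")
    pools.append(pool)
    return pools


def rejected(fn, *args) -> Optional[str]:
    """Return the name of the exception fn(*args) raises, or None if it succeeds."""
    try:
        fn(*args)
    except (ValueError, RuntimeError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    v4 = Ipv4Pool("ipv4group", "1.1.1.1", "1.1.1.2", "255.255.255.0")
    print(v4.assign("peer1"), v4.assign("peer2"))          # 1.1.1.1/24 1.1.1.2/24
    v6 = Ipv6Pool("ipv6group", "1:1::/64", 80)
    print(v6.capacity(), v6.assign("peer1"), v6.assign("peer2"))   # 65536 1:1::/80 1:1:0:0:1::/80
```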

Examples

# Configure an IKEv2 IPv6 address pool with name ipv6group, prefix 1:1::/64, and assigned prefix length 80.

<Sysname> system-view

[Sysname] ikev2 ipv6-address-group ipv6group prefix 1:1::/64 assign-len 80

Related commands

ipv6-address-group

ikev2 keychain

Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing IKEv2 keychain.

Use undo ikev2 keychain to delete an IKEv2 keychain.

Syntax

ikev2 keychain keychain-name

undo ikev2 keychain keychain-name

Default

No IKEv2 keychains exist.

Views

System view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies a name for the IKEv2 keychain. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses preshared key authentication. The preshared key configured on both ends must be the same.

You can configure multiple IKEv2 peers in an IKEv2 keychain.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.

<Sysname> system-view

[Sysname] ikev2 keychain key1

[Sysname-ikev2-keychain-key1]

ikev2 nat-keepalive

Use ikev2 nat-keepalive to set the NAT keepalive interval.

Use undo ikev2 nat-keepalive to restore the default.

Syntax

ikev2 nat-keepalive seconds

undo ikev2 nat-keepalive

Default

The NAT keepalive interval is 10 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ikev2 nat-keepalive 5

ikev2 policy

Use ikev2 policy to create an IKEv2 policy and enter its view, or enter the view of an existing IKEv2 policy.

Use undo ikev2 policy to delete an IKEv2 policy.

Syntax

ikev2 policy policy-name

undo ikev2 policy policy-name

Default

An IKEv2 policy named default exists, which uses the default IKEv2 proposal and matches any local addresses.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a name for the IKEv2 policy. The policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs. An IKEv2 policy uses IKEv2 proposals to define the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups to be used for negotiation.

You can configure multiple IKEv2 policies. An IKEv2 policy must have a minimum of one IKEv2 proposal. Otherwise, the policy is incomplete.

If the initiator uses an IPsec policy that is bound to a source interface, the initiator looks up an IKEv2 policy by the IP address of the source interface.

You can set priorities to adjust the match order of IKEv2 policies that have the same match criteria.

If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the default IKEv2 policy, nor modify it.

Examples

# Create an IKEv2 policy named policy1 and enter IKEv2 policy view.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1]

Related commands

display ikev2 policy

ikev2 profile

Use ikev2 profile to create an IKEv2 profile and enter its view, or enter the view of an existing IKEv2 profile.

Use undo ikev2 profile to delete an IKEv2 profile.

Syntax

ikev2 profile profile-name

undo ikev2 profile profile-name

Default

No IKEv2 profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a name for the IKEv2 profile. The profile name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity information and authentication methods of the peers, and the matching criteria for profile lookup.

Examples

# Create an IKEv2 profile named profile1 and enter IKEv2 profile view.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1]

Related commands

display ikev2 profile

ikev2 proposal

Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing IKEv2 proposal.

Use undo ikev2 proposal to delete an IKEv2 proposal.

Syntax

ikev2 proposal proposal-name

undo ikev2 proposal proposal-name

Default

An IKEv2 proposal named default exists.

·     Encryption algorithm—AES-CBC-128 and 3DES.

·     Integrity protection algorithm—HMAC-SHA1 and HMAC-MD5.

·     PRF algorithm—HMAC-SHA1 and HMAC-MD5.

·     DH group—Group 5 and group 2.

Views

System view

Predefined user roles

network-admin

Parameters

proposal-name: Specifies a name for the IKEv2 proposal. The proposal name is a case-insensitive string of 1 to 63 characters and cannot be default.

Usage guidelines

An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups.

An IKEv2 proposal must have a minimum of one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.

In an IKEv2 proposal, you can specify multiple parameters of the same type. The parameters of different types combine and form multiple sets of security parameters. If you want to use only one set of security parameters, configure only one set of security parameters for the IKEv2 proposal.

Examples

# Create an IKEv2 proposal named prop1. Specify encryption algorithm AES-CBC-128, integrity protection algorithm SHA1, PRF algorithm SHA1, and DH group 2.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption aes-cbc-128

[Sysname-ikev2-proposal-prop1] integrity sha1

[Sysname-ikev2-proposal-prop1] prf sha1

[Sysname-ikev2-proposal-prop1] dh group2

Related commands

encryption-algorithm

integrity

prf

dh

inside-vrf

Use inside-vrf to specify an inside VPN instance.

Use undo inside-vrf to restore the default.

Syntax

inside-vrf vrf-name

undo inside-vrf

Default

No inside VPN instance is specified. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

vrf-name: Specifies the VPN instance to which the protected data belongs. The vrf-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

This command determines where the device should forward received IPsec packets after it de-encapsulates them. If you configure this command, the device looks for a route in the specified VPN instance to forward the packets. If you do not configure this command, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify inside VPN instance vpn1.

[Sysname-ikev2-profile-profile1] inside-vrf vpn1

integrity

Use integrity to specify integrity protection algorithms for an IKEv2 proposal.

Use undo integrity to restore the default.

Syntax

integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo integrity

Default

No integrity protection algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Specifies the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Specifies the HMAC-MD5 algorithm.

sha1: Specifies the HMAC-SHA1 algorithm.

sha256: Specifies the HMAC-SHA256 algorithm.

sha384: Specifies the HMAC-SHA384 algorithm.

sha512: Specifies the HMAC-SHA512 algorithm.

Usage guidelines

You must specify a minimum of one integrity protection algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple integrity protection algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Create an IKEv2 proposal named prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

# Specify HMAC-SHA1 and HMAC-MD5 as the integrity protection algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] integrity sha1 md5

Related commands

ikev2 proposal

keychain

Use keychain to specify an IKEv2 keychain for preshared key authentication.

Use undo keychain to restore the default.

Syntax

keychain keychain-name

undo keychain

Default

No IKEv2 keychain is specified for an IKEv2 profile.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses preshared key authentication. You can specify only one IKEv2 keychain for an IKEv2 profile.

You can specify the same IKEv2 keychain for different IKEv2 profiles.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify IKEv2 keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands

display ikev2 profile

ikev2 keychain

match local (IKEv2 profile view)

Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be applied.

Use undo match local to remove a local interface or a local IP address to which an IKEv2 profile can be applied.

Syntax

match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

undo match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

Default

An IKEv2 profile can be applied to any local interface or IP address.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

address: Specifies a local interface or IP address to which an IKEv2 profile can be applied.

interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

Use this command to specify which address or interface can use the IKEv2 profile for IKEv2 negotiation. The interface is the interface that receives IKEv2 packets. The IP address is the IP address of the interface that receives IKEv2 packets.

An IKEv2 profile configured earlier has a higher priority. To give an IKEv2 profile that is configured later a higher priority, you can configure the priority command or this command for the profile. For example, suppose you configured IKEv2 profile A before configuring IKEv2 profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKEv2 profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKEv2 profile B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKEv2 profile A is preferred because IKEv2 profile A was configured earlier. To use IKEv2 profile B, you can use this command to restrict the application scope of IKEv2 profile B to IPv4 address 3.3.3.3.

You can specify multiple applicable local interfaces or IP addresses for an IKEv2 profile.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Apply IKEv2 profile profile1 to the interface whose IP address is 2.2.2.2.

[Sysname-ikev2-profile-profile1] match local address 2.2.2.2

Related commands

match remote

match local address (IKEv2 policy view)

Use match local address to specify a local interface or a local address that an IKEv2 policy matches.

Use undo match local address to remove a local interface or a local address that an IKEv2 policy matches.

Syntax

match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

undo match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

Default

No local interface or local address is specified, and the IKEv2 policy matches any local interface or local address.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

IKEv2 policies with this command configured are looked up before those that do not have this command configured.

Examples

# Configure IKEv2 policy policy1 to match local address 3.3.3.3.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] match local address 3.3.3.3

Related commands

display ikev2 policy

match vrf

match remote

Use match remote to configure a peer ID that an IKEv2 profile matches.

Use undo match remote to delete a peer ID that an IKEv2 profile matches.

Syntax

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

Default

No matching peer ID is configured for the IKEv2 profile.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2 profile matching. The policy-name argument specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.

identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified information is configured on the peer by using the identity local command.

·     address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32, and the default is 32.

·     address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

·     address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKEv2 profile matching. The value range for the prefix-length argument is 0 to 128, and the default is 128.

·     address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

·     fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

·     email email-string: Uses the peer's email address as the peer ID for IKEv2 profile matching. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as sec@abc.com.

·     key-id key-id-string: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation.

If the device has the match remote, match vrf, and match local address commands configured, it uses the IKEv2 profile that matches all the criteria configured by the commands.

To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, which IKEv2 profile is selected for IKEv2 negotiation is unpredictable.

You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a higher priority.
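The following Python model is an added illustration of responder-side profile selection as described here and in the match local (IKEv2 profile view) guidelines; it is not H3C code. It requires every configured criterion (match remote identity, match local address, match vrf) to match, reproduces the profile A / profile B example from the match local guidelines, and flags peer IDs configured in more than one profile. Assumed: profiles that restrict their local address are tried before unrestricted ones, and the earlier-configured profile wins within a group; the priority command is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of responder-side IKEv2 profile selection from the
# criteria on this page. Illustrative code, not the H3C implementation.
#
# Remote ID entries are tuples such as
#   ("address", "10.1.1.0/24"), ("range", "2.2.2.1", "2.2.2.100"),
#   ("fqdn", "www.test.com"), ("email", "sec@abc.com"), ("key-id", "...")
# and a peer ID is a (kind, value) pair as received from the peer.


@dataclass
class Ikev2Profile:
    name: str
    order: int                                    # configuration order; lower = earlier
    remote_ids: List[tuple] = field(default_factory=list)
    local_addresses: List[str] = field(default_factory=list)   # match local address; empty = any
    vrf: Optional[str] = None                     # match vrf; None = public network, "any" = all


def remote_id_matches(entry: tuple, peer_kind: str, peer_value: str) -> bool:
    """Does one match remote identity entry cover the received peer ID?"""
    kind = entry[0]
    if kind == "range":
        if peer_kind != "address":
            return False
        lo, hi = ipaddress.ip_address(entry[1]), ipaddress.ip_address(entry[2])
        peer = ipaddress.ip_address(peer_value)
        return lo.version == peer.version and lo <= peer <= hi
    if kind == "address":
        return (peer_kind == "address" and
                ipaddress.ip_address(peer_value)
                in ipaddress.ip_network(entry[1], strict=False))
    return kind == peer_kind and entry[1] == peer_value     # fqdn / email / key-id


def select_profile(profiles: List[Ikev2Profile], peer_id: Tuple[str, str],
                   local_addr: str, vrf: Optional[str] = None) -> Optional[Ikev2Profile]:
    """Return the profile the responder would use, or None when nothing matches.

    All configured criteria must match. Assumed ordering: profiles restricting
    their local address are tried before unrestricted ones, then the profile
    configured earlier wins. The priority command is not modelled.
    """
    kind, value = peer_id
    local = ipaddress.ip_address(local_addr)
    candidates = []
    for p in profiles:
        if not any(remote_id_matches(e, kind, value) for e in p.remote_ids):
            continue
        if p.local_addresses and local not in {ipaddress.ip_address(a) for a in p.local_addresses}:
            continue
        if p.vrf != "any" and p.vrf != vrf:
            continue
        candidates.append(p)
    candidates.sort(key=lambda p: (0 if p.local_addresses else 1, p.order))
    return candidates[0] if candidates else None


def duplicate_peer_ids(profiles: List[Ikev2Profile]) -> List[Tuple[tuple, str, str]]:
    """Report peer IDs configured in more than one profile; selection between
    such profiles is unpredictable, so a configuration check should flag them."""
    first_seen, dups = {}, []
    for p in profiles:
        for e in p.remote_ids:
            if e in first_seen and first_seen[e] != p.name:
                dups.append((e, first_seen[e], p.name))
            first_seen.setdefault(e, p.name)
    return dups


if __name__ == "__main__":
    a = Ikev2Profile("A", 1, [("range", "2.2.2.1", "2.2.2.100")])
    b = Ikev2Profile("B", 2, [("range", "2.2.2.1", "2.2.2.10")])
    print(select_profile([a, b], ("address", "2.2.2.6"), "3.3.3.3").name)   # A
    b.local_addresses.append("3.3.3.3")      # match local address 3.3.3.3 on profile B
    print(select_profile([a, b], ("address", "2.2.2.6"), "3.3.3.3").name)   # B
```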

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Configure the IKEv2 profile to match the peer ID that is FQDN name www.test.com.

[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com

# Configure the IKEv2 profile to match the peer ID that is IP address 10.1.1.1.

[Sysname-ikev2-profile-profile1] match remote identity address 10.1.1.1

Related commands

identity local

match local address

match vrf

match vrf (IKEv2 policy view)

Use match vrf to specify a VPN instance that an IKEv2 policy matches.

Use undo match vrf to restore the default.

Syntax

match vrf { name vrf-name | any }

undo match vrf

Default

No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs.

IKEv2 policies with this command configured are looked up before those that do not have this command configured.

Examples

# Create an IKEv2 policy named policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

# Configure the IKEv2 policy to match VPN instance vpn1.

[Sysname-ikev2-policy-policy1] match vrf name vpn1

Related commands

display ikev2 policy

match local address

match vrf (IKEv2 profile view)

Use match vrf to specify a VPN instance for an IKEv2 profile.

Use undo match vrf to restore the default.

Syntax

match vrf { name vrf-name | any }

undo match vrf

Default

The IKEv2 profile belongs to the public network.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation. The VPN instance is the VPN instance to which the interface that receives IKEv2 packets belongs. If you specify the any keyword, interfaces in any VPN instance can use the IKEv2 profile for IKEv2 negotiation.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify vrf1 as the VPN instance that the IKEv2 profile belongs to.

[Sysname-ikev2-profile-profile1] match vrf name vrf1

Related commands

match remote

nat-keepalive

Use nat-keepalive to set the NAT keepalive interval.

Use undo nat-keepalive to restore the default.

Syntax

nat-keepalive seconds

undo nat-keepalive

Default

The NAT keepalive interval set in system view is used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Set the NAT keepalive interval to 1200 seconds.

[Sysname-ikev2-profile-profile1] nat-keepalive 1200

Related commands

display ikev2 profile

ikev2 nat-keepalive

peer

Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer.

Use undo peer to delete an IKEv2 peer.

Syntax

peer name

undo peer name

Default

No IKEv2 peers exist.

Views

IKEv2 keychain view

Predefined user roles

network-admin

Parameters

name: Specifies a name for the IKEv2 peer. The peer name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IKEv2 peer contains a preshared key and the criteria for looking up the peer. The criteria for peer lookup include the peer's host name, IP address, IP address range, and ID. The IKEv2 negotiation initiator uses the peer's host name, IP address, or IP address range to look up its peer. The responder uses the peer's IP address, IP address range, or ID to look up its peer.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

Related commands

address

hostname

identity

ikev2 keychain

pre-shared-key

Use pre-shared-key to configure a preshared key.

Use undo pre-shared-key to delete a preshared key.

Syntax

pre-shared-key [ local | remote ] { ciphertext | plaintext } string

undo pre-shared-key [ local | remote ]

Default

No preshared key exists.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

local: Specifies a preshared key for certificate signing.

remote: Specifies a preshared key for certificate authentication.

ciphertext: Specifies a preshared key in encrypted form.

plaintext: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the preshared key. The key is case sensitive. Its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters.

Usage guidelines

If you specify the local or remote keyword, you configure an asymmetric key. If you specify neither the local nor the remote keyword, you configure a symmetric key.

To delete a key by using the undo command, you must specify the correct key type. For example, if you configure a key by using the pre-shared-key local command, you cannot delete the key by using the undo pre-shared-key or undo pre-shared-key remote command.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

·     On the initiator:

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Configure 111-key as the symmetric plaintext preshared key.

[Sysname-ikev2-keychain-key1-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-key1-peer-peer1] quit

# Create an IKEv2 peer named peer2.

[Sysname-ikev2-keychain-key1] peer peer2

# Configure asymmetric plaintext preshared keys. The key for certificate signing is 111-key-a and the key for certificate authentication is 111-key-b.

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b

·     On the responder:

# Create an IKEv2 keychain named telecom.

<Sysname> system-view

[Sysname] ikev2 keychain telecom

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-telecom] peer peer1

# Configure 111-key as the symmetric plaintext preshared key.

[Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-telecom-peer-peer1] quit

# Create an IKEv2 peer named peer2.

[Sysname-ikev2-keychain-telecom] peer peer2

# Configure asymmetric plaintext preshared keys. The key for certificate signing is 111-key-b and the key for certificate authentication is 111-key-a.

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key local plaintext 111-key-b

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key remote plaintext 111-key-a
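The following Python model is an added illustration, not part of this command reference or of H3C's software. It shows why the asymmetric keys above must be mirrored (the initiator's local key is the responder's remote key, and vice versa): per RFC 7296 section 2.15, each peer signs its AUTH payload with the key it holds for itself, and the other peer verifies that payload with the key it holds for the remote side. HMAC-SHA256 is assumed as the PRF (the prf sha256 setting), and the signed octets are constructed placeholders.

```python
import hmac
import hashlib

# RFC 7296 section 2.15, pre-shared-key authentication:
#   AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
# The PRF is assumed to be HMAC-SHA256 (proposal setting "prf sha256").
KEY_PAD = b"Key Pad for IKEv2"

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def compute_auth(shared_secret: str, signed_octets: bytes) -> bytes:
    """AUTH payload a peer produces when signing with its local key."""
    return prf(prf(shared_secret.encode(), KEY_PAD), signed_octets)

def verify_auth(shared_secret: str, signed_octets: bytes, auth: bytes) -> bool:
    """Check a received AUTH payload with the key held for the remote side."""
    return hmac.compare_digest(compute_auth(shared_secret, signed_octets), auth)

class Peer:
    """Keys set with pre-shared-key local / remote (symmetric when both are equal)."""
    def __init__(self, name: str, local_key: str, remote_key: str):
        self.name, self.local_key, self.remote_key = name, local_key, remote_key

def authenticate(a: Peer, b: Peer, a_octets: bytes, b_octets: bytes) -> bool:
    """Mutual PSK authentication: each side signs with its local key and the
    other side verifies with its remote key. True only if both directions pass."""
    a_auth = compute_auth(a.local_key, a_octets)
    b_auth = compute_auth(b.local_key, b_octets)
    return (verify_auth(b.remote_key, a_octets, a_auth)
            and verify_auth(a.remote_key, b_octets, b_auth))

# Constructed stand-ins for the real signed octets (RealMessage | Nonce | prf(SK_p, ID)).
INIT_OCTETS = b"constructed-initiator-signed-octets"
RESP_OCTETS = b"constructed-responder-signed-octets"

# Mirrors the documented peer2 configuration on the initiator and the responder.
initiator = Peer("initiator", local_key="111-key-a", remote_key="111-key-b")
responder = Peer("responder", local_key="111-key-b", remote_key="111-key-a")
# Misconfiguration: the responder copied the initiator's keys instead of swapping them.
bad_responder = Peer("responder", local_key="111-key-a", remote_key="111-key-b")

if __name__ == "__main__":
    print("mirrored keys: ", authenticate(initiator, responder, INIT_OCTETS, RESP_OCTETS))
    print("unswapped keys:", authenticate(initiator, bad_responder, INIT_OCTETS, RESP_OCTETS))
```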

Related commands

ikev2 keychain

peer

prf

Use prf to specify pseudo-random function (PRF) algorithms for an IKEv2 proposal.

Use undo prf to restore the default.

Syntax

prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo prf

Default

An IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Specifies the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Specifies the HMAC-MD5 algorithm.

sha1: Specifies the HMAC-SHA1 algorithm.

sha256: Specifies the HMAC-SHA256 algorithm.

sha384: Specifies the HMAC-SHA384 algorithm.

sha512: Specifies the HMAC-SHA512 algorithm.

Usage guidelines

You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Create an IKEv2 proposal named prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

# Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] prf sha1 md5

Related commands

ikev2 proposal

integrity

priority (IKEv2 policy view)

Use priority to set a priority for an IKEv2 policy.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 policy is 100.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

priority: Specifies the priority of the IKEv2 policy, in the range of 1 to 65535. A smaller number represents a higher priority.

Usage guidelines

The priority set by this command is used only to adjust the match order of IKEv2 policies.

Examples

# Set the priority to 10 for IKEv2 policy policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] priority 10

Related commands

display ikev2 policy

priority (IKEv2 profile view)

Use priority to set a priority for an IKEv2 profile.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 profile is 100.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535. A smaller number represents a higher priority.

Usage guidelines

The priority set by this command is used only to adjust the match order of IKEv2 profiles.

Examples

# Set the priority to 10 for IKEv2 profile profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1] priority 10

proposal

Use proposal to specify an IKEv2 proposal for an IKEv2 policy.

Use undo proposal to remove an IKEv2 proposal from an IKEv2 policy.

Syntax

proposal proposal-name

undo proposal proposal-name

Default

No IKEv2 proposal is specified for an IKEv2 policy.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.

Examples

# Specify IKEv2 proposal proposal1 for IKEv2 policy policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] proposal proposal1

Related commands

display ikev2 policy

ikev2 proposal

reset ikev2 sa

Use reset ikev2 sa to delete IKEv2 SAs.

Syntax

reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]

Views

User view

Predefined user roles

network-admin

Parameters

local: Deletes IKEv2 SAs for a local IP address.

remote: Deletes IKEv2 SAs for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Deletes IKEv2 SAs in a VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command deletes IKEv2 SAs for the public network.

tunnel tunnel-id: Deletes IKEv2 SAs for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

fast: Notifies the peers of the deletion and deletes the IKEv2 SAs immediately, without waiting for the peers' responses. If you do not specify this keyword, the device notifies the peers of the deletion and deletes the IKEv2 SAs only after it receives the peers' responses.

Usage guidelines

Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.

If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.

Examples

# Display information about IKEv2 SAs.

<Sysname> display ikev2 sa
     Tunnel ID          Local             Remote             Status
  --------------------------------------------------------------------
     1                  1.1.1.1/500       1.1.1.2/500        EST
     2                  2.2.2.1/500       2.2.2.2/500        EST
  Status:
  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

# Delete the IKEv2 SA whose remote IP address is 1.1.1.2.

<Sysname> reset ikev2 sa remote 1.1.1.2

# Display information about IKEv2 SAs again. Verify that the IKEv2 SA is deleted.

<Sysname> display ikev2 sa
     Tunnel ID          Local             Remote             Status
  --------------------------------------------------------------------
     2                  2.2.2.1/500       2.2.2.2/500        EST
  Status:
  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

Related commands

display ikev2 sa

reset ikev2 statistics

Use reset ikev2 statistics to clear IKEv2 statistics.

Syntax

reset ikev2 statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear IKEv2 statistics.

<Sysname> reset ikev2 statistics

Related commands

display ikev2 statistics

sa duration

Use sa duration to set the IKEv2 SA lifetime.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The IKEv2 SA lifetime is 86400 seconds.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.

Usage guidelines

An IKEv2 SA can be reused for subsequent IKEv2 negotiations before its lifetime expires, which saves negotiation time. However, the longer the lifetime, the more time an attacker has to collect enough information to mount an attack.

Two peers can have different IKEv2 SA lifetime settings, and they do not negotiate the lifetime. The peer with the shorter lifetime always initiates the rekeying.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Set the IKEv2 SA lifetime to 1200 seconds.

[Sysname-ikev2-profile-profile1] sa duration 1200

Related commands

display ikev2 profile

 
