Contents

IKEv2 commands· 1

aaa authorization· 1

address· 2

authentication-method· 3

certificate domain· 4

config-exchange· 5

dh· 6

display ikev2 policy· 7

display ikev2 profile· 8

display ikev2 proposal 9

display ikev2 sa· 10

display ikev2 statistics· 14

dpd· 15

encryption· 16

hostname· 17

identity· 18

identity local 19

ikev2 address-group· 20

ikev2 cookie-challenge· 21

ikev2 dpd· 22

ikev2 ipv6-address-group· 23

ikev2 keychain· 23

ikev2 nat-keepalive· 24

ikev2 policy· 25

ikev2 profile· 26

ikev2 proposal 26

inside-vrf 27

integrity· 28

keychain· 29

match local (IKEv2 profile view) 30

match local address (IKEv2 policy view) 31

match remote· 32

match vrf (IKEv2 policy view) 33

match vrf (IKEv2 profile view) 34

nat-keepalive· 35

peer 35

pre-shared-key· 36

prf 38

priority (IKEv2 policy view) 39

priority (IKEv2 profile view) 39

proposal 40

reset ikev2 sa· 41

reset ikev2 statistics· 42

sa duration· 42

IKEv2 commands

 

aaa authorization

Use aaa authorization to enable IKEv2 AAA authorization.

Use undo aaa authorization to disable IKEv2 AAA authorization.

Syntax

aaa authorization domain domain-name username user-name

undo aaa authorization

Default

IKEv2 AAA authorization is disabled.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

username user-name: Specifies the username used for requesting authorization attributes. The username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:

·     The username cannot contain the domain name.

·     The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The username cannot be a, al, or all.

Usage guidelines

The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 address pool, from AAA.

IKEv2 uses the ISP domain and username to request authorization attributes. AAA uses the authorization settings in the ISP domain to request the user's authorization attributes from the remote AAA server or the local user database. After IKEv2 passes the username authentication, it obtains the authorization attributes.

This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Enable AAA authorization. Specify ISP domain name abc and username test.

[Sysname-ikev2-profile-profile1] aaa authorization domain abc username test

Related commands

display ikev2 profile

address

Use address to specify the IP address or IP address range of an IKEv2 peer.

Use undo address to restore the default.

Syntax

address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }

undo address

Default

The IKEv2 peer's IP address or IP address range is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the IKEv2 peer.

mask: Specifies the subnet mask of the IPv4 address.

mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.

ipv6 ipv6-address: Specifies the IPv6 address of the IKEv2 peer.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

Usage guidelines

Both the initiator and the responder can look up an IKEv2 peer by IP address in IKEv2 negotiation.

The IP addresses of different IKEv2 peers in the same IKEv2 keychain cannot be the same.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the IKEv2 peer's IP address 3.3.3.3 with subnet mask 255.255.255.0.

[Sysname-ikev2-keychain-key1-peer-peer1] address 3.3.3.3 255.255.255.0

Related commands

ikev2 keychain

peer

authentication-method

Use authentication-method to specify the local or remote identity authentication method.

Use undo authentication-method to remove the local or remote identity authentication method.

Syntax

authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

undo authentication-method local

undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

Default

No local or remote identity authentication method is specified.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

local: Specifies the local identity authentication method.

remote: Specifies the remote identity authentication method.

dsa-signature: Specifies the DSA signatures as the identity authentication method.

ecdsa-signature: Specifies the ECDSA signatures as the identity authentication method.

pre-share: Specifies the preshared key as the identity authentication method.

rsa-signature: Specifies the RSA signatures as the identity authentication method.

Usage guidelines

The local and remote identity authentication methods must both be specified and they can be different.

You can specify only one local identity authentication method. You can specify multiple remote identity authentication methods by executing this command multiple times when there are multiple remote ends whose authentication methods are unknown.

If you use RSA, DSA, or ECDSA signature authentication, you must specify PKI domains for obtaining certificates. You can specify PKI domains by using the certificate domain command in IKEv2 profile view. If you do not specify PKI domains in IKEv2 profile view, the PKI domains configured by the pki domain command in system view will be used.

If you specify the preshared key method, you must specify a preshared key for the IKEv2 peer in the keychain used by the IKEv2 profile.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the preshared key and RSA signatures as the local and remote authentication methods, respectively.

[Sysname-ikev2-profile-profile1] authentication local pre-share

[Sysname-ikev2-profile-profile1] authentication remote rsa-signature

# Specify PKI domain genl as the PKI domain for obtaining certificates.

[Sysname-ikev2-profile-profile1] certificate domain genl

# Specify IKEv2 keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands

display ikev2 profile

certificate domain (IKEv2 profile view)

keychain (IKEv2 profile view)

certificate domain

Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.

Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.

Syntax

certificate domain domain-name [ sign | verify ]

undo certificate domain domain-name

Default

PKI domains configured in system view are used for signature authentication.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

sign: Uses the local certificate in the PKI domain to generate a signature.

verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.

Usage guidelines

If you do not specify the sign or verify keyword, the PKI domain is used for both sign and verify purposes. You can specify a PKI domain for each purpose by executing this command multiple times. If you specify the same PKI domain for both purposes, the later configuration takes effect. For example, if you execute certificate domain abc sign and certificate domain abc verify successively, the PKI domain abc will be used only for verification.

If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI domains, the PKI domains configured in system view will be used.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify PKI domain abc for signature. Specify PKI domain def for verification.

[Sysname-ikev2-profile-profile1] certificate domain abc sign

[Sysname-ikev2-profile-profile1] certificate domain def verify

Related commands

authentication-method

pki domain (Security Command Reference)

config-exchange

Use config-exchange to enable configuration exchange.

Use undo config-exchange to disable configuration exchange.

Syntax

config-exchange { request | set { accept | send } }

undo config-exchange { request | set { accept | send } }

Default

Configuration exchange is disabled.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

request: Enables the device to send request messages carrying the configuration request payload during the IKE_AUTH exchange.

set: Specifies the configuration set payload exchange.

accept: Enables the device to accept the configuration set payload carried in Info messages.

send: Enables the device to send Info messages carrying the configuration set payload.

Usage guidelines

The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response. The enterprise center can push IP addresses to branches. The branches can request IP addresses, but the requested IP addresses cannot be used.

You can specify both request and set for the device.

If you specify request for the local end, the remote end will respond if it can obtain the requested data through AAA authorization.

If you specify set send for the local end, you must specify set accept for the remote end.

The device with set send specified pushes an IP address after the IKEv2 SA is set up if it does not receive any configuration request from the peer.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Enable the local end to add the configuration request payload to the request message of IKE_AUTH exchange.

[Sysname-ikev2-profile-profile1] config-exchange request

Related commands

aaa authorization

display ikev2 profile

dh

Use dh to specify DH groups to be used in IKEv2 key negotiation.

Use undo group to restore the default.

Syntax

dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *

undo dh

Default

No DH group is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

group1: Uses the 768-bit Diffie-Hellman group.

group2: Uses the 1024-bit Diffie-Hellman group.

group5: Uses the 1536-bit Diffie-Hellman group.

group14: Uses the 2048-bit Diffie-Hellman group.

group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.

group19: Uses the 256-bit ECP Diffie-Hellman group.

group20: Uses the 384-bit ECP Diffie-Hellman group.

Usage guidelines

A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose proper DH groups for your network.

You must specify a minimum of one DH group for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.

You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher priority.

Examples

# Specify DH group 1 for IKEv2 proposal 1.

<Sysname> system-view

[Sysname] ikev2 proposal 1

[Sysname-ikev2-proposal-1] dh group1

Related commands

ikev2 proposal

display ikev2 policy

Use display ikev2 policy to display the IKEv2 policy configuration.

Syntax

display ikev2 policy [ policy-name | default ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 policy.

Usage guidelines

If you do not specify any parameters, this command displays the configuration of all IKEv2 policies.

Examples

# Display the configuration of all IKEv2 policies.

<Sysname> display ikev2 policy

IKEv2 policy: 1

  Priority: 100

  Match local address: 1.1.1.1

  Match local address ipv6: 1:1::1:1

  Match VRF: vpn1

  Proposal: 1

  Proposal: 2

IKEv2 policy: default

  Match VRF: any

  Proposal: default

Table 1 Command output

Field	Description
IKEv2 policy	Name of the IKEv2 policy.
Priority	Priority of the IKEv2 policy.
Match local address	IPv4 address to which the IKEv2 policy can be applied.
Match local address ipv6	IPv6 address to which the IKEv2 policy can be applied.
Match VRF	VPN instance to which the IKEv2 policy can be applied.
Proposal	IKEv2 proposal that the IKEv2 policy uses.

 

Related commands

ikev2 policy

display ikev2 profile

Use display ikev2 profile to display the IKEv2 profile configuration.

Syntax

display ikev2 profile [ profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.

Examples

# Display the configuration of all IKEv2 profiles.

<Sysname> display ikev2 profile

IKEv2 profile: 1

  Priority: 100

  Match criteria:

    Local address 1.1.1.1

    Local address Vlan-interface100

    Local address 1:1::1:1

    Remote identity ipv4 address 3.3.3.3/32

    VRF vrf1

  Inside-vrf:

  Local identity: address 1.1.1.1

  Local authentication method: pre-share

  Remote authentication methods: pre-share

  Keychain: Keychain1

  Sign certificate domain:

     Domain1

     abc

  Verify certificate domain:

     Domain2

     yy

  SA duration: 500

  DPD: Interval 32, retry 23, periodic

  Config-exchange: Request, Set send, Set accept

  NAT keepalive: 10

  AAA authorization: Domain domain1, username ikev2

Table 2 Command output

Field	Description
IKEv2 profile	Name of the IKEv2 profile.
Priority	Priority of the IKEv2 profile.
Match criteria	Criteria for looking up the IKEv2 profile.
Inside-vrf	Inside VPN instance.
Local identity	ID of the local end.
Local authentication method	Method that the local end uses for authentication.
Remote authentication methods	Methods that the remote end uses for authentication.
Keychain	IKEv2 keychain that the IKEv2 profile uses.
Sign certificate domain	PKI domain used for signature generation.
Verify certificate domain	PKI domain used for verifying the remote end's certificate.
SA duration	Lifetime of the IKEv2 SA.
DPD	DPD settings: ·     Detection interval in seconds. ·     Retry interval in seconds. ·     Detection mode, on demand or periodically. If DPD is disabled, this field displays Disabled.
Config-exchange	Configuration exchange settings: ·     Request—The local end sends request messages carrying the configuration request payload during the IKE_AUTH exchange. ·     Set accept—The local end accepts the configuration set payload carried in Info messages. ·     Set send—The local end sends Info messages carrying the configuration set payload.
NAT keepalive	NAT keepalive interval in seconds.
AAA authorization	AAA authorization settings: ·     ISP domain name. ·     Username.

 

Related commands

ikev2 profile

display ikev2 proposal

Use display ikev2 proposal to display the IKEv2 proposal configuration.

Syntax

display ikev2 proposal [ name | default ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 proposal.

Usage guidelines

This command displays IKEv2 proposals in descending order of priorities. If you do not specify any parameters, this command displays the configuration of all IKEv2 proposals.

Examples

# Display the configuration of all IKEv2 proposals.

<Sysname> display ikev2 proposal

IKEv2 proposal : 1

  Encryption: 3DES-CBC AES-CBC-128 AES-CTR-192 CAMELLIA-CBC-128

  Integrity: MD5 SHA256

  PRF: MD5 SHA256

  DH Group: MODP1024/Group2 MODP1536/Group5

 

IKEv2 proposal : default

  Encryption: AES-CBC-128 3DES-CBC

  Integrity: SHA1 MD5

  PRF: SHA1 MD5

  DH Group: MODP1536/Group5 MODP1024/Group2

Table 3 Command output

Field	Description
IKEv2 proposal	Name of the IKEv2 proposal.
Encryption	Encryption algorithms that the IKEv2 proposal uses.
Integrity	Integrity protection algorithms that the IKEv2 proposal uses.
PRF	PRF algorithms that the IKEv2 proposal uses.
DH Group	DH groups that the IKEv2 proposal uses.

 

Related commands

ikev2 proposal

display ikev2 sa

Use display ikev2 sa to display the IKEv2 SA information.

Syntax

display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

count: Displays the number of IKEv2 SAs.

local: Displays IKEv2 SA information for a local IP address.

remote: Displays IKEv2 SA information for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information about IKEv2 SAs for the public network.

verbose: Displays detailed information. If you do not specify this keyword, the command displays the summary information.

tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKEv2 SAs.

Examples

# Display summary information about all IKEv2 SAs.

<Sysname> display ikev2 sa

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     1                  1.1.1.1/500       1.1.1.2/500        EST

     2                  2.2.2.1/500       2.2.2.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     1                  1.1.1.1/500       1.1.1.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

Table 4 Command output

Field	Description
Tunnel ID	ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local	Local IP address of the IKEv2 SA.
Remote	Remote IP address of the IKEv2 SA.
Status	Status of the IKEv2 SA: ·     IN-NEGO (Negotiating)—The IKEv2 SA is under negotiation. ·     EST (Established)—The IKEv2 SA has been set up. ·     DEL (Deleting)—The IKEv2 SA is about to be deleted.

 

# Display detailed information about all IKEv2 SAs.

<Sysname> display ikev2 sa verbose

  Tunnel ID: 1

  Local IP/Port: 1.1.1.1/500

  Remote IP/Port: 1.1.1.2/500

  Outside VRF: -

  Inside VRF: -

  Local SPI: 8f8af3dbf5023a00

  Remote SPI: 0131565b9b3155fa

 

  Local ID type: FQDN

  Local ID: device_a

  Remote ID type: FQDN

  Remote ID: device_b

 

  Auth sign method: Pre-shared key

  Auth verify method: Pre-shared key

  Integrity algorithm: HMAC_MD5

  PRF algorithm: HMAC_MD5

  Encryption algorithm: AES-CBC-192

 

  Life duration: 86400 secs

  Remaining key duration: 85604 secs

  Diffie-Hellman group: MODP1024/Group2

  NAT traversal: Not detected

  DPD: Interval 20 secs, retry interval 2 secs

  Transmitting entity: Initiator

 

  Local window: 1

  Remote window: 1

  Local request message ID: 2

  Remote request message ID:2

  Local next message ID: 0

  Remote next message ID: 0

 

  Pushed IP address: 192.168.1.5

  Assigned IP address: 192.168.2.24

 

# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2 verbose

  Tunnel ID: 1

  Local IP/Port: 1.1.1.1/500

  Remote IP/Port: 1.1.1.2/500

  Outside VRF: -

  Inside VRF: -

  Local SPI: 8f8af3dbf5023a00

  Remote SPI: 0131565b9b3155fa

 

  Local ID type: FQDN

  Local ID: device_a

  Remote ID type: FQDN

  Remote ID: device_b

 

  Auth sign method: Pre-shared key

  Auth verify method: Pre-shared key

  Integrity algorithm: HMAC_MD5

  PRF algorithm: HMAC_MD5

  Encryption algorithm: AES-CBC-192

 

  Life duration: 86400 secs

  Remaining key duration: 85604 secs

  Diffie-Hellman group: MODP1024/Group2

  NAT traversal: Not detected

  DPD: Interval 30 secs, retry interval 10 secs

  Transmitting entity: Initiator

 

  Local window: 1

  Remote window: 1

  Local request message ID: 2

  Remote request message ID: 2

  Local next message ID: 0

  Remote next message ID: 0

 

  Pushed IP address: 192.168.1.5

  Assigned IP address: 192.168.2.24

Table 5 Command output

Field	Description
Tunnel ID	ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local IP/Port	IP address and port number of the local security gateway.
Remote IP/Port	IP address and port number of the remote security gateway.
Outside VRF	Name of the VPN instance to which the protected outbound data flow belongs. If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).
Inside VRF	Name of the VPN instance to which the protected inbound data flow belongs. If the protected inbound data flow belongs to the public network, this field displays a hyphen (-).
Local SPI	SPI that the local end uses.
Remote SPI	SPI that the remote end uses.
Local ID type	ID type of the local security gateway.
Local ID	ID of the local security gateway.
Remote ID type	ID type of the remote security gateway.
Remote ID	ID of the remote security gateway.
Auth sign method	Signature method that the IKEv2 proposal uses in authentication.
Auth verify method	Verification method that the IKEv2 proposal uses in authentication.
Integrity algorithm	Integrity protection algorithms that the IKEv2 proposal uses.
PRF algorithm	PRF algorithms that the IKEv2 proposal uses.
Encryption algorithm	Encryption algorithms that the IKEv2 proposal uses.
Life duration	Lifetime of the IKEv2 SA, in seconds.
Remaining key duration	Remaining lifetime of the IKEv2 SA, in seconds.
Diffie-Hellman group	DH groups used in IKEv2 key negotiation.
NAT traversal	Whether a NAT gateway is detected between the local and remote ends.
DPD	DPD settings: ·     Detection interval in seconds. ·     Retry interval in seconds. If DPD is disabled, this field displays Interval 0 secs, retry interval 0 secs.
Transmitting entity	Role of the local end in IKEv2 negotiation, initiator or responder.
Local window	Window size that the local end uses.
Remote window	Window size that the remote end uses.
Local request message ID	ID of the request message that the local end is about to send.
Remote request message ID	ID of the request message that the remote end is about to send.
Local next message ID	ID of the message that the local end expects to receive.
Remote next message ID	ID of the message that the remote end expects to receive.
Pushed IP address	IP address pushed to the local end by the remote end.
Assigned IP address	IP address assigned to the remote end by the local end .

 

# Display the number of IKEv2 SAs.

[Sysname] display ikev2 sa count

IKEv2 SAs count: 0

display ikev2 statistics

Use display ikev2 statistics to display IKEv2 statistics.

Syntax

display ikev2 statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IKEv2 statistics.

<Sysname> display ikev2 statistics

IKEv2 statistics:

  Unsupported critical payload: 0

  Invalid IKE SPI: 0

  Invalid major version: 0

  Invalid syntax: 0

  Invalid message ID: 0

  Invalid SPI: 0

  No proposal chosen: 0

  Invalid KE payload: 0

  Authentication failed: 0

  Single pair required: 0

  TS unacceptable: 0

  Invalid selectors: 0

  Temporary failure: 0

  No child SA: 0

  Unknown other notify: 0

  No enough resource: 0

  Enqueue error: 0

  No IKEv2 SA: 0

  Packet error: 0

  Other error: 0

  Retransmit timeout: 0

  DPD detect error: 0

  Del child for IPsec message: 1

  Del child for deleting IKEv2 SA: 1

  Del child for receiving delete message: 0

Related commands

reset ikev2 statistics

dpd

Use dpd to configure IKEv2 DPD.

Use undo dpd to disable IKEv2 DPD.

Syntax

dpd interval interval [ retry seconds ] { on-demand | periodic }

undo dpd interval

Default

IKEv2 DPD is disabled. The global IKEv2 DPD settings are used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

retry seconds Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.

Examples

# Configure on-demand IKEv2 DPD. Set the DPD triggering interval to 10 seconds and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1] dpd interval 10 retry 5 on-demand

Related commands

ikev2 dpd

encryption

Use encryption to specify encryption algorithms for an IKEv2 proposal.

Use undo encryption to restore the default.

Syntax

encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *

undo encryption

Default

No encryption algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.

aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.

aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.

aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key.

aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key.

aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key.

camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key.

camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key.

camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key.

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 56-bit key.

Usage guidelines

You must specify a minimum of one encryption algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple encryption algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Specify the 168-bit 3DES algorithm in CBC mode as the encryption algorithm for IKE proposal prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption 3des-cbc

Related commands

ikev2 proposal

hostname

Use hostname to specify the host name of an IKEv2 peer.

Use undo hostname to restore the default.

Syntax

hostname name

undo hostname

Default

The IKEv2 peer's host name is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 253 characters.

Usage guidelines

Only the initiator can look up an IKEv2 peer by host name in IKEv2 negotiation, and the initiator must use an IPsec policy.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify host name test of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] hostname test

Related commands

ikev2 keychain

peer

identity

Use identity to specify the ID of an IKEv2 peer.

Use undo identity to restore the default.

Syntax

identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string }

undo identity

Default

The IKEv2 peer's ID is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the peer.

ipv6 ipv6-address: Specifies the IPv6 address of the peer.

fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

email email-string: Specifies the email address of the peer. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].

key-id key-id-string: Specifies the remote gateway's key ID. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

Only the responder can look up an IKEv2 peer by ID in IKEv2 negotiation. The initiator does not know the peer ID when initiating the IKEv2 negotiation, so it cannot use an ID for IKEv2 peer lookup.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify IPv4 address 1.1.1.2 as the ID of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2

Related commands

ikev2 keychain

peer

identity local

Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation..

Use undo identity local to restore the default.

Syntax

identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }

undo identity local

Default

No local ID is configured. The IP address of the interface to which the IPsec policy is applied is used as the local ID.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.

dn: Uses the DN in the local certificate as the local ID.

email email-string: Uses an email address as the local ID. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].

fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

key-id key-id-string: Uses the device's key ID as the local ID. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

Peers exchange local IDs for identifying each other in negotiation.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Use IP address 2.2.2.2 as the local ID.

[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2

Related commands

peer

ikev2 address-group

Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to remote peers.

Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool.

Syntax

ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]

undo ikev2 address-group group-name [ start-ipv4-address [ end-ipv4-address ] ]

Default

No IKEv2 IPv4 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies an name for the IKEv2 IPv4 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.

start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.

mask: Specifies the IPv4 address mask.

mask-length: Specifies the length of the IPv4 address mask.

Usage guidelines

An IKE IPv4 address pool can contain a maximum of 8192 IPv4 addresses.

Follow these guidelines when you delete IKEv2 IPv4 address pools:

·     To delete all IPv4 address pools with a designated group name, use the undo ikev2 address-group group-name command.

·     To delete an IPv4 address pool that contains only one IP address, use the undo ikev2 address-group group-name start-ipv4-address command.

·     To delete a specific IPv4 address pool, use the undo ikev2 address-group group-name start-ipv4-address end-ipv4-address command.

·     If the IPv4 address pool with the specified name and address range does not exist, no address group will be deleted.

Examples

# Configure an IKEv2 IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask 255.255.255.0.

<Sysname> system-view

[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0

# Configure an IKEv2 IPv4 address pool with name ipv4group, address range 1.1.1.1 to 1.1.1.2, and mask length 32.

<Sysname> system-view

[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 32

# Delete IKEv2 IPv4 address pool ipv4group with address range 1.1.1.1 to 1.1.1.2.

<Sysname> system-view

[Sysname] undo ikev2 address-group ipv4group 1.1.1.1 1.1.1.2

Related commands

address-group

ikev2 cookie-challenge

Use ikev2 cookie-challenge to enable the cookie challenging feature.

Use undo ikev2 cookie-challenge to disable the cookie challenging feature.

Syntax

ikev2 cookie-challenge number

undo ikev2 cookie-challenge

Default

The cookie challenging feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 0 to 1000 half-open IKE SAs.

Usage guidelines

When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.

This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.

Examples

# Enable the cookie challenging feature and set the threshold to 450.

<Sysname> system-view

[Sysname] ikev2 cookie-challenge 450

ikev2 dpd

Use ikev2 dpd to configure global IKEv2 DPD.

Use undo ikev2 dpd to disable global IKEv2 DPD.

Syntax

ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }

undo ikev2 dpd interval

Default

The global IKEv2 DPD feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.

You can configure IKEv2 DPD in both IKEv2 profile view and system view. The IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.

Examples

# Configure the device to trigger IKEv2 DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for 15 seconds.

<Sysname> system-view

[Sysname] ikev2 dpd interval 15 on-demand

# Configure the device to trigger IKEv2 DPD every 15 seconds.

<Sysname> system-view

[Sysname] ikev2 dpd interval 15 periodic

Related commands

dpd (IKEv2 profile view)

ikev2 ipv6-address-group

Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6 addresses to remote peers.

Use undo ikev2 ipv6-address-group to delete an IKEv2 IPv6 address pool.

Syntax

ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len

undo ikev2 ipv6-address-group group-name

Default

No IKEv2 IPv6 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKEv2 IPv6 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.

prefix prefix/prefix-len: Specifies an IPv6 prefix in the format of prefix/prefix length. The value range for the prefix-len argument is 1 to 128.

assign-len assign-len: Specifies the assigned prefix length. The value range for the assign-len argument is 0 to 128, and the value must be greater than or equal to prefix-len. The difference between assign-len and prefix-len must be no more than 16.

Usage guidelines

Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the IKEv2 IPv6 address pool. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to other devices.

IKEv2 IPv6 address pools cannot overlap with each other.

Examples

# Configure an IKEv2 IPv6 address pool with name ipv6group, prefix 1:1::/64, and assigned prefix length 80.

<Sysname> system-view

[Sysname] ikev2 ipv6-address-group ipv6group prefix 1:1::/64 assign-len 80

Related commands

ipv6-address-group

ikev2 keychain

Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing IKEv2 keychain.

Use undo ikev2 keychain to delete an IKEv2 keychain.

Syntax

ikev2 keychain keychain-name

undo ikev2 keychain keychain-name

Default

No IKEv2 keychains exist.

Views

System view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies a name for the IKEv2 keychain. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses preshared key authentication. The preshared key configured on both ends must be the same.

You can configure multiple IKEv2 peers in an IKEv2 keychain.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.

<Sysname> system-view

[Sysname] ikev2 keychain key1

[Sysname-ikev2-keychain-key1]

ikev2 nat-keepalive

Use ikev2 nat-keepalive to set the NAT keepalive interval.

Use undo ikev2 nat-keepalive to restore the default.

Syntax

ikev2 nat-keepalive seconds

undo ikev2 nat-keepalive

Default

The NAT keepalive interval is 10 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ikev2 nat-keepalive 5

ikev2 policy

Use ikev2 policy to create an IKEv2 policy and enter its view, or enter the view of an existing IKEv2 policy.

Use undo ikev2 policy to delete an IKEv2 policy.

Syntax

ikev2 policy policy-name

undo ikev2 policy policy-name

Default

An IKEv2 policy named default exists, which uses the default IKEv2 proposal and matches any local addresses.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a name for the IKEv2 policy. The policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs. An IKEv2 policy uses IKEv2 proposals to define the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups to be used for negotiation.

You can configure multiple IKEv2 policies. An IKEv2 policy must have a minimum of one IKEv2 proposal. Otherwise, the policy is incomplete.

If the initiator uses an IPsec policy that is bound to a source interface, the initiator looks up an IKEv2 policy by the IP address of the source interface.

You can set priorities to adjust the match order of IKEv2 policies that have the same match criteria.

If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the default IKEv2 policy, nor modify it.

Examples

# Create an IKEv2 policy named policy1 and enter IKEv2 policy view.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1]

Related commands

display ikev2 policy

ikev2 profile

Use ikev2 profile to create an IKEv2 profile and enter its view, or enter the view of an existing IKEv2 profile.

Use undo ikev2 profile to delete an IKEv2 profile.

Syntax

ikev2 profile profile-name

undo ikev2 profile profile-name

Default

No IKEv2 profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a name for the IKEv2 profile. The profile name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity information and authentication methods of the peers, and the matching criteria for profile lookup.

Examples

# Create an IKEv2 profile named profile1 and enter IKEv2 profile view.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1]

Related commands

display ikev2 profile

ikev2 proposal

Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing IKEv2 proposal.

Use undo ikev2 proposal to delete an IKEv2 proposal.

Syntax

ikev2 proposal proposal-name

undo ikev2 proposal proposal-name

Default

An IKEv2 proposal named default exists.

·     Encryption algorithm—AES-CBC-128 and 3DES.

·     Integrity protection algorithm—HMAC-SHA1 and HMAC-MD5.

·     PRF algorithm—HMAC-SHA1 and HMAC-MD5.

·     DH group—Group 5 and group 2.

Views

System view

Predefined user roles

network-admin

Parameters

proposal-name: Specifies a name for the IKEv2 proposal. The proposal name is a case-insensitive string of 1 to 63 characters and cannot be default.

Usage guidelines

An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups.

An IKEv2 proposal must have a minimum of one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.

In an IKEv2 proposal, you can specify multiple parameters of the same type. The parameters of different types combine and form multiple sets of security parameters. If you want to use only one set of security parameters, configure only one set of security parameters for the IKEv2 proposal.

Examples

# Create an IKEv2 proposal named prop1. Specify encryption algorithm AES-CBC-128, integrity protection algorithm SHA1, PRF algorithm SHA1, and DH group 2.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption aes-cbc-128

[Sysname-ikev2-proposal-prop1] integrity sha1

[Sysname-ikev2-proposal-prop1] prf sha1

[Sysname-ikev2-proposal-prop1] dh group2

Related commands

encryption-algorithm

integrity

prf

dh

inside-vrf

Use inside-vrf to specify an inside VPN instance.

Use undo inside-vrf to restore the default.

Syntax

inside-vrf vrf-name

undo inside-vrf

Default

No inside VPN instance is specified. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

vrf-name: Specifies the VPN instance to which the protected data belongs. The vrf-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

This command determines where the device should forward received IPsec packets after it de-encapsulates them. If you configure this command, the device looks for a route in the specified VPN instance to forward the packets. If you do not configure this command, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify inside VPN instance vpn1.

[Sysname-ikev2-profile-profile1] inside-vrf vpn1

integrity

Use integrity to specify integrity protection algorithms for an IKEv2 proposal.

Use undo integrity to restore the default.

Syntax

integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo integrity

Default

No integrity protection algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Specifies the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Specifies the HMAC-MD5 algorithm.

sha1: Specifies the HMAC-SHA1 algorithm.

sha256: Specifies the HMAC-SHA256 algorithm.

sha384: Specifies the HMAC-SHA384 algorithm.

sha512: Specifies the HMAC-SHA512 algorithm.

Usage guidelines

You must specify a minimum of one integrity protection algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple integrity protection algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Create an IKEv2 proposal named prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

# Specify HMAC-SHA1 and HMAC-MD5 as the integrity protection algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] integrity sha1 md5

Related commands

ikev2 proposal

keychain

Use keychain to specify an IKEv2 keychain for preshared key authentication.

Use undo keychain to restore the default.

Syntax

keychain keychain-name

undo keychain

Default

No IKEv2 keychain is specified for an IKEv2 profile.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses preshared key authentication. You can specify only one IKEv2 keychain for an IKEv2 profile.

You can specify the same IKEv2 keychain for different IKEv2 profiles.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify IKEv2 keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands

display ikev2 profile

ikev2 keychain

match local (IKEv2 profile view)

Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be applied.

Use undo match local to remove a local interface or a local IP address to which an IKEv2 profile can be applied.

Syntax

match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

undo match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

Default

An IKEv2 profile can be applied to any local interface or IP address.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

address: Specifies a local interface or IP address to which an IKEv2 profile can be applied.

interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

Use this command to specify which address or interface can use the IKEv2 profile for IKEv2 negotiation. The interface is the interface that receives IKEv2 packets. The IP address is the IP address of the interface that receives IKEv2 packets.

An IKEv2 profile configured earlier has a higher priority. To give an IKEv2 profile that is configured later a higher priority, you can configure the priority command or this command for the profile. For example, suppose you configured IKEv2 profile A before configuring IKEv2 profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKEv2 profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKEv2 profile B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKEv2 profile A is preferred because IKEv2 profile A was configured earlier. To use IKEv2 profile B, you can use this command to restrict the application scope of IKEv2 profile B to IPv4 address 3.3.3.3.

You can specify multiple applicable local interfaces or IP addresses for an IKEv2 profile.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Apply IKEv2 profile profile1 to the interface whose IP address is 2.2.2.2.

[Sysname-ikev2-profile-profile1] match local address 2.2.2.2

Related commands

match remote

match local address (IKEv2 policy view)

Use match local address to specify a local interface or a local address that an IKEv2 policy matches.

Use undo match local address to remove a local interface or a local address that an IKEv2 policy matches.

Syntax

match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

undo match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

Default

No local interface or local address is specified, and the IKEv2 policy matches any local interface or local address.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

IKEv2 policies with this command configured are looked up before those that do not have this command configured.

Examples

# Configure IKEv2 policy policy1 to match local address 3.3.3.3.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] match local address 3.3.3.3

Related commands

display ikev2 policy

match vrf

match remote

Use match remote to configure a peer ID that an IKEv2 profile matches.

Use undo match remote to delete a peer ID that an IKEv2 profile matches.

Syntax

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask |mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

Default

No matching peer ID is configured for the IKEv2 profile.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2 profile matching. The policy-name argument specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.

identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified information is configured on the peer by using the identity local command.

·     address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32, and the default is 32.

·     address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

·     address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKEv2 profile matching. The value range for the prefix-length argument is 0 to 128, and the default is 128.

·     address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

·     fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

·     email email-string: Uses peer's email address as the peer ID for IKEv2 profile matching. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].

·     key-id key-id-string: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation.

If the device has the match remote, match vrf, and match local address commands configured, it uses the IKEv2 profile that matches all the criteria configured by the commands.

To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, which IKEv2 profile is selected for IKEv2 negotiation is unpredictable.

You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a higher priority.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Configure the IKEv2 profile to match the peer ID that is FQDN name www.test.com.

[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com

# Configure the IKEv2 profile to match the peer ID that is IP address 10.1.1.1.

[Sysname-ikev2-profile-profile1]match remote identity address 10.1.1.1

Related commands

identity local

match local address

match vrf

match vrf (IKEv2 policy view)

Use match vrf to specify a VPN instance that an IKEv2 policy matches.

Use undo match vrf to restore the default.

Syntax

match vrf { name vrf-name | any }

undo match vrf

Default

No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs.

IKEv2 policies with this command configured are looked up before those that do not have this command configured.

Examples

# Create an IKEv2 policy named policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

# Configure the IKEv2 policy to match VPN instance vpn1.

[Sysname-ikev2-policy-policy1] match vrf name vpn1

Related commands

display ikev2 policy

match local address

match vrf (IKEv2 profile view)

Use match vrf to specify a VPN instance for an IKEv2 profile.

Use undo match vrf to restore the default.

Syntax

match vrf { name vrf-name | any }

undo match vrf

Default

The IKEv2 profile belongs to the public network.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation. The VPN instance is the VPN instance to which the interface that receives IKEv2 packets belongs. If you specify the any keyword, interfaces in any VPN instance can use the IKEv2 profile for IKEv2 negotiation.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify vrf1 as the VPN instance that the IKEv2 profile belongs to.

[Sysname-ikev2-profile-profile1] match vrf name vrf1

Related commands

match remote

nat-keepalive

Use nat-keepalive to set the NAT keepalive interval.

Use undo nat-keepalive to restore the default.

Syntax

nat-keepalive seconds

undo nat-keepalive

Default

The NAT keepalive interval set in system view is used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Set the NAT keepalive interval to 1200 seconds.

[Sysname-ikev2-profile-profile1]nat-keepalive 1200

Related commands

display ikev2 profile

ikev2 nat-keepalive

peer

Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer.

Use undo peer to delete an IKEv2 peer.

Syntax

peer name

undo peer name

Default

No IKEv2 peers exist.

Views

IKEv2 keychain view

Predefined user roles

network-admin

Parameters

name: Specifies a name for the IKEv2 peer. The peer name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IKEv2 peer contains a preshared key and the criteria for looking up the peer. The criteria for peer lookup includes the peer's host name, IP address, IP address range, and ID. The IKEv2 negotiation initiator uses the peer's host name, IP address, or IP address range to look up its peer. The responder uses the peer's IP address, IP address range, or ID to look up its peer.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

Related commands

address

hostname

identity

ikev2 keychain

pre-shared-key

Use pre-shared-key to configure a preshared key.

Use undo pre-shared-key to delete a preshared key.

Syntax

pre-shared-key [ local | remote ] { ciphertext | plaintext } string

undo pre-shared-key [ local | remote ]

Default

No preshared key exists.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

local: Specifies a preshared key for certificate signing.

remote: Specifies a preshared key for certificate authentication.

ciphertext: Specifies a preshared key in encrypted form.

plaintext: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the preshared key. The key is case sensitive. Its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters.

Usage guidelines

If you specify the local or remote keyword, you configure an asymmetric key. If you specify neither the local nor the remote keyword, you configure a symmetric key.

To delete a key by using the undo command, you must specify the correct key type. For example, if you configure a key by using the pre-shared-key local command, you cannot delete the key by using the undo pre-shared-key or undo pre-shared-key remote command.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

·     On the initiator:

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Configure 111-key as the symmetric plaintext preshared key.

[Sysname-ikev2-keychain-key1-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-key1-peer-peer1] quit

# Create an IKEv2 peer named peer2.

[Sysname-ikev2-keychain-key1] peer peer2

# Configure asymmetric plaintext preshared keys. The key for certificate signing is 111-key-a and the key for certificate authentication is 111-key-b.

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b

·     On the responder:

# Create an IKEv2 keychain named telecom.

<Sysname> system-view

[Sysname] ikev2 keychain telecom

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-telecom] peer peer1

# Configure 111-key as the symmetric plaintext preshared key.

[Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-telecom-peer-peer1] quit

# Create an IKEv2 peer named peer2.

[Sysname-ikev2-keychain-telecom] peer peer2

# Configure asymmetric plaintext preshared keys. The key for certificate signing is 111-key-b and the key for certificate authentication is 111-key-a.

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key local plaintext 111-key-b

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key remote plaintext 111-key-a

Related commands

ikev2 keychain

peer

prf

Use prf to specify pseudo-random function (PRF) algorithms for an IKEv2 proposal.

Use undo prf to restore the default.

Syntax

prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo prf

Default

An IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Specifies the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Specifies the HMAC-MD5 algorithm.

sha1: Specifies the HMAC-SHA1 algorithm.

sha256: Specifies the HMAC-SHA256 algorithm.

sha384: Specifies the HMAC-SHA384 algorithm.

sha512: Specifies the HMAC-SHA512 algorithm.

Usage guidelines

You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Create an IKEv2 proposal named prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

# Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] prf sha1 md5

Related commands

ikev2 proposal

integrity

priority (IKEv2 policy view)

Use priority to set a priority for an IKEv2 policy.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 policy is 100.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

priority: Specifies the priority of the IKEv2 policy, in the range of 1 to 65535. A smaller number represents a higher priority.

Usage guidelines

The priority set by this command can only be used to adjust the match order of IKEv2 policies.

Examples

# Set the priority to 10 for IKEv2 policy policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] priority 10

Related commands

display ikev2 policy

priority (IKEv2 profile view)

Use priority to set a priority for an IKEv2 profile.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 profile is 100.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535. A smaller number represents a higher priority.

Usage guidelines

The priority set by this command can only be used to adjust the match order of IKEv2 profiles.

Examples

# Set the priority to 10 for IKEv2 profile profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1] priority 10

proposal

Use proposal to specify an IKEv2 proposal for an IKEv2 policy.

Use undo proposal to remove an IKEv2 proposal from an IKEv2 policy.

Syntax

proposal proposal-name

undo proposal proposal-name

Default

No IKEv2 proposal is specified for an IKEv2 policy.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.

Examples

# Specify IKEv2 proposal proposal1 for IKEv2 policy policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] proposal proposal1

Related commands

display ikev2 policy

ikev2 proposal

reset ikev2 sa

Use reset ikev2 sa to delete IKEv2 SAs.

Syntax

reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]

Views

User view

Predefined user roles

network-admin

Parameters

local: Deletes IKEv2 SAs for a local IP address.

remote: Deletes IKEv2 SAs for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Deletes IKEv2 SAs in a VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command deletes IKEv2 SAs for the public network.

tunnel tunnel-id: Deletes IKEv2 SAs for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

fast: Notifies the peers of the deletion and deletes IKEv2 SAs directly before receiving the peers' responses. If you do not specify this keyword, the device notifies the peers of the deletion and deletes IKEv2 SAs after it receives the peers' responses.

Usage guidelines

Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.

If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.

Examples

# Display information about IKEv2 SAs.

<Sysname> display ikev2 sa

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     1                  1.1.1.1/500       1.1.1.2/500        EST

     2                  2.2.2.1/500       2.2.2.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting   

# Delete the IKEv2 SA whose remote IP address is 1.1.1.2.

<Sysname> reset ikev2 sa remote 1.1.1.2

# Display information about IKEv2 SAs again. Verify that the IKEv2 SA is deleted.

<Sysname> display ikev2 sa

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     2                  2.2.2.1/500       2.2.2.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting   

Related commands

display ikev2 sa

reset ikev2 statistics

Use reset ikev2 statistics to clear IKEv2 statistics.

Syntax

reset ikev2 statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear IKEv2 statistics.

<Sysname> reset ikev2 statistics

Related commands

display ikev2 statistics

sa duration

Use sa duration to set the IKEv2 SA lifetime.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The IKEv2 SA lifetime is 86400 seconds.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.

Usage guidelines

An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot of negotiation time. However, the longer the lifetime, the higher the possibility that attackers collect enough information and initiate attacks.

Two peers can have different IKEv2 SA lifetime settings, and they do not perform lifetime negotiation. The peer with a shorter lifetime always initiates the rekeying.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Set the IKEv2 SA lifetime to 1200 seconds.

[Sysname-ikev2-profile-profile1] sa duration 1200

Related commands

display ikev2 profile