Configuring an IKE peer

For an IPsec policy that uses IKE, you must configure an IKE peer. To configure an IKE peer, perform the following steps (Step / Command / Remarks):

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IKE peer and enter IKE peer view.
   Command: ike peer peer-name
   Remarks: N/A

3. Specify the IKE negotiation mode for phase 1.
   Command: exchange-mode main
   Remarks: Optional. The default is main.

4. Specify the IKE proposals for the IKE peer to reference.
   Command: proposal proposal-number&<1-6>
   Remarks: Optional. By default, an IKE peer references no IKE proposals and, when initiating IKE negotiation, uses the IKE proposals configured in system view.

5. Configure the pre-shared key for pre-shared key authentication.
   Command: pre-shared-key [ cipher key ]
   Remarks: Configure either step 5 or step 6, according to the authentication method used by the IKE proposal.

6. Configure the PKI domain for digital signature authentication.
   Command: certificate domain domain-name
   Remarks: See step 5.

7. Select the ID type for IKE negotiation phase 1.
   Command: id-type { ip | name | user-fqdn }
   Remarks: Optional. The default is ip.

8. Configure the names of the two ends.
   Commands:
     • Specify a name for the local security gateway: local-name name
     • Configure the name of the remote security gateway: remote-name name
   Remarks: Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.
   The remote gateway name configured with the remote-name command on the local gateway must be identical to the local name configured with the local-name command on the peer.

9. Configure the IP addresses of the two ends.
   Commands:
     • Specify an IP address for the local gateway: local-address ip-address
     • Configure the IP addresses of the remote gateway: remote-address { hostname [ dynamic ] | low-ip-address [ high-ip-address ] }
   Remarks: Optional. By default, the local address is the primary IP address of the interface that references the security policy.
   The remote IP address configured with the remote-address command on the local gateway must be identical to the local IP address configured with the local-address command on the peer.

10. Enable the NAT traversal function for IPsec/IKE.
    Command: nat traversal
    Remarks: Optional. Disabled by default.

11. Apply a DPD detector to the IKE peer.
    Command: dpd dpd-name
    Remarks: Optional. No DPD detector is applied to an IKE peer by default.
    For more information about DPD configuration, see "Configuring a DPD detector."


NOTE:

After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
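The following worked example is added here and is not part of the original documentation. It configures the IKE peer on both gateways of a site-to-site tunnel with pre-shared key authentication and the default ip ID type, so that the address pairing rule from step 9 can be checked by eye: each gateway's local-address is the other gateway's remote-address. All names, addresses and the key are constructed placeholders; it assumes an IKE proposal numbered 1 and a DPD detector named DPD-1 have already been created in system view (as described elsewhere in this chapter), and lines beginning with # are explanatory comments rather than CLI input.

```text
# Gateway A (constructed example; addresses and key are placeholders)
system-view
ike peer TO-GW-B
 exchange-mode main
 proposal 1
 pre-shared-key cipher EXAMPLE-PSK-CHANGE-ME
 id-type ip
 local-address 192.0.2.1
 remote-address 198.51.100.1
 nat traversal
 dpd DPD-1
 quit
quit

# Gateway B: the mirror image of A. Its local-address equals A's remote-address,
# its remote-address equals A's local-address, and the pre-shared key is identical.
system-view
ike peer TO-GW-A
 exchange-mode main
 proposal 1
 pre-shared-key cipher EXAMPLE-PSK-CHANGE-ME
 id-type ip
 local-address 198.51.100.1
 remote-address 192.0.2.1
 nat traversal
 dpd DPD-1
 quit
quit

# After modifying either peer, clear the existing SAs on that gateway (user view)
# so that the next negotiation does not fail against stale IKE or IPsec SAs.
reset ipsec sa
reset ike sa
```

If the peers used name identities instead (step 8), the same mirroring applies: the remote-name on one gateway must equal the local-name on the other. Mismatched addresses, names or pre-shared keys are the usual cause of a phase 1 negotiation that never completes, and because the key is the only secret in this configuration, it should be a long random value distributed out of band rather than the placeholder shown.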