Configuring an IKE peer
For an IPsec policy that uses IKE, you must configure an IKE peer by performing the following tasks:
Specify the IKE negotiation mode (main mode) for the local end to use in IKE negotiation phase 1. When acting as the IKE negotiation responder, the local end uses the IKE negotiation mode of the remote end.
Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When acting as the responder, the local end uses the IKE proposals configured in system view for negotiation.
Configure a pre-shared key for pre-shared key authentication or a PKI domain for digital signature authentication.
Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key authentication, the ID type must be IP address for main mode IKE negotiation.
Specify the name or IP address of the local security gateway. You perform this task only when you want to specify a special address, for example, a loopback interface address, as the local security gateway address.
Specify the name or IP address of the remote security gateway. For the local end to initiate IKE negotiation, you must specify the name or IP address of the remote security gateway on the local end so the local end can find the remote end.
Enable NAT traversal. If there is a NAT gateway on the tunnel path, you must configure NAT traversal at both ends of the IPsec tunnel, because one end may use a public address while the other end uses a private address.
Specify the dead peer detection (DPD) detector for the IKE peer.
To configure an IKE peer:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Create an IKE peer and enter IKE peer view. | ike peer peer-name | N/A
3. Specify the IKE negotiation mode for phase 1. | exchange-mode main | Optional. The default is main.
4. Specify the IKE proposals for the IKE peer to reference. | proposal proposal-number&<1-6> | Optional. By default, an IKE peer references no IKE proposals, and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.
5. Configure the pre-shared key for pre-shared key authentication. | pre-shared-key [ cipher key ] | Configure either step 5 or step 6, according to the authentication method of the IKE proposal.
6. Configure the PKI domain for digital signature authentication. | certificate domain domain-name | See the remark for step 5.
7. Select the ID type for IKE negotiation phase 1. | id-type { ip \| name \| user-fqdn } | Optional. ip by default.
8. Configure the names of the two ends. | local-name name and remote-name name | Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used. The remote gateway name configured with the remote-name command on the local gateway must be identical to the local name configured with the local-name command on the peer.
9. Configure the IP addresses of the two ends. | local-address ip-address and remote-address { hostname \| low-ip-address [ high-ip-address ] } | Optional. By default, the local address is the primary IP address of the interface referencing the security policy. The remote IP address configured with the remote-address command on the local gateway must be identical to the local IP address configured with the local-address command on the peer.
10. Enable the NAT traversal function for IPsec/IKE. | nat traversal | Optional. Disabled by default.
11. Apply a DPD detector to the IKE peer. | dpd dpd-name | Optional. No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "Configuring a DPD detector."

NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
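The following is an added example, not part of the original guide, that walks through the steps above on both security gateways of one tunnel so that the mirroring rules in steps 8 and 9 are visible side by side. It assumes that IKE proposal 10 and DPD detector dpd1 have already been created (as described in "Configuring a DPD detector" and the IKE proposal section), that the gateway names GatewayA/GatewayB, the documentation addresses 203.0.113.1 and 198.51.100.1, and the key value EXAMPLE-PSK are placeholders you replace with your own, and that lines beginning with # are annotations rather than commands.

```text
# ---- Gateway A (public address 203.0.113.1) ----
<GatewayA> system-view
[GatewayA] ike peer to-gwb
# Step 3: main mode; with pre-shared key authentication the ID type must be ip (step 7).
[GatewayA-ike-peer-to-gwb] exchange-mode main
[GatewayA-ike-peer-to-gwb] id-type ip
# Step 4: reference IKE proposal 10 (assumed to exist).
[GatewayA-ike-peer-to-gwb] proposal 10
# Step 5: pre-shared key authentication; the same key must be set on GatewayB.
[GatewayA-ike-peer-to-gwb] pre-shared-key EXAMPLE-PSK
# Step 9: local-address here must equal remote-address on GatewayB, and vice versa.
[GatewayA-ike-peer-to-gwb] local-address 203.0.113.1
[GatewayA-ike-peer-to-gwb] remote-address 198.51.100.1
# Step 10: required on BOTH ends when a NAT device sits on the tunnel path.
[GatewayA-ike-peer-to-gwb] nat traversal
# Step 11: apply DPD detector dpd1 (assumed to exist).
[GatewayA-ike-peer-to-gwb] dpd dpd1
[GatewayA-ike-peer-to-gwb] quit

# ---- Gateway B (public address 198.51.100.1), mirror image of Gateway A ----
<GatewayB> system-view
[GatewayB] ike peer to-gwa
[GatewayB-ike-peer-to-gwa] exchange-mode main
[GatewayB-ike-peer-to-gwa] id-type ip
[GatewayB-ike-peer-to-gwa] proposal 10
[GatewayB-ike-peer-to-gwa] pre-shared-key EXAMPLE-PSK
[GatewayB-ike-peer-to-gwa] local-address 198.51.100.1
[GatewayB-ike-peer-to-gwa] remote-address 203.0.113.1
[GatewayB-ike-peer-to-gwa] nat traversal
[GatewayB-ike-peer-to-gwa] dpd dpd1
[GatewayB-ike-peer-to-gwa] quit

# After changing either peer, clear stale SAs on that gateway or re-negotiation fails (see NOTE).
[GatewayA] reset ipsec sa
[GatewayA] reset ike sa
```

The two peer definitions are deliberately symmetric: every value that one gateway calls "local" (address, and name if step 8 is used) is the value the other gateway calls "remote", the pre-shared key is identical on both sides, and nat traversal is enabled on both, since the end behind the NAT device cannot be detected by only one side. If you later switch the proposal to digital signature authentication, replace the pre-shared-key line with certificate domain and the id-type restriction to ip no longer applies.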