Configuring the global identity information
Follow these guidelines when you configure the global identity information for the local IKE:
- The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile.
- When signature authentication is used, you can set any type of the identity information.
- When pre-shared key authentication is used, you cannot set the DN as the identity.
To configure the global identity information:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the global identity to be used by the local end. | ike identity { address { ipv4-address \| ipv6 ipv6-address } \| dn \| fqdn [ fqdn-name ] \| user-fqdn [ user-fqdn-name ] } | By default, the IP address of the interface to which the IPsec policy or IPsec policy template is applied is used as the IKE identity. |
3. (Optional.) Configure the local device to always obtain the identity information from the local certificate for signature authentication. | ike signature-identity from-certificate | By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication. Configure this command when the aggressive mode and signature authentication are used and the device interconnects with a Comware 5-based peer device. Comware 5 supports only DN for signature authentication. |
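
The following pre-deployment check is an added example, not part of the original documentation or any vendor tool. It parses the `ike identity` syntax from the table and applies the two constraints stated on this page. The function names and the `auth_method`, `aggressive` and `peer_comware5` parameters are assumptions of the example, and the authentication method is passed in by the caller rather than read from the configuration.

```python
import ipaddress

def parse_ike_identity(line):
    """Parse one 'ike identity' line per the syntax in the table; raise ValueError if malformed."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["ike", "identity"]:
        raise ValueError("identity type missing")
    kind, args = tokens[2], tokens[3:]
    if kind == "address":
        if len(args) == 1:
            return "ipv4", str(ipaddress.IPv4Address(args[0]))
        if len(args) == 2 and args[0] == "ipv6":
            return "ipv6", str(ipaddress.IPv6Address(args[1]))
        raise ValueError("expected ipv4-address or 'ipv6 ipv6-address'")
    if kind == "dn":
        if args:
            raise ValueError("dn takes no argument")
        return "dn", None
    if kind in ("fqdn", "user-fqdn"):
        if len(args) > 1:
            raise ValueError(f"{kind} takes at most one name")
        return kind, (args[0] if args else None)
    raise ValueError(f"unknown identity type '{kind}'")

def audit(config, auth_method, aggressive=False, peer_comware5=False):
    """Return findings for a config snippet. auth_method is 'pre-share' or
    'signature' (labels chosen for this example, not parsed from the config)."""
    identity = ("interface-address", None)  # default stated in the Remarks column
    from_cert, findings = False, []
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens == ["ike", "signature-identity", "from-certificate"]:
            from_cert = True
        elif tokens[:2] == ["ike", "identity"]:
            try:
                identity = parse_ike_identity(raw)
            except ValueError as exc:
                findings.append(f"invalid '{raw.strip()}': {exc}")
    if auth_method == "pre-share" and identity[0] == "dn":
        findings.append("DN identity cannot be used with pre-shared key authentication")
    # Applied literally as the page states it: the command is called for whenever
    # aggressive mode + signature authentication meet a Comware 5-based peer.
    if auth_method == "signature" and aggressive and peer_comware5 and not from_cert:
        findings.append("Comware 5 peer: configure ike signature-identity from-certificate")
    return findings

if __name__ == "__main__":
    sample = "ike identity dn\n"  # constructed sample, not from a real device
    print(audit(sample, "pre-share"))
```
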