Configuring an IKE keychain
About IKE keychain
Perform this task when you configure the IKE to use the pre-shared key for authentication.
Follow these guidelines when you configure an IKE keychain:
Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
You can specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
The device determines the priority of an IKE keychain as follows:
The device examines the existence of the match local address command. An IKE keychain with the match local address command configured has a higher priority.
If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority.
If a tie still exists, the device prefers an IKE keychain configured earlier.
Procedure
Enter system view.
system-view
Create an IKE keychain and enter its view.
ike keychain keychain-name [ vpn-instance vpn-instance-name ]
Configure a pre-shared key.
In non-FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher | simple } string
In FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher string ]
By default, no pre-shared key is configured.
(Optional.) Specify a local interface or IP address to which the IKE keychain can be applied.
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
By default, an IKE keychain can be applied to any local interface or IP address.
(Optional.) Specify a priority for the IKE keychain.
priority priority
The default priority is 100.