Configuring the global identity information

Restrictions and guidelines

The global identity can be used by the device for all IKE SA negotiations, whereas the local identity (set by the local-identity command in an IKE profile) is used only when the device uses that IKE profile.

When signature authentication is used, you can set any type of identity information.

When pre-shared key authentication is used, you cannot set the DN as the identity.

Procedure

  1. Enter system view.

    system-view

  2. Configure the global identity to be used by the local end.

    ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }

    By default, the IP address of the interface to which the IPsec policy or IPsec policy template is applied is used as the IKE identity.

  3. (Optional.) Configure the local device to always obtain the identity information from the local certificate for signature authentication.

    ike signature-identity from-certificate

    By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication.

    Configure this command when aggressive mode and signature authentication are used and the device interconnects with a Comware 5-based peer device. Comware 5 supports only DN for signature authentication.
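
The step 2 syntax and the pre-shared key restriction above can be checked offline before a configuration is applied. The following Python checker is an added example, not vendor code; the function names, the `auth` parameter and the sample configuration are assumptions made for illustration, because this page does not show where the authentication method is configured.

```python
import ipaddress

def parse_ike_identity(line):
    """Parse an 'ike identity' command into (type, value) per the step 2 syntax."""
    tok = line.split()
    if tok[:2] != ["ike", "identity"] or len(tok) < 3:
        raise ValueError("not a complete 'ike identity' command")
    kind, args = tok[2], tok[3:]
    if kind == "address":
        if len(args) == 1:                        # address ipv4-address
            return kind, str(ipaddress.IPv4Address(args[0]))
        if len(args) == 2 and args[0] == "ipv6":  # address ipv6 ipv6-address
            return kind, str(ipaddress.IPv6Address(args[1]))
        raise ValueError("expected ipv4-address or 'ipv6 ipv6-address'")
    if kind == "dn" and not args:                 # dn takes no argument
        return kind, None
    if kind in ("fqdn", "user-fqdn") and len(args) <= 1:  # name is optional
        return kind, args[0] if args else None
    raise ValueError("invalid identity: " + " ".join(tok[2:]))

def audit(config, auth):
    """Return (identity, findings). auth is 'pre-share' or 'signature'
    (hypothetical parameter; the method is configured elsewhere)."""
    identity = ("address", "interface-default")   # default stated in step 2
    from_cert = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ike identity"):
            identity = parse_ike_identity(line)
        elif line == "ike signature-identity from-certificate":
            from_cert = True
    findings = []
    if auth == "pre-share" and identity[0] == "dn":
        findings.append("DN identity cannot be used with pre-shared key authentication")
    if auth == "signature" and from_cert:
        identity = ("certificate", None)          # step 3: identity comes from the local certificate
    return identity, findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """
system-view
ike identity dn
ike signature-identity from-certificate
"""

if __name__ == "__main__":
    for method in ("pre-share", "signature"):
        print(method, audit(SAMPLE, method))
```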