Configuring an IKEv2 policy
About IKEv2 policy selection mechanism
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.
If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that matches the IP address of the local security gateway. If no IKEv2 policy matches that IP address, or the matching policy references an incomplete proposal, the IKE_SA_INIT exchange fails.
If no IKEv2 policy is configured, IKEv2 uses the system default IKEv2 policy, which is named default.
The device matches IKEv2 policies in the descending order of their priorities. To determine the priority of an IKEv2 policy:
First, the device checks whether the match local address command is configured. An IKEv2 policy with the match local address command configured has a higher priority.
If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority number has a higher priority.
If a tie still exists, the device prefers an IKEv2 policy configured earlier.
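The following Python model of the selection rules above is an added example, not vendor code; it applies the three tie-break rules to a constructed set of policies and shows that a policy with no proposal specified wins the match but then fails IKE_SA_INIT. The proposal name referenced by the system default policy is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Ikev2Policy:
    name: str
    order: int                           # configuration order; lower means configured earlier
    local_address: Optional[str] = None  # 'match local address'; None means any local address
    proposal: Optional[str] = None       # referenced IKEv2 proposal; None means none specified
    priority: int = 100                  # 'priority' command; 100 by default

# Assumption (not stated on the page): the system default policy references a
# complete IKEv2 proposal that is also named 'default'.
DEFAULT_POLICY = Ikev2Policy(name="default", order=0, proposal="default")

def rank_key(p: Ikev2Policy):
    """Device ordering: explicit 'match local address' first, then the smaller
    priority number, then the policy configured earlier."""
    return (p.local_address is None, p.priority, p.order)

def select_policy(policies: List[Ikev2Policy], local_ip: str,
                  complete_proposals: Set[str]) -> Optional[Ikev2Policy]:
    """Return the policy chosen during IKE_SA_INIT, or None when the exchange
    fails (no matching policy, or the chosen policy's proposal is incomplete)."""
    if not policies:                       # nothing configured: system default policy
        policies = [DEFAULT_POLICY]
    # A policy without 'match local address' matches any local address.
    candidates = [p for p in policies
                  if p.local_address is None or p.local_address == local_ip]
    if not candidates:
        return None
    chosen = min(candidates, key=rank_key)
    if chosen.proposal is None or chosen.proposal not in complete_proposals:
        return None                        # incomplete proposal: IKE_SA_INIT fails
    return chosen

# Constructed sample configuration (not from the page).
SAMPLE = [
    Ikev2Policy("site-any", order=1, proposal="prop1"),
    Ikev2Policy("site-a", order=2, local_address="10.1.1.1", proposal="prop1", priority=200),
    Ikev2Policy("site-b", order=3, proposal="prop1", priority=50),
    Ikev2Policy("broken", order=4, local_address="10.1.1.9"),  # proposal never specified
]

if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.1.1.2", "10.1.1.9"):
        p = select_policy(SAMPLE, ip, {"prop1", "default"})
        print(ip, "->", p.name if p else "IKE_SA_INIT fails")
```

Note that for 10.1.1.9 the explicit but incomplete policy "broken" outranks two usable policies, so the exchange fails rather than falling back to them.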
Procedure
Enter system view.
system-view
Create an IKEv2 policy and enter its view.
ikev2 policy policy-name
By default, an IKEv2 policy named default exists.
Specify the local interface or address used for IKEv2 policy matching.
match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }
By default, no local interface or address is used for IKEv2 policy matching, and the policy matches any local interface or address.
Specify a VPN instance for IKEv2 policy matching.
match vrf { name vrf-name | any }
By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches all local addresses in the public network.
Specify an IKEv2 proposal for the IKEv2 policy.
proposal proposal-name
By default, no IKEv2 proposal is specified for an IKEv2 policy.
Specify a priority for the IKEv2 policy.
priority priority
By default, the priority of an IKEv2 policy is 100.