Configuring an IKEv2 keychain

About IKEv2 keychain

An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation.

An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host name, IP address or address range, or ID).

An IKEv2 negotiation initiator uses the peer host name or IP address/address range as the matching criterion to search for a peer. A responder uses the peer host IP address/address range or ID as the matching criterion to search for a peer.

Procedure

  1. Enter system view.

    system-view

  2. Create an IKEv2 keychain and enter its view.

    ikev2 keychain keychain-name

  3. Create an IKEv2 peer and enter its view.

    peer name

  4. Configure a host name for the peer.

    hostname name

    By default, no host name is configured for an IKEv2 peer.

  5. Configure a host IP address or address range for the peer.

    address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }

    By default, no host IP address or address range is configured for an IKEv2 peer.

    You must configure different host IP addresses/address ranges for different peers.

  6. Configure an ID for the peer.

    identity { address { ipv4-address | ipv6 ipv6-address } | fqdn fqdn-name | email email-string | key-id key-id-string }

    By default, no identity information is configured for an IKEv2 peer.

  7. Configure a pre-shared key for the peer.

    pre-shared-key [ local | remote ] { ciphertext | plaintext } string

    By default, an IKEv2 peer does not have a pre-shared key.
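The following is an added example that walks through the whole procedure above for a keychain with two peers; it is not taken from the original document. All keychain, peer and host names, the addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the key strings are assumed values. Lines beginning with `#` are explanatory comments and are not commands. The first peer uses one symmetric pre-shared key; the second uses an asymmetric pair, so the matching configuration on the other device is shown as well, with the local and remote keys swapped.

```text
# Device A: keychain with two peers (assumed names, addresses and keys)
system-view
ikev2 keychain kc-vpn
# Peer "hq": matched by host name or address (initiator), by address or ID (responder).
# One symmetric key is used in both directions.
peer hq
hostname hq-gw
address 203.0.113.10 255.255.255.255
identity address 203.0.113.10
pre-shared-key plaintext HQ-SharedKey-CHANGE-ME
quit
# Peer "partner": an address range instead of a single host, an FQDN as its ID,
# and an asymmetric key pair (one key per direction).
peer partner
address 198.51.100.0 24
identity fqdn vpn.partner.example
pre-shared-key local plaintext KeyAtoB-CHANGE-ME
pre-shared-key remote plaintext KeyBtoA-CHANGE-ME
quit
quit

# Device B (the "partner" side): the asymmetric keys are mirrored.
# Device A's local key is Device B's remote key, and vice versa.
system-view
ikev2 keychain kc-vpn
peer device-a
address 203.0.113.20 255.255.255.255
identity fqdn vpn.device-a.example
pre-shared-key local plaintext KeyBtoA-CHANGE-ME
pre-shared-key remote plaintext KeyAtoB-CHANGE-ME
quit
quit
```

The two address ranges on Device A (203.0.113.10/32 and 198.51.100.0/24) do not overlap, which satisfies the requirement in step 5 that different peers have different host IP addresses/address ranges. Device B's `identity fqdn` must equal the ID that Device A presents during negotiation, since a responder searches its keychain by the peer's address or ID.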