R21xx-HP FlexFabric 11900 Security Configuration Guide
b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority
number has a higher priority.
c. If a tie still exists, the device prefers an IKE profile configured earlier.
To configure an IKE profile:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKE profile and enter its view.
  Command: ike profile profile-name
  Remarks: By default, no IKE profile is configured.

Step 3. Configure a peer ID.
  Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
  Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.

Step 4. Specify the keychain for pre-shared key authentication.
  Command: keychain keychain-name
  Remarks: By default, no IKE keychain is specified for an IKE profile.

Step 5. Specify the IKE negotiation mode for phase 1.
  Command: exchange-mode { aggressive | main }
  Remarks: By default, the main mode is used during IKE negotiation phase 1. This command is only applicable to non-FIPS mode. In FIPS mode, the IKE negotiation mode for IKE negotiation phase 1 is fixed to the main mode.

Step 6. Specify the IKE proposals for the IKE profile to reference.
  Command: proposal proposal-number&<1-6>
  Remarks: By default, an IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.

Step 7. Configure the local ID.
  Command: local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
  Remarks: By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view. If no local ID is configured in system view either, the IP address of the interface that the IPsec policy or IPsec policy template is applied to is used as the local ID.
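
The following audit script is an added example, not part of the HP guide. It reads a saved configuration and reports, for each IKE profile, which of the defaults and restrictions listed in the steps above apply. The configuration layout (one-space indentation for profile-view lines, "#" between sections) and all names and addresses in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of a saved configuration; names and
# addresses are made up. One-space indentation marks profile-view lines.
SAMPLE = """\
ike profile branch1
 keychain kc1
 exchange-mode aggressive
 match remote identity address 192.0.2.10 255.255.255.255
 proposal 1 2
#
ike profile branch2
 local-identity fqdn hq.example.com
#
"""

def parse_profiles(config):
    """Return {profile-name: [commands entered in that profile's view]}."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ike profile (\S+)\s*$", line)
        if m:
            current = profiles.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '#' or any top-level line closes the view
    return profiles

def audit(config):
    """Return {profile-name: [findings]} based on the defaults in the steps."""
    report = {}
    for name, cmds in parse_profiles(config).items():
        has = lambda kw: any(c.startswith(kw) for c in cmds)
        findings = []
        if not has("match remote "):
            findings.append("no peer ID (match remote)")
        if not has("keychain "):
            findings.append("no keychain for pre-shared key authentication")
        if "exchange-mode aggressive" in cmds:
            findings.append("aggressive mode (not accepted in FIPS mode)")
        if not has("proposal "):
            findings.append("no proposal: system-view IKE proposals are used")
        if not has("local-identity "):
            findings.append("no local ID: system-view ID or interface IP is used")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

A missing keychain is only a problem when the profile is meant to use pre-shared key authentication, so treat that finding as a prompt to check the intended authentication method.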










