R2511-HP MSR Router Series Security Command Reference(V5)

Usage guidelines
For the device to work as an initiator, you must configure the peer's host name, host IP address, or
address range. For the device to work as a responder, you must configure the peer's host IP address,
address range, or ID.
Examples
# Create an IKEv2 keyring named keyr1.
<Sysname> system-view
[Sysname] ikev2 keyring keyr1
# Create a peer named peer1 for the keyring, configure the IP address range 3.3.3.0/24 as the identity
information of the peer, and set the pre-shared key to abcdef.
[Sysname-ikev2-keyring-keyr1] peer peer1
[Sysname-ikev2-keyring-keyr1-peer-peer1] address 3.3.3.0 255.255.255.0
[Sysname-ikev2-keyring-keyr1-peer-peer1] pre-shared-key abcdef
# Create a peer named peer2 for the keyring, configure the host IP address 3.3.3.3 as the identity
information of the peer, and set the pre-shared key to 123456.
[Sysname-ikev2-keyring-keyr1] peer peer2
[Sysname-ikev2-keyring-keyr1-peer-peer2] address 3.3.3.3 255.255.255.255
[Sysname-ikev2-keyring-keyr1-peer-peer2] pre-shared-key 123456
With the previous configuration, when the device searches for a peer using the IP address 3.3.3.3 as
the matching criterion, it first finds a fuzzy match (peer1), then finds an exact match (peer2), and
uses the pre-shared key of peer2, 123456.
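The lookup described above, modelled as an added Python example (not HP code and not part of the original reference): it parses the keyring commands from this example, returns the peer selected for a remote address, and lists host entries that sit inside a configured range. The function names and the tie-break among several overlapping ranges (longest prefix) are assumptions; the page only states that the exact match is used over the fuzzy match.

```python
import ipaddress

# Constructed sample: the keyring commands from the example above, prompts removed.
SAMPLE_CONFIG = """\
ikev2 keyring keyr1
 peer peer1
  address 3.3.3.0 255.255.255.0
  pre-shared-key abcdef
 peer peer2
  address 3.3.3.3 255.255.255.255
  pre-shared-key 123456
"""

def parse_keyring(text):
    """Return one {'name', 'net', 'key'} dict per peer block in the config text."""
    peers, current = [], None
    for line in text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "peer":
            current = {"name": words[1], "net": None, "key": None}
            peers.append(current)
        elif current and len(words) == 3 and words[0] == "address":
            # "address <ip> <mask>": a 255.255.255.255 mask yields a /32 host entry.
            current["net"] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif current and len(words) == 2 and words[0] == "pre-shared-key":
            current["key"] = words[1]
    return peers

def select_peer(peers, remote_ip):
    """Pick the peer for remote_ip: an exact host entry beats a range entry."""
    ip = ipaddress.ip_address(remote_ip)
    matches = [p for p in peers if p["net"] is not None and ip in p["net"]]
    # Assumption: among several matching ranges the longest prefix is preferred.
    return max(matches, key=lambda p: p["net"].prefixlen, default=None)

def overlaps(peers):
    """Return (narrow, wide) peer-name pairs where one address range contains another."""
    nets = [p for p in peers if p["net"] is not None]
    return [(a["name"], b["name"]) for a in nets for b in nets
            if a is not b and a["net"] != b["net"] and a["net"].subnet_of(b["net"])]

if __name__ == "__main__":
    keyring = parse_keyring(SAMPLE_CONFIG)
    for addr in ("3.3.3.3", "3.3.3.4", "4.4.4.4"):
        peer = select_peer(keyring, addr)
        print(addr, "->", peer["name"] if peer else "no matching peer")
    print("overlapping entries:", overlaps(keyring))
```

Running the overlap check over a keyring shows which remote addresses fall back to the range-wide key when no host entry exists for them.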
Related commands
peer (IKEv2 keyring view)
address
hostname
identity
ikev2 limit
Use ikev2 limit to set the maximum number of half-open IKEv2 SAs and the maximum number of
established IKEv2 SAs.
Use undo ikev2 limit to restore the defaults.
Syntax
ikev2 limit { max-in-negotiation-sa | max-sa } limit
undo ikev2 limit { max-in-negotiation-sa | max-sa }
Default
The maximum number of half-open IKEv2 SAs is 1000, and the maximum number of established IKEv2
SAs is 10000.
Views
System view
Default command level
2: System level