R2511-HP MSR Router Series Security Command Reference(V5)

Parameters
max-in-negotiation-sa limit: Specifies the maximum number of half-open IKEv2 SAs, in the range of 1 to 2000. IKEv2 SAs that are being rekeyed are not counted toward this limit.
max-sa limit: Specifies the maximum number of established IKEv2 SAs at the local end, in the range of 100 to 20000. A rekeyed IKEv2 SA is not counted toward this limit if the old SA it replaces is already counted.
Examples
# Set the maximum number of half-open IKEv2 SAs to 100.
<Sysname> system-view
[Sysname] ikev2 limit max-in-negotiation-sa 100
# Set the maximum number of established IKEv2 SAs to 5000.
<Sysname> system-view
[Sysname] ikev2 limit max-sa 5000
ikev2 policy
Use ikev2 policy to create an IKEv2 policy and enter IKEv2 policy view.
Use undo ikev2 policy to delete an IKEv2 policy.
Syntax
ikev2 policy policy-name
undo ikev2 policy policy-name
Default
The device has a system-predefined IKEv2 policy named default. This policy uses the default IKEv2 proposal and matches any local address.
Views
System view
Default command level
2: System level
Parameters
policy-name: Specifies the IKEv2 policy name, a case-insensitive string of 1 to 32 characters. The name cannot be default.
Usage guidelines
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion. An IKEv2 policy uses IKEv2 proposals to specify the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups to be used for negotiation.
An IKEv2 policy must have at least one IKEv2 proposal to be complete.
An IKEv2 policy can have multiple IKEv2 proposals and multiple local IP addresses for policy matching.
An IKEv2 policy with no local IP address configured for policy matching matches any local IP address.
If two IKEv2 policies have the same configuration, the one configured earlier has the higher priority.
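The following added example (not from the command reference or the device firmware) models the policy-selection rules stated above in Python: a policy is matched on the local gateway address, a policy with no local address matches any address, a policy without a proposal is incomplete and is skipped, and among policies that match equally the one configured earlier wins. The policy and address names are constructed, and the assumption that configuration order is the only tie-breaker is taken directly from this page; the system-predefined default policy is left out of the model because the page does not state where it sits in that order.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

# Ranges stated in the ikev2 limit command reference.
MAX_IN_NEGOTIATION_SA_RANGE = (1, 2000)
MAX_SA_RANGE = (100, 20000)


def validate_policy_name(name: str) -> bool:
    """1 to 32 characters, case-insensitive, and not the reserved name 'default'."""
    return 1 <= len(name) <= 32 and name.lower() != "default"


def validate_limit(value: int, valid_range: tuple) -> bool:
    """True when value lies inside the inclusive range the command accepts."""
    lo, hi = valid_range
    return lo <= value <= hi


@dataclass
class Ikev2Policy:
    """Hypothetical model of one user-configured IKEv2 policy (not the device's data structure)."""
    name: str
    proposals: List[str] = field(default_factory=list)        # IKEv2 proposal names
    local_addresses: List[str] = field(default_factory=list)  # empty = matches any local address

    def is_complete(self) -> bool:
        return bool(self.proposals)  # at least one proposal is required

    def matches(self, local_ip: str) -> bool:
        if not self.local_addresses:
            return True
        return ip_address(local_ip) in {ip_address(a) for a in self.local_addresses}


def select_policy(policies: List[Ikev2Policy], local_ip: str) -> Optional[Ikev2Policy]:
    """Walk policies in configuration order (earlier = higher priority) and return the
    first complete policy whose local-address criterion matches local_ip, or None."""
    for policy in policies:
        if policy.is_complete() and policy.matches(local_ip):
            return policy
    return None


# Constructed configuration: a catch-all policy entered before an address-specific one.
SHADOWING_CONFIG = [
    Ikev2Policy("catch-all", proposals=["prop1"]),
    Ikev2Policy("hub-only", proposals=["prop1"], local_addresses=["192.0.2.1"]),
]


def shadowed_policy_name(local_ip: str = "192.0.2.1") -> str:
    """Shows that the earlier catch-all policy is chosen even for the hub's own address."""
    return select_policy(SHADOWING_CONFIG, local_ip).name
```

Because the earlier policy wins whenever both match, an any-address policy configured before an address-specific one silently shadows it; configure the specific policies first.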