R2511-HP MSR Router Series Security Command Reference(V5)

Parameters
address local: Uses the local identity information for IKEv2 profile matching. A responder using the RSA
digital signature authentication method uses its local identity information to search for an IKEv2 profile
and to initiate the certificate request. When the device works as a responder and uses the RSA digital
signature authentication method, you must specify this keyword and the interface or IP address you
specified for this keyword must be the interface to which the IPsec policy is applied, or the primary
address of the interface.
  ipv4-address: Specifies a local IPv4 address.
  ipv6-address: Specifies a local IPv6 address.
  interface interface-type interface-number: Specifies a local interface.
certificate access-control-policy string: Uses a certificate access control policy and the subject name in
the initiator's digital certificate for IKEv2 profile matching. A match is found when the subject name meets
the certificate access control policy. The string argument is a string of 1 to 32 characters. For more
information about the certificate and certificate access control policy, see the Security Configuration
Guide.
identity remote: Uses the remote identity information for IKEv2 profile matching. A responder uses the
configured remote identity information to search for an IKEv2 profile. A match is found when the identity
information configured on the initiator by using the identity local command meets this matching criterion.
  address ipv4-address [ mask-length ]: Specifies a remote IPv4 address or address range. The mask
  length is in the range of 1 to 32.
  ipv6 ipv6-address [ prefix-length ]: Specifies a remote IPv6 address or address range. The prefix
  length is in the range of 0 to 128.
  email email-string: Specifies a remote email address, a case-sensitive string of 1 to 255 characters
  in the format defined by RFC 822, such as sec@test.com.
  fqdn fqdn-name: Specifies a remote FQDN, a case-sensitive string of 1 to 255 characters, such as
  www.test.com.
  key-id key-id: Specifies a remote key ID, a case-sensitive string of 1 to 255 characters. It is usually
  a vendor-specific string for doing proprietary types of identification.
Usage guidelines
This configuration is only required on an IKEv2 negotiation responder. A responder uses its IKEv2 profile
matching criteria to search for an IKEv2 profile. The initiator does not require this configuration; it uses
the IKEv2 profile specified in the IPsec policy.
You can specify multiple matching criteria for an IKEv2 profile. Criteria of the same type are ORed,
whereas those of different types are ANDed. A match must meet one criterion of each specified type.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Configure the IKEv2 profile matching criteria.
[Sysname-ikev2-profile-profile1] match address local 3.3.3.3
[Sysname-ikev2-profile-profile1] match address local 4.4.4.4
[Sysname-ikev2-profile-profile1] match identity remote fqdn www.test.com
With this configuration, a match must use the local IP address 3.3.3.3 or 4.4.4.4, and the remote
FQDN www.test.com.
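The selection rule in the usage guidelines (criteria of the same type are ORed, criteria of different types are ANDed, and a mask length turns a remote address criterion into a range match) is modelled below in an added Python example that is not part of the command reference and is not the router's own code; the profile table, the peer records and the "kind:value" identity encoding are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed responder-side profiles (hypothetical data, not from the page).
# Each criterion is (type, value); the types mirror the "match address local"
# and "match identity remote" keywords of the command.
PROFILES: Dict[str, List[Tuple[str, str]]] = {
    "profile1": [
        ("address_local", "3.3.3.3"),
        ("address_local", "4.4.4.4"),
        ("identity_remote", "fqdn:www.test.com"),
    ],
    "profile2": [
        ("address_local", "3.3.3.3"),
        ("identity_remote", "address:10.1.0.0/16"),  # range via mask length
    ],
}

def criterion_matches(ctype: str, value: str, peer: Dict[str, str]) -> bool:
    """Evaluate one criterion against the negotiation's local address and the
    initiator's identity, encoded here as 'fqdn:host', 'email:addr',
    'key-id:str' or 'address:ip'."""
    if ctype == "address_local":
        return peer["local_address"] == value
    want_kind, _, want = value.partition(":")
    got_kind, _, got = peer["remote_identity"].partition(":")
    if want_kind != got_kind:
        return False
    if want_kind == "address":
        # With a mask length the criterion covers a whole address range.
        return ip_address(got) in ip_network(want, strict=False)
    return got == want  # fqdn / email / key-id are exact, case-sensitive

def select_profiles(peer: Dict[str, str], profiles=PROFILES) -> List[str]:
    """Return the profiles the peer satisfies: every criterion type present
    in the profile must be met (AND), by any one value of that type (OR)."""
    matched = []
    for name, criteria in profiles.items():
        by_type: Dict[str, List[str]] = {}
        for ctype, value in criteria:
            by_type.setdefault(ctype, []).append(value)
        if all(any(criterion_matches(t, v, peer) for v in values)
               for t, values in by_type.items()):
            matched.append(name)
    return matched
```

Running it with a peer that arrives on 3.3.3.3 and identifies as www.test.com returns only profile1, because profile2 requires an address-type remote identity.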