R2511-HP MSR Router Series Security Command Reference(V5)
Examples
# Create an IKEv2 keyring named keyr1.
<Sysname> system-view
[Sysname] ikev2 keyring keyr1
# Create an IKEv2 peer named peer1.
Related commands
• address
• hostname
• identity
• pre-shared-key (IKEv2 peer view)
pki domain (IKEv2 profile view)
Use pki domain to specify a PKI domain for an IKEv2 profile.
Use undo pki domain to remove a PKI domain specified for an IKEv2 profile.
Syntax
pki domain domain-name [ sign | verify ]
undo pki domain domain-name [ sign | verify ]
Views
IKEv2 profile view
Default command level
2: System level
Parameters
domain-name: Specifies the PKI domain name, a case-insensitive string of 1 to 15 characters.
sign: Uses the certificate of the PKI domain to generate a digital signature.
verify: Uses the certificate of the PKI domain to authenticate the digital signature of the peer.
Usage guidelines
If you specify no keyword in the pki domain command, the PKI domain is used for both purposes.
You can use the pki domain command repeatedly to specify a PKI domain for each purpose.
If the local end uses the RSA digital signature authentication method, you must configure a PKI domain
for certificate signing on the local end and a PKI domain for certificate verification on the remote end. If
the remote end uses the RSA digital signature authentication method, you must configure a PKI domain
for certificate signing on the remote end and a PKI domain for certificate verification on the local end.
Otherwise, IKEv2 negotiation will fail.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] pki domain pki-local sign
[Sysname-ikev2-profile-profile1] pki domain pki-remote verify
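The sign/verify pairing rule in the usage guidelines can be checked offline against a saved configuration before a tunnel fails to negotiate. The following Python script is an added example, not part of the HP reference; the saved-configuration layout (indented sub-commands, "#" separators), the sample text, and the function names are assumptions.

```python
import re

# Constructed sample: IKEv2 profile sections as they might appear in a saved
# configuration. The indented layout and "#" separators are assumptions.
SAMPLE_CONFIG = """\
ikev2 profile profile1
 pki domain pki-local sign
 pki domain PKI-Remote verify
#
ikev2 profile profile2
 pki domain pki-both
#
ikev2 profile profile3
 pki domain pki-local sign
#
"""

PROFILE_RE = re.compile(r"^ikev2 profile (\S+)\s*$")
PKI_RE = re.compile(r"^\s+pki domain (\S+)(?:\s+(sign|verify))?\s*$")


def pki_purposes(config_text):
    """Map each IKEv2 profile to the PKI domains it uses per purpose."""
    profiles, current = {}, None
    for line in config_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {"sign": [], "verify": []})
            continue
        if line and not line[0].isspace():
            current = None  # an unindented line ends the profile section
            continue
        m = PKI_RE.match(line)
        if m and current is not None:
            name = m.group(1).lower()  # domain names are case-insensitive
            if not 1 <= len(name) <= 15:
                raise ValueError(f"PKI domain name out of range: {name!r}")
            # No keyword means the domain is used for both purposes.
            for purpose in ([m.group(2)] if m.group(2) else ["sign", "verify"]):
                current[purpose].append(name)
    return profiles


def missing_purposes(purposes, local_rsa_sig=True, remote_rsa_sig=True):
    """Return the purposes a profile lacks for the RSA signature methods in use."""
    needed = [("sign", local_rsa_sig), ("verify", remote_rsa_sig)]
    return [p for p, required in needed if required and not purposes[p]]
```

Run `missing_purposes` once per end of the tunnel, swapping the `local_rsa_sig` and `remote_rsa_sig` arguments for the peer's configuration.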










