R2511-HP MSR Router Series Security Configuration Guide(V5)
Step 2. Create an IKEv2 profile and enter IKEv2 profile view.
  Command: ikev2 profile profile-name
  Remarks: By default, no IKEv2 profile exists.

Step 3. Configure the local or remote identity authentication method.
  Command: authentication { local | remote } { pre-share | rsa-sig }
  Remarks: Optional.
    By default, both the local end and remote end use the pre-shared key authentication method.
    You can specify only one local identity authentication method but can specify multiple remote identity authentication methods.

Step 4. Configure the local identity information.
  Command: identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id }
  Remarks: By default, no local identity information is configured.
    With the RSA digital signature authentication method, you can configure any type of identity information. With the pre-shared key authentication method, you cannot configure a DN as the identity information.

Step 5. Specify a keyring.
  Command: keyring keyring-name
  Remarks: Required when either or both peers use the pre-shared key authentication method.
    By default, an IKEv2 profile references no keyring.
    An IKEv2 profile can reference only one keyring.

Step 6. Specify the IKEv2 profile matching criteria.
  Command: match { address local { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address } | certificate access-control-policy string | identity remote { address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ mask ] } | email email-string | fqdn fqdn-name | key-id key-id } }
  Remarks: Required for the device to work as a responder. When working as the responder, the device uses these criteria to search for an IKEv2 profile.
    An initiator does not require this configuration. It uses the IKEv2 profile specified in the IPsec policy.
    By default, no IKEv2 profile matching criterion is configured.
    If you specify multiple matching criteria for an IKEv2 profile, the match must meet one criterion of each specified type.
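
The remarks for steps 3 to 6 can be checked mechanically before a profile is deployed. The Python lint below is an added example, not HP's code: it reads a profile stanza written with the commands listed above and reports violations of those remarks. The profile name, FQDN and keyring names are constructed, and it assumes that an end with no configured method falls back to the stated pre-share default and that the DN restriction applies to the local method.

```python
# Added example: lint one "ikev2 profile" stanza against the remarks in the table.
# Profile names, FQDNs and keyring names below are constructed sample values.

def lint_ikev2_profile(stanza, responder=True):
    """Return a list of findings for a single IKEv2 profile stanza."""
    auth = {"local": set(), "remote": set()}
    keyrings, local_id_type, has_match = set(), None, False
    for line in stanza.splitlines():
        w = line.split()
        if len(w) == 3 and w[0] == "authentication" and w[1] in auth:
            auth[w[1]].add(w[2])
        elif len(w) >= 3 and w[:2] == ["identity", "local"]:
            local_id_type = w[2]
        elif len(w) == 2 and w[0] == "keyring":
            keyrings.add(w[1])
        elif w and w[0] == "match":
            has_match = True

    findings = []
    if len(auth["local"]) > 1:
        findings.append("more than one local authentication method")
    # Stated default: an end with no configured method uses pre-share.
    local = auth["local"] or {"pre-share"}
    remote = auth["remote"] or {"pre-share"}
    if "pre-share" in local and local_id_type == "dn":
        findings.append("DN identity used with pre-shared key authentication")
    if "pre-share" in (local | remote) and not keyrings:
        findings.append("pre-share in use but no keyring referenced")
    if len(keyrings) > 1:
        findings.append("more than one keyring referenced")
    if responder and not has_match:
        findings.append("responder profile has no match criterion")
    return findings

PSK_WITH_DN = """ikev2 profile branch1
 identity local dn
 match identity remote fqdn hub.example.com
"""
RSA_SIG = """ikev2 profile branch1
 authentication local rsa-sig
 authentication remote rsa-sig
 identity local dn
 match identity remote fqdn hub.example.com
"""

if __name__ == "__main__":
    for name, text in (("PSK_WITH_DN", PSK_WITH_DN), ("RSA_SIG", RSA_SIG)):
        print(name, lint_ikev2_profile(text) or "ok")
```

The first stanza relies on the pre-share default, so it is flagged for both the DN identity and the missing keyring; the second sets RSA signatures on both ends and passes.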










