R2511-HP MSR Router Series Security Configuration Guide(V5)

Step 7. Specify the PKI domains.
    Command: pki domain domain-name [ sign | verify ]
    Remarks: If the local end uses the RSA digital signature authentication method, you must configure a PKI domain for certificate signing on the local end and a PKI domain for certificate verification on the remote end. If the remote end uses the RSA digital signature authentication method, you must configure a PKI domain for certificate signing on the remote end and a PKI domain for certificate verification on the local end. By default, the existing PKI domains in the system are used to authenticate certificates.

Step 8. Configure the DPD function.
    Command: dpd interval { on-demand | periodic }
    Remarks: Optional. By default, IKEv2 DPD is disabled.

Step 9. Set the IKEv2 SA lifetime.
    Command: lifetime seconds
    Remarks: Optional. 86400 seconds by default.

Step 10. Set the IKEv2 NAT keepalive interval.
    Command: nat keepalive seconds
    Remarks: Optional. 10 seconds by default.

Step 11. Enable the device to accept the IP address allocation requests from IKEv2 negotiation initiators.
    Command: client configuration address respond
    Remarks: Optional. By default, the device does not accept the IP address allocation requests from initiators. This configuration is only intended for an IKEv2 negotiation responder.

Step 12. Enable the device to send IP address allocation requests.
    Command: connect auto
    Remarks: Optional. By default, the device does not send IP address allocation requests. This configuration is only intended for an IKEv2 negotiation initiator.

Step 13. Specify the local address pool.
    Command: { ip-pool | ipv6-pool } pool-name
    Remarks: Optional. By default, an IKEv2 profile references no address pool.

Step 14. Specify a mask length or prefix length for the address pool.
    Command: { ip-mask mask-length | ipv6-mask prefix-length }
    Remarks: Optional. By default, the mask length of a local IPv4 address pool referenced by an IKEv2 profile is 32, and the prefix length of a local IPv6 address pool referenced by an IKEv2 profile is 128.
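The following audit helper is an added example, not part of the HP guide: it resolves the effective settings of an IKEv2 profile from the commands in steps 7 to 14 using the defaults in the Remarks, and checks the sign/verify PKI domain pairing that step 7 requires between two peers. The function names, the sample domain and pool names, and the treatment of `pki domain` without a keyword as covering both roles are assumptions.

```python
# Defaults stated in the Remarks for steps 8-14; None means DPD is disabled.
DEFAULTS = {"dpd": None, "lifetime": 86400, "nat_keepalive": 10,
            "addr_respond": False, "connect_auto": False, "pool": None,
            "ip_mask": 32, "ipv6_mask": 128}

def effective_profile(lines):
    """Resolve one IKEv2 profile's effective settings from its command lines."""
    cfg = dict(DEFAULTS, pki_sign=[], pki_verify=[])
    for raw in lines:
        w = raw.split() or [""]  # tolerate blank lines
        if w[:2] == ["pki", "domain"] and len(w) >= 3:
            # Assumption: with neither keyword the domain serves both roles.
            role = w[3] if len(w) > 3 else "both"
            if role in ("sign", "both"):
                cfg["pki_sign"].append(w[2])
            if role in ("verify", "both"):
                cfg["pki_verify"].append(w[2])
        elif w[0] == "dpd":
            cfg["dpd"] = w[-1]  # on-demand or periodic
        elif w[0] == "lifetime" and len(w) == 2:
            cfg["lifetime"] = int(w[1])
        elif w[:2] == ["nat", "keepalive"] and len(w) == 3:
            cfg["nat_keepalive"] = int(w[2])
        elif w == ["client", "configuration", "address", "respond"]:
            cfg["addr_respond"] = True
        elif w == ["connect", "auto"]:
            cfg["connect_auto"] = True
        elif w[0] in ("ip-pool", "ipv6-pool") and len(w) == 2:
            cfg["pool"] = (w[0], w[1])
        elif w[0] in ("ip-mask", "ipv6-mask") and len(w) == 2:
            cfg[w[0].replace("-", "_")] = int(w[1])
    return cfg

def rsa_sig_gaps(signer, verifier, signer_name, verifier_name):
    """For an end that authenticates with RSA signatures, list the explicit
    PKI domains step 7 calls for that are missing on either end."""
    gaps = []
    if not signer["pki_sign"]:
        gaps.append(f"{signer_name}: no explicit PKI domain for signing")
    if not verifier["pki_verify"]:
        gaps.append(f"{verifier_name}: no explicit PKI domain for verification")
    return gaps

# Constructed sample profiles; domain and pool names are made up.
LOCAL = effective_profile(["pki domain hq-ca sign", "lifetime 28800", "connect auto"])
REMOTE = effective_profile(["pki domain branch-ca sign", "ip-pool vpn-pool",
                            "client configuration address respond"])
print(rsa_sig_gaps(LOCAL, REMOTE, "local", "remote"))
```

A reported gap means that end relies on the default behaviour from step 7, where the existing PKI domains in the system are used, rather than on an explicitly assigned domain.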