Configuring an ike profile – H3C Technologies H3C S12500-X Series Switches User Manual
Configuring an IKE profile
An IKE profile is intended to provide a set of parameters for IKE negotiation. To configure an IKE profile,
you can do the following:
1. Configure peer IDs. When an end needs to select an IKE profile, it matches the received peer ID against the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation.
2. Configure the IKE keychain for the IKE proposals to use.
3. Specify the negotiation mode (main or aggressive) that the device uses as the initiator. When the device acts as the responder, it uses the IKE negotiation mode of the initiator.
4. Specify the IKE proposals that the device can use as the initiator. An IKE proposal specified earlier has a higher priority. When the device acts as the responder, it uses the IKE proposals configured in system view to match the IKE proposals received from the initiator. If no match is found, the negotiation fails.
5. Configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.
6. Configure the IKE DPD function to detect dead IKE peers. You can also configure this function in system view. The IKE DPD settings configured in the IKE profile take precedence over those configured in system view.
7. Specify a local interface or IP address for the IKE profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy view (using the local-address command). If no local address is configured, specify the IP address of the interface that references the IPsec policy.
8. Specify a priority number for the IKE profile. To determine the priority of an IKE profile:
   a. The device checks whether the match local address command is configured. An IKE profile with the match local address command configured has a higher priority.
   b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.
   c. If a tie still exists, the device prefers an IKE profile configured earlier.
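The profile selection described in steps 1, 7 and 8 can be modelled as below, which shows how a broad peer ID and the priority rules decide which profile a peer lands in. This is an added Python example, not H3C code: the class and function names, the tuple form of peer IDs, the "low-high" range string, exact string comparison for FQDNs, and all sample profiles are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class IkeProfile:
    name: str
    order: int                  # configuration order; lower = configured earlier
    priority: int               # smaller number = higher priority
    peer_ids: list              # [(kind, value)], kind is address, fqdn or user-fqdn
    local_address: Optional[str] = None   # models "match local address"

def peer_id_matches(rule, received):
    """Compare one configured peer ID with the ID received from the peer."""
    (kind, value), (r_kind, r_value) = rule, received
    if kind != r_kind:
        return False
    if kind != "address":
        return value == r_value            # exact string match is assumed here
    addr = ipaddress.ip_address(r_value)
    if "-" in value:                       # "low-high" stands for the range form
        low, high = (ipaddress.ip_address(v) for v in value.split("-"))
        return low.version == addr.version and low <= addr <= high
    return addr in ipaddress.ip_network(value, strict=False)

def select_profile(profiles, received_id, local_addr):
    """Return the profile chosen for this peer, or None if no peer ID matches."""
    candidates = [
        p for p in profiles
        if any(peer_id_matches(r, received_id) for r in p.peer_ids)
        and p.local_address in (None, local_addr)   # step 7: bound to one address
    ]
    # a. match local address first, b. smaller priority number, c. configured earlier
    return min(candidates, default=None,
               key=lambda p: (p.local_address is None, p.priority, p.order))

# Constructed sample profiles (documentation address ranges)
PROFILES = [
    IkeProfile("catchall", 1, 1, [("address", "0.0.0.0/0")]),
    IkeProfile("branch", 2, 50, [("address", "203.0.113.0/24")], "198.51.100.1"),
    IkeProfile("partner", 3, 10, [("fqdn", "gw.partner.example")]),
    IkeProfile("partner-old", 4, 10, [("fqdn", "gw.partner.example")]),
]

if __name__ == "__main__":
    for peer in [("address", "203.0.113.7"), ("fqdn", "gw.partner.example")]:
        chosen = select_profile(PROFILES, peer, "198.51.100.1")
        print(peer, "->", chosen.name if chosen else None)
```

In this model, a peer arriving on a local address other than 198.51.100.1 falls through to the catch-all profile, so it is worth reviewing which keychain and proposals the broadest peer ID is attached to.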
To configure an IKE profile:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Create an IKE profile and enter its view.
   Command: ike profile profile-name
   Remarks: By default, no IKE profile is configured.

Step 3. Configure a peer ID.
   Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
   Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.