H3C Technologies H3C S6300 Series Switches User Manual

8. Specify a priority number for the IKE profile. To determine the priority of an IKE profile:

   a. First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority.

   b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.

   c. If a tie still exists, the device prefers an IKE profile configured earlier.

To configure an IKE profile:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE profile and enter its view.
    Command: ike profile profile-name
    Remarks: By default, no IKE profile is configured.

Step 3. Configure a peer ID.
    Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | user-fqdn user-fqdn-name } }
    Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.

Step 4. Specify the keychain for pre-shared key authentication or the PKI domain used to request a certificate for digital signature authentication.
    Command:
        To specify the keychain for pre-shared key authentication:
            keychain keychain-name
        To specify the PKI domain used to request a certificate for digital signature authentication:
            certificate domain domain-name
    Remarks: Configure at least one command as required. By default, no IKE keychain or PKI domain is specified for an IKE profile.

Step 5. Specify the IKE negotiation mode for phase 1.
    Command:
        In non-FIPS mode:
            exchange-mode { aggressive | main }
        In FIPS mode:
            exchange-mode main
    Remarks: By default, the main mode is used during IKE negotiation phase 1.

Step 6. Specify the IKE proposals for the IKE profile to reference.
    Command: proposal proposal-number&<1-6>
    Remarks: By default, an IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.

Step 7. Configure the local ID.
    Command: local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
    Remarks: By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy or IPsec policy template is applied as the local ID.
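
Steps 1 through 7 applied to two profiles, as an added example that is not taken from the H3C manual: one profile authenticates with a pre-shared key keychain, the other with a PKI domain. The profile, keychain, certificate policy and PKI domain names, the addresses (documentation ranges) and proposal number 10 are assumptions, and the referenced keychain, certificate policy, PKI domain and IKE proposal are assumed to exist already.

```text
# Constructed example. All names, addresses and numbers are placeholders.
system-view

# Profile 1: pre-shared key authentication.
ike profile branch-psk
 # Step 3: accept only the single peer address expected for this tunnel.
 match remote identity address 192.0.2.2 255.255.255.255
 # Step 4: keychain that holds the pre-shared key for this peer.
 keychain kc-branch
 # Step 5: main mode (the default, and the only mode listed for FIPS mode).
 exchange-mode main
 # Step 6: reference an explicit proposal instead of falling back to
 # the proposals configured in system view.
 proposal 10
 # Step 7: pin the local ID instead of inheriting the interface address.
 local-identity address 192.0.2.1
 quit

# Profile 2: digital signature authentication.
ike profile branch-cert
 # Step 3: match the peer against a certificate policy.
 match remote certificate policy-branch
 # Step 4: PKI domain used to request the local certificate.
 certificate domain pki-branch
 exchange-mode main
 proposal 10
 # Step 7: use the distinguished name as the local ID.
 local-identity dn
 quit
```

Setting the peer ID, proposal and local ID explicitly in each profile keeps negotiation from depending on the system-view and interface-address defaults described in the Remarks for steps 6 and 7.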