
Configuring the global identity information – H3C Technologies H3C S6300 Series Switches User Manual

Page 269


b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority.

c. If a tie still exists, the device prefers an IKE keychain configured earlier.

To configure the IKE keychain:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE keychain and enter its view.
    Command: ike keychain keychain-name
    Remarks: By default, no IKE keychain exists.

Step 3. Configure a pre-shared key (Release 2310).
    Command: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }
    Remarks: By default, no pre-shared key is configured. For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.

Step 4. Configure a pre-shared key (Release 2311P04 and later versions).
    Command (non-FIPS mode): pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }
    Command (FIPS mode): pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher cipher-key ]
    Remarks: By default, no pre-shared key is configured. For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.

Step 5. (Optional.) Specify a local interface or IP address to which the IKE keychain can be applied.
    Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
    Remarks: By default, an IKE keychain can be applied to any local interface or IP address.

Step 6. (Optional.) Specify a priority for the IKE keychain.
    Command: priority number
    Remarks: The default priority is 100.
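The following session, added here as an illustration and not taken from the H3C manual, shows how steps 2 through 6 combine with the selection rules b and c above: two keychains cover the same peer network, and the priority number decides which one the device uses when both match. Keychain names, the interface, the address range and the key strings are made-up placeholders; lines starting with # are explanatory notes, not CLI input.

```text
# Constructed example: kc-primary, kc-backup, vlan-interface 10, 192.0.2.0/24 and the keys are placeholders.
<Sysname> system-view
# Keychain configured first: usable only on vlan-interface 10, explicit priority 50.
[Sysname] ike keychain kc-primary
[Sysname-ike-keychain-kc-primary] match local address vlan-interface 10
[Sysname-ike-keychain-kc-primary] priority 50
[Sysname-ike-keychain-kc-primary] pre-shared-key address 192.0.2.0 255.255.255.0 key simple PLACEHOLDER-KEY-1
[Sysname-ike-keychain-kc-primary] quit
# Keychain configured second: usable on any local interface, default priority 100.
[Sysname] ike keychain kc-backup
[Sysname-ike-keychain-kc-backup] pre-shared-key address 192.0.2.0 255.255.255.0 key simple PLACEHOLDER-KEY-2
[Sysname-ike-keychain-kc-backup] quit
# For a peer in 192.0.2.0/24 reached through vlan-interface 10, both keychains match.
# Rule b: the smaller priority number wins, so kc-primary is selected (50 is preferred over 100).
# If both keychains kept the default priority 100, rule c would still select kc-primary, which was configured earlier.
# Keys entered with "simple" are saved in cipher text in the configuration file.
# In FIPS mode (Release 2311P04 and later) only the "key [ cipher cipher-key ]" form is accepted.
```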

Configuring the global identity information

Follow these guidelines when you configure the global identity information for the local IKE:

• The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile.

• When signature authentication is used, you can set any type of the identity information.

• When pre-shared key authentication is used, you cannot set the DN as the identity.

To configure the global identity information: