H3C Technologies H3C SecPath F1000-E User Manual
Item / Description

Local ID Type
Select the local ID type for IKE negotiation phase 1. Options include:
• IP Address—Uses an IP address as the ID in IKE negotiation.
• FQDN—Uses the FQDN type as the ID in IKE negotiation. If this option is selected, enter a name string without any at sign (@) for the local security gateway, for example, foo.bar.com.
• User FQDN—Uses a user FQDN type as the ID in IKE negotiation. If this option is selected, enter a name string with an at sign (@) for the local security gateway, for example, [email protected].
IMPORTANT: In main mode, only the ID type of IP address can be used in IKE negotiation and SA establishment.

Local IP Address
Enter the IP address of the local security gateway.
By default, it is the primary IP address of the interface referencing the security policy. Configure this item when you want to specify a special address for the local security gateway.
IMPORTANT: Normally, you do not need to specify the local IP address unless you want to specify a special address, such as the loopback interface address. For the local peer to act as the initiator, you need to configure the remote security gateway name or IP address, so that the initiator can find the remote peer during the negotiation.

Remote Gateway (IP Address / Hostname)
Enter the IP address or host name of the remote security gateway.
You can specify an IP address or a range of IP addresses for the remote gateway. If the local end is the initiator of IKE negotiation, it can have only one remote IP address, and its remote IP address must match the local IP address configured on its peer. If the local end is the responder of IKE negotiation, it can have more than one remote IP address, and one of its remote IP addresses must match the local IP address configured on its peer.
The host name of the remote gateway is the only identifier of the IPsec peer in the network. The host name can be resolved into an IP address by the DNS server. If a host name is used, the local end can serve as the initiator of IKE negotiation.

Remote ID
Enter the name of the remote security gateway.
If the local ID type configured for the IKE negotiation initiator is FQDN or user FQDN, the initiator sends its gateway name (IKE Local Name) to the responder for identification. The responder then uses the locally configured remote gateway name (Remote ID) to authenticate the initiator. Make sure that the remote gateway name configured here is identical to the local gateway name (IKE Local Name) configured on its peer.

Pre-Shared Key / PKI Domain
To use the authentication method of pre-shared key, select Pre-Shared Key and then enter the pre-shared key in the following field.
To use the authentication method of RSA signature, select PKI Domain and then select the PKI domain to which the certificate belongs in the following drop-down box. Available PKI domains are those configured on the page you enter by selecting VPN > Certificate Manager > Domain from the navigation tree.

Enable DPD
Select the IKE DPD to be applied to the IKE peer.
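As an added example (not part of the manual and not H3C's own configuration format), the following Python encodes the constraints from the table above as a consistency check over a pair of constructed IKE peer settings, so a mismatch such as an FQDN ID in main mode or a Remote ID that differs from the peer's IKE Local Name is caught before negotiation fails. The class and field names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the IKE peer items in the table above. The class and
# field names are assumptions for this example, not H3C's configuration format.
@dataclass
class IkePeer:
    mode: str                      # "main" or "aggressive" (IKE phase-1 mode)
    local_id_type: str             # "ip", "fqdn" or "user-fqdn"
    local_name: str = ""           # IKE Local Name sent when ID type is FQDN/user FQDN
    local_ip: Optional[str] = None # Local IP Address; None = interface primary address
    remote_ips: List[str] = field(default_factory=list)  # Remote Gateway address(es)
    remote_hostname: Optional[str] = None                # Remote Gateway host name
    remote_id: str = ""            # Remote ID expected from the peer
    initiator: bool = False        # does this end initiate IKE negotiation?
    auth: str = "pre-shared-key"   # or "rsa-signature"
    pre_shared_key: str = ""
    pki_domain: str = ""

def check_peer(p: IkePeer) -> List[str]:
    """Return the problems in one peer's settings, following the table's rules."""
    problems = []
    if p.mode == "main" and p.local_id_type != "ip":
        problems.append("main mode: only the IP address ID type can be used")
    if p.local_id_type == "fqdn" and "@" in p.local_name:
        problems.append("FQDN local name must not contain an at sign (@)")
    if p.local_id_type == "user-fqdn" and "@" not in p.local_name:
        problems.append("user FQDN local name must contain an at sign (@)")
    if p.initiator and len(p.remote_ips) > 1:
        problems.append("an initiator can have only one remote IP address")
    if p.initiator and not p.remote_ips and not p.remote_hostname:
        problems.append("an initiator needs a remote gateway IP address or host name")
    if p.auth == "pre-shared-key" and not p.pre_shared_key:
        problems.append("pre-shared key authentication selected but no key entered")
    if p.auth == "rsa-signature" and not p.pki_domain:
        problems.append("RSA signature authentication selected but no PKI domain")
    return problems

def check_pair(initiator: IkePeer, responder: IkePeer) -> List[str]:
    """Cross-check both ends: addresses and names must match as the table requires."""
    problems = check_peer(initiator) + check_peer(responder)
    # Address checks only run when the local IPs are set explicitly (not interface defaults).
    if initiator.remote_ips and responder.local_ip and responder.local_ip not in initiator.remote_ips:
        problems.append("initiator's remote IP must match the responder's local IP")
    if initiator.local_ip and initiator.local_ip not in responder.remote_ips:
        problems.append("one of the responder's remote IPs must match the initiator's local IP")
    if initiator.local_id_type != "ip" and responder.remote_id != initiator.local_name:
        problems.append("responder's Remote ID must equal the initiator's IKE Local Name")
    if initiator.auth == "pre-shared-key" and initiator.pre_shared_key != responder.pre_shared_key:
        problems.append("pre-shared keys differ between the two ends")
    return problems
```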