H3C Technologies H3C SecPath F1000-E User Manual

137

Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key authentication, the ID type must be IP address for main mode IKE negotiation and can be IP address, FQDN, or user FQDN for aggressive mode IKE negotiation.

Specify the name or IP address of the local security gateway. You perform this task only when you want to specify a special address, for example a loopback interface address, as the local security gateway address.

Specify the name or IP address of the remote security gateway. For the local end to initiate IKE negotiation, you must specify the name or IP address of the remote security gateway on the local end so that the local end can find the remote end.

Enable NAT traversal. If there is a NAT gateway on the path of the tunnel, you must configure NAT traversal at both ends of the IPsec tunnel, because one end may use a public address while the other end uses a private address.

Specify the dead peer detection (DPD) detector for the IKE peer.

To configure an IKE peer:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE peer and enter IKE peer view.
    Command: ike peer peer-name
    Remarks: N/A

Step 3. Specify the IKE negotiation mode for phase 1.
    Command: exchange-mode { aggressive | main }
    Remarks: Optional. The default IKE negotiation mode for phase 1 is main. The aggressive keyword is not available in FIPS mode.

Step 4. Specify the IKE proposals for the IKE peer to reference.
    Command: proposal proposal-number&<1-6>
    Remarks: Optional. By default, an IKE peer references no IKE proposals and, when initiating IKE negotiation, uses the IKE proposals configured in system view.

Step 5. Configure the pre-shared key or PKI domain.
    Command (pre-shared key authentication): pre-shared-key [ cipher | simple ] key
    Command (digital signature authentication): certificate domain domain-name
    Remarks: Configure either command according to the authentication method of the IKE proposal. In FIPS mode, the shared key must be a ciphertext string of at least 8 characters that contains uppercase letters, lowercase letters, digits, and special characters.

Step 6. Select the ID type for IKE negotiation phase 1.
    Command: id-type { ip | name | user-fqdn }
    Remarks: Optional. By default, the ID type for IKE negotiation phase 1 is ip.
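The constraints in the task list and the table above can be checked mechanically before a configuration is deployed. The following linter is an added example written for this page; it is not H3C code or a tool from the manual. It parses saved-configuration style text (a constructed sample with placeholder keys is embedded) and reports violations of the rules stated here: main mode with pre-shared key authentication requires id-type ip, aggressive mode is unavailable in FIPS mode, the FIPS key-complexity rule for the pre-shared key, and the need to configure a remote gateway before the local end can initiate negotiation. The command names remote-address, remote-name and nat traversal are assumed IKE peer view commands that this excerpt describes only in prose, and the defaults (exchange-mode main, id-type ip) are taken from the table.

```python
"""Added example: lint Comware-style 'ike peer' views against the rules in
this manual excerpt. Not H3C code; command names not shown in the excerpt
(remote-address, remote-name, nat traversal) are assumptions."""
import re

# Constructed sample configuration (keys are placeholders, not real secrets).
SAMPLE_CONFIG = """\
ike peer hq-main
 exchange-mode main
 proposal 1 2
 pre-shared-key cipher Abc123!placeholder
 id-type ip
 remote-address 203.0.113.10
ike peer branch-aggr
 exchange-mode aggressive
 pre-shared-key simple weakkey
 id-type name
 nat traversal
ike peer broken-main
 pre-shared-key cipher Abc123!placeholder
 id-type user-fqdn
"""

# Defaults from the table: exchange-mode main, id-type ip.
DEFAULTS = {"exchange-mode": "main", "id-type": "ip"}


def parse_ike_peers(config_text):
    """Return {peer_name: settings}; indented lines belong to the open peer view."""
    peers, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ike peer (\S+)$", line)
        if m:
            cur = dict(DEFAULTS)
            peers[m.group(1)] = cur
            continue
        if cur is None or not raw.startswith(" ") or not line:
            continue  # blank line or a command outside any IKE peer view
        words = line.split()
        if words[0] == "pre-shared-key":  # pre-shared-key [ cipher | simple ] key
            form = words[1] if words[1] in ("cipher", "simple") else "simple"
            cur["psk-form"], cur["pre-shared-key"] = form, words[-1]
        elif words[:2] == ["certificate", "domain"]:
            cur["certificate-domain"] = words[2]
        elif words[0] in ("exchange-mode", "id-type"):
            cur[words[0]] = words[1]
        elif words[0] == "proposal":
            cur["proposal"] = words[1:]
        elif words[0] in ("remote-address", "remote-name"):  # assumed command names
            cur["remote"] = words[1]
        elif words[:2] == ["nat", "traversal"]:  # assumed command name
            cur["nat-traversal"] = True
    return peers


def key_meets_fips_policy(key):
    """FIPS rule from the table: >= 8 characters with upper, lower, digit, special."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(key) >= 8 and all(re.search(c, key) for c in classes)


def lint_ike_peers(config_text, fips_mode=False):
    """Return {peer_name: [findings]} for the constraints stated in the manual."""
    report = {}
    for name, p in parse_ike_peers(config_text).items():
        out = []
        uses_psk = "pre-shared-key" in p
        if not uses_psk and "certificate-domain" not in p:
            out.append("no pre-shared-key or certificate domain configured")
        # Pre-shared key + main mode: the ID type must be an IP address.
        if uses_psk and p["exchange-mode"] == "main" and p["id-type"] != "ip":
            out.append(f"main mode with a pre-shared key requires id-type ip, found {p['id-type']}")
        if fips_mode and p["exchange-mode"] == "aggressive":
            out.append("aggressive mode is not available in FIPS mode")
        if fips_mode and uses_psk:
            if p["psk-form"] != "cipher":
                out.append("FIPS mode requires the key in cipher form")
            if not key_meets_fips_policy(p["pre-shared-key"]):
                out.append("pre-shared key does not meet the FIPS complexity rule")
        # Without a remote gateway the local end cannot initiate negotiation.
        if "remote" not in p:
            out.append("no remote gateway configured; this end cannot initiate IKE negotiation")
        if "proposal" not in p:
            out.append("info: no proposal referenced; system-view IKE proposals will be used")
        report[name] = out
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- fips_mode={mode}")
        for peer, findings in lint_ike_peers(SAMPLE_CONFIG, fips_mode=mode).items():
            print(peer, "OK" if not findings else "")
            for f in findings:
                print("   ", f)
```

Running the block prints the findings for each peer twice, once with FIPS mode off and once with it on; the hq-main peer is clean in both runs, while broken-main shows the id-type mismatch that main mode with a pre-shared key would cause, and branch-aggr picks up the aggressive-mode and key-form findings only under FIPS mode. The parser keys on the leading-space indentation of peer-view lines, which is how these views appear in saved configuration output.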