Configuring an IKE profile

An IKE profile groups the parameters that the device uses for IKE negotiation with a given peer or set of peers. To configure an IKE profile, perform the following tasks:

  1. Configure peer IDs. When an end needs to select an IKE profile, it compares the received peer ID with the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation.

  2. Configure the IKE keychain or PKI domain that the authentication method of the IKE proposals requires:

    • To use digital signature authentication, configure a PKI domain.

    • To use pre-shared key authentication, configure an IKE keychain.

  3. Specify the negotiation mode (main or aggressive) that the device uses as the initiator. When the device acts as the responder, it uses the IKE negotiation mode of the initiator. Main mode exchanges the peer identities only after the ISAKMP SA is established, so they are encrypted. Aggressive mode completes in fewer messages but sends the identities in cleartext and, with pre-shared key authentication, exposes a hash derived from the key that a passive observer can attack offline. Use main mode unless a peer with a dynamic address cannot otherwise be identified.

  4. Specify the IKE proposals that the device can use as the initiator. An IKE proposal specified earlier has a higher priority. When the device acts as the responder, it uses the IKE proposals configured in system view to match the IKE proposals received from the initiator. If a match is not found, the negotiation fails.

  5. Configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation:

    • For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN (the device name configured by using the sysname command) instead.

    • For pre-shared key authentication, the device can use an ID of any type other than the DN.

  6. Configure IKE DPD to detect dead IKE peers. You can also configure this feature in system view. The IKE DPD settings configured in IKE profile view take precedence over those configured in system view.

  7. Specify a local interface or IP address for the IKE profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

  8. Specify an inside VPN instance. This setting determines where the device should forward received IPsec protected data. If you specify an inside VPN instance, the device looks for a route in the specified VPN instance to forward the data. If you do not specify an inside VPN instance, the device looks for a route in the VPN instance where the receiving interface resides to forward the data.

  9. Specify a priority number for the IKE profile. To determine the priority of an IKE profile:

    1. First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority.

    2. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.

    3. If a tie still exists, the device prefers an IKE profile configured earlier.

  10. Enable client authentication.

    Client authentication provides extended (XAUTH) authentication in IKE negotiation for secure remote access to an IPsec VPN.

    When deploying an IPsec VPN for remote access, you can enable client authentication on the IPsec gateway. After the IKE phase-1 negotiation, the IPsec gateway uses AAA to perform client authentication on remote users. Remote users who provide the correct username and password pass authentication and continue with the negotiation. AAA must also be configured on the IPsec gateway for client authentication to work. For more information about AAA, see "Configuring AAA."

  11. Enable AAA authorization.

    The AAA authorization feature enables IKE to request authorization attributes, such as the IKE IPv4 address pool, from AAA. IKE uses the address pool to assign IPv4 addresses to remote users. For more information about AAA authorization, see "Configuring AAA."

To configure an IKE profile (step, command, remarks):

  1. Enter system view.

     Command: system-view

  2. Create an IKE profile and enter its view.

     Command: ike profile profile-name

     Remarks: By default, no IKE profiles exist.

  3. Configure a peer ID.

     Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }

     Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.

  4. Specify the keychain for pre-shared key authentication or the PKI domain used to request a certificate for digital signature authentication.

     Command (pre-shared key authentication): keychain keychain-name

     Command (digital signature authentication): certificate domain domain-name

     Remarks: Configure at least one command as required. By default, no IKE keychain or PKI domain is specified for an IKE profile.

  5. Specify the IKE negotiation mode for phase 1.

     Command (non-FIPS mode): exchange-mode { aggressive | main }

     Command (FIPS mode): exchange-mode main

     Remarks: By default, main mode is used during IKE negotiation phase 1.

  6. Specify IKE proposals for the IKE profile.

     Command: proposal proposal-number&<1-6>

     Remarks: By default, no IKE proposals are specified for an IKE profile, and the IKE proposals configured in system view are used for IKE negotiation.

  7. Configure the local ID.

     Command: local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }

     Remarks: By default, no local ID is configured for an IKE profile, and the IKE profile uses the local ID configured in system view. If no local ID is configured in system view either, the IKE profile uses the IP address of the interface to which the IPsec policy or IPsec policy template is applied as the local ID.

  8. (Optional.) Configure IKE DPD.

     Command: dpd interval interval [ retry seconds ] { on-demand | periodic }

     Remarks: By default, IKE DPD is not configured for an IKE profile, and the IKE profile uses the DPD settings configured in system view. If IKE DPD is not configured in system view either, the device does not perform dead IKE peer detection.

  9. (Optional.) Specify the local interface or IP address to which the IKE profile can be applied.

     Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

     Remarks: By default, an IKE profile can be applied to any local interface or IP address.

  10. (Optional.) Specify an inside VPN instance.

     Command: inside-vpn vpn-instance vpn-instance-name

     Remarks: By default, no inside VPN instance is specified for an IKE profile, and the device forwards protected data in the VPN instance where the interface receiving the data resides.

  11. (Optional.) Specify a priority for the IKE profile.

     Command: priority priority

     Remarks: By default, the priority of an IKE profile is 100.

  12. (Optional.) Enable client authentication.

     Command: client authentication xauth

     Remarks: By default, client authentication is disabled.

  13. (Optional.) Enable AAA authorization.

     Command: aaa authorization domain domain-name username user-name

     Remarks: By default, AAA authorization is disabled.
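The following configuration walks through the whole procedure on one gateway. It is a worked example added here, not taken from the product documentation, and uses only the commands listed above. It builds two profiles: a site-to-site profile with pre-shared key authentication and a remote-access profile with certificate authentication, XAUTH and AAA authorization. Every name, address (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and number is an assumption, and the IKE keychain, IKE proposals, PKI domain, certificate access control policy and AAA domain it refers to are assumed to have been created beforehand as described in their own sections. Lines beginning with # are annotations, not commands.

```text
# Worked example (not from the product documentation). Assumes IKE keychain
# "branch-keys", IKE proposals 1 and 2, PKI domain "ra-pki", certificate access
# control policy "ra-cert-policy" and AAA domain "ra-domain" already exist.
system-view

# --- Profile 1: site-to-site tunnel to a branch gateway, pre-shared key ---
ike profile site-branch
 # Step 3: select this profile when the peer identifies itself as 203.0.113.2
 match remote identity address 203.0.113.2 255.255.255.255
 # Step 4: pre-shared key authentication uses a keychain, not a PKI domain
 keychain branch-keys
 # Step 5: main mode; aggressive mode would send identities in cleartext
 exchange-mode main
 # Step 6: proposal 1 is offered first, proposal 2 second
 proposal 1 2
 # Step 7: with pre-shared keys any ID type except DN is allowed
 local-identity fqdn hq-gw.example.net
 # Step 8: these DPD settings override the system-view DPD settings
 dpd interval 10 retry 5 on-demand
 # Step 9: bind the profile to the address used as local-address in the
 # IPsec policy (assumed to be 198.51.100.1)
 match local address 198.51.100.1
 # Step 11: priority left at the default of 100 (see selection note below)
 quit

# --- Profile 2: remote-access users, certificate authentication + XAUTH ---
ike profile remote-access
 # Step 3: match peers whose certificate satisfies the access control policy
 match remote certificate ra-cert-policy
 # Step 4: digital signature authentication uses a PKI domain
 certificate domain ra-pki
 exchange-mode main
 proposal 1
 # Step 7: with digital signatures the DN may be used as the local ID
 local-identity dn
 dpd interval 30 retry 5 periodic
 # Step 10: route decrypted user traffic in VPN instance "corp" rather than
 # in the VPN instance of the receiving interface
 inside-vpn vpn-instance corp
 # Step 11: smaller number = higher priority among profiles that tie on rule 1
 priority 10
 # Step 12: XAUTH username/password check through AAA after phase 1
 client authentication xauth
 # Step 13: request the IKE address pool and other attributes from AAA
 aaa authorization domain ra-domain username ike-ra-user
 quit

# Selection order if a peer's ID satisfied both profiles (for example a
# remote user whose certificate passes ra-cert-policy and who initiates
# from 203.0.113.2):
#   1. site-branch is preferred because it has match local address configured,
#      even though remote-access has the smaller priority number (10 < 100);
#   2. priority numbers decide only between profiles that tie on rule 1;
#   3. a remaining tie goes to the profile that was configured earlier.
```

The two profiles deliberately differ in where their selection precedence comes from: site-branch relies on match local address, remote-access on its priority number. If the site-to-site peer must never fall through to the remote-access profile, keep match local address on the site profile; lowering its priority number alone would not help, because rule 1 is evaluated before the numbers are compared.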