Configuring an IKE keychain
Perform this task when you configure the IKE to use the pre-shared key for authentication.
Follow these guidelines when you configure an IKE keychain:
Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
You can specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
You can specify a priority number for the IKE keychain. To determine the priority of an IKE keychain:
The device examines the existence of the match local address command. An IKE keychain with the match local address command configured has a higher priority.
If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority.
If a tie still exists, the device prefers an IKE keychain configured earlier.
To configure the IKE keychain:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IKE keychain and enter its view. | ike keychain keychain-name [ vpn-instance vpn-instance-name ] | By default, no IKE keychains exist. |
3. Configure a pre-shared key. |
| By default, no pre-shared key is configured. For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file. |
4. (Optional.) Specify a local interface or IP address to which the IKE keychain can be applied. | match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] } | By default, an IKE keychain can be applied to any local interface or IP address. |
5. (Optional.) Specify a priority for the IKE keychain. | priority priority | The default priority is 100. |