Configuring an IKEv2 policy

During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway (and, if match vrf is configured, the VPN instance that address belongs to) as the matching criterion.

The device matches IKEv2 policies in the descending order of their priorities. To determine the priority of an IKEv2 policy:

  1. First, the device checks whether the match local address command is configured. An IKEv2 policy with the match local address command configured has a higher priority than one without it, regardless of their priority numbers.

  2. If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority number has a higher priority.

  3. If a tie still exists, the device prefers an IKEv2 policy configured earlier.

To configure an IKEv2 policy:

  1. Enter system view.
     Command: system-view
     Remarks: N/A

  2. Create an IKEv2 policy and enter IKEv2 policy view.
     Command: ikev2 policy policy-name
     Remarks: By default, an IKEv2 policy named default exists. This policy uses the default IKEv2 proposal and matches any local address.

  3. Specify the local interface or address used for IKEv2 policy matching.
     Command: match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }
     Remarks: By default, no local interface or address is specified, and the policy matches any local interface or address. A policy with this command configured is always preferred over a policy without it, whatever their priority numbers.

  4. Specify a VPN instance for IKEv2 policy matching.
     Command: match vrf { name vrf-name | any }
     Remarks: By default, no VPN instance is specified, and the policy matches only local addresses in the public network.

  5. Specify an IKEv2 proposal for the IKEv2 policy.
     Command: proposal proposal-name
     Remarks: By default, no IKEv2 proposal is specified for a user-created IKEv2 policy. The policy named default is the exception: it uses the default IKEv2 proposal (see step 2).

  6. Specify a priority for the IKEv2 policy.
     Command: priority priority
     Remarks: By default, the priority of an IKEv2 policy is 100. A smaller number means a higher priority.
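The selection rules above and the commands from the configuration steps, modelled as an added Python example (this is not Comware code or an H3C/HPE tool): it parses a constructed configuration snippet written in the page's command syntax and returns the policy the three ordering rules would choose for a given local address and VPN instance. The policy names, the addresses, the VPN instance name finance and the proposal names are invented for the example. The page does not say how the device treats a policy that has no proposal, so the code records the proposal but does not use it for selection.

```python
"""Added example: IKEv2 policy selection as described on this page.

Not Comware code. Parses a constructed configuration written in the
page's command syntax and picks the policy the three ordering rules
select: a policy with match local address beats one without, then a
smaller priority number wins, then the earlier-configured policy wins.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample configuration (names, addresses and the VPN
# instance are invented). The policy named default is written out
# explicitly to model the policy that exists by default.
SAMPLE_CONFIG = """\
ikev2 policy default
 proposal default
ikev2 policy branch
 match local address 10.0.0.1
 match vrf name finance
 proposal p-strong
 priority 200
ikev2 policy hq
 match local address 10.0.0.1
 proposal p-strong
 priority 50
ikev2 policy catchall
 proposal p-strong
 priority 1
ikev2 policy backup
 proposal p-strong
 priority 1
"""


@dataclass
class Ikev2Policy:
    name: str
    order: int                           # configuration order (rule 3)
    local_address: Optional[str] = None  # None: matches any local address
    vrf: Optional[str] = None            # None: public network only; "any"; or a VPN instance name
    proposal: Optional[str] = None       # recorded, not used for selection
    priority: int = 100                  # default priority from the page

    def matches(self, local_address: str, vrf: Optional[str]) -> bool:
        """True if this policy applies to the given local address / VPN instance."""
        if self.local_address is not None and self.local_address != local_address:
            return False
        if self.vrf is None:
            return vrf is None           # no match vrf: public network only
        return self.vrf == "any" or self.vrf == vrf


def parse_policies(config: str) -> List[Ikev2Policy]:
    """Parse 'ikev2 policy' blocks and the four policy-view commands from the page."""
    policies: List[Ikev2Policy] = []
    current: Optional[Ikev2Policy] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["ikev2", "policy"]:
            current = Ikev2Policy(name=tokens[2], order=len(policies))
            policies.append(current)
        elif current is None:
            raise ValueError(f"command outside IKEv2 policy view: {raw.strip()}")
        elif tokens[:3] == ["match", "local", "address"]:
            rest = tokens[3:]
            if rest and rest[0] == "ipv6":       # 'match local address ipv6 <addr>'
                rest = rest[1:]
            current.local_address = " ".join(rest)  # address or 'interface-type interface-number'
        elif tokens[:2] == ["match", "vrf"]:
            current.vrf = "any" if tokens[2] == "any" else tokens[3]  # 'match vrf name <vrf>'
        elif tokens[0] == "proposal":
            current.proposal = tokens[1]
        elif tokens[0] == "priority":
            current.priority = int(tokens[1])
        else:
            raise ValueError(f"unsupported command in example parser: {raw.strip()}")
    return policies


def policy_rank(policy: Ikev2Policy):
    """Sort key implementing the three rules; the smallest key is the preferred policy."""
    return (0 if policy.local_address is not None else 1, policy.priority, policy.order)


def select_policy(policies: List[Ikev2Policy], local_address: str,
                  vrf: Optional[str] = None) -> Optional[Ikev2Policy]:
    """Return the policy the rules pick for an IKE_SA_INIT on local_address in vrf."""
    candidates = [p for p in policies if p.matches(local_address, vrf)]
    return min(candidates, key=policy_rank) if candidates else None


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for addr, vrf in [("10.0.0.1", None), ("10.0.0.1", "finance"), ("192.0.2.1", None)]:
        chosen = select_policy(pols, addr, vrf)
        print(addr, vrf or "public", "->", chosen.name if chosen else "no policy")
```

Running the script shows the rules in action: for 10.0.0.1 in the public network the policy hq wins although catchall has the smaller priority number, because hq carries match local address; for 10.0.0.1 in VPN instance finance only branch matches, since policies without match vrf apply to the public network only; for 192.0.2.1 catchall beats default on priority number and beats backup, which has the same number, because it was configured earlier.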