Configuring an IKEv2 keychain

An IKEv2 keychain holds the pre-shared keys that the device uses to authenticate peers during IKEv2 negotiation.

An IKEv2 keychain can contain multiple IKEv2 peers. Each peer has either a symmetric pre-shared key (the same key on both ends) or an asymmetric pre-shared key pair (a local key and a remote key), plus information that identifies the peer: its host name, its IP address or address range, or its IKE ID.

The matching criteria depend on the device's role in the negotiation. An initiator looks up the peer by host name or by IP address/address range. A responder looks up the peer by IP address/address range or by the ID the initiator presents. Configure the identifying information that matches the role the device will play; a peer that is matched only by ID can be found by a responder, but not by an initiator.

To configure an IKEv2 keychain:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKEv2 keychain and enter IKEv2 keychain view.
  Command: ikev2 keychain keychain-name
  Remarks: By default, no IKEv2 keychains exist.

Step 3. Create an IKEv2 peer and enter IKEv2 peer view.
  Command: peer name
  Remarks: By default, no IKEv2 peers exist.

Step 4. Configure the information for identifying the IKEv2 peer.
  Commands:
  • To configure a host name for the peer: hostname host-name
  • To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
  • To configure an ID for the peer: identity { address { ipv4-address | ipv6 { ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string }
  Remarks: By default, no host name, host IP address, address range, or identity information is configured for an IKEv2 peer.
  You must configure different IP addresses/address ranges for different peers, so that an address lookup resolves to exactly one peer.

Step 5. Configure a pre-shared key for the peer.
  Command: pre-shared-key [ local | remote ] { ciphertext | plaintext } string
  Remarks: By default, an IKEv2 peer does not have a pre-shared key.
  Specify neither local nor remote to configure a symmetric key. Specify local for the key this device uses to authenticate itself and remote for the key the peer must use; an asymmetric pair must be configured the other way round on the peer.
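The following is an added example that walks through the procedure above for one keychain with two peers; it is not taken from the configuration guide. The keychain name, peer names, addresses, FQDN and key strings are assumed values chosen for illustration. The first peer has a fixed address and is matched by address (usable by both an initiator and a responder) with a symmetric key; the second peer has a changing address and is matched only by the FQDN it presents (so this device can find it only as a responder) with an asymmetric key pair.

```text
# Added example, not from the original page. All names, addresses and keys are assumed.
system-view
 ikev2 keychain kc-branch
  peer branch-a
   address 192.0.2.10 32
   identity address 192.0.2.10
   pre-shared-key plaintext Br4nch-A-k3y!2024
   quit
  peer roaming-b
   identity fqdn roaming-b.example.com
   pre-shared-key local plaintext L0cal-k3y-for-B!
   pre-shared-key remote plaintext R3mote-k3y-for-B!
   quit
  quit
```

On branch-a, configure the same symmetric key for this device. On roaming-b, swap the pair: its local key must be R3mote-k3y-for-B! and its remote key L0cal-k3y-for-B!, otherwise IKE_AUTH fails even though the peer is found. The pre-shared key is saved in ciphertext in the configuration file whether you enter it in plaintext or ciphertext form, so the plaintext strings above do not appear in display current-configuration output; use long, random keys, because a short or guessable pre-shared key is the weakest point of PSK-authenticated IKEv2.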