Configuring an IKEv2 profile

An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an IKEv2 profile, perform the following tasks:

  1. Specify the local and remote identity authentication methods.

    The local and remote identity authentication methods must both be specified, and they can differ. You can specify only one local identity authentication method but multiple remote identity authentication methods.

  2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:

    • To use digital signature authentication, configure a PKI domain.

    • To use pre-shared key authentication, configure an IKEv2 keychain.

  3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation:

    • For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN as the local ID. The FQDN is the device name configured by using the sysname command.

    • For pre-shared key authentication, the device can use an ID of any type other than the DN.

  4. Configure peer IDs.

    The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2 profiles will be compared in descending order of their priorities.

  5. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

  6. Specify a priority number for the IKEv2 profile. To determine the priority of an IKEv2 profile:

    1. First, the device checks whether the match local command is configured. An IKEv2 profile with the match local command configured has a higher priority.

    2. If a tie exists, the device compares the priority numbers. An IKEv2 profile with a smaller priority number has a higher priority.

    3. If a tie still exists, the device prefers an IKEv2 profile configured earlier.

  7. Specify a VPN instance for the IKEv2 profile. The IKEv2 profile is used for IKEv2 negotiation only on the interfaces that belong to the VPN instance.

  8. Configure the IKEv2 SA lifetime.

    The local and remote ends can use different IKEv2 SA lifetimes. They do not negotiate the lifetime. The end with a smaller SA lifetime will initiate an SA negotiation when the lifetime expires.

  9. Configure IKEv2 DPD to detect dead IKEv2 peers. You can also configure this feature in system view. If you configure IKEv2 DPD in both views, the IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.

  10. Specify an inside VPN instance. This setting determines where the device should forward received IPsec packets after it de-encapsulates them. If you specify an inside VPN instance, the device looks for a route in the specified VPN instance to forward the packets. If you do not specify an inside VPN instance, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.

  11. Configure the NAT keepalive interval.

    Configure this task when the device is behind a NAT gateway. The device sends NAT keepalive packets to its peer at regular intervals so that the NAT session is not aged out for lack of matching traffic.

  12. Enable the configuration exchange feature.

    The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response.

    This feature typically applies to scenarios where branches and the headquarters communicate through virtual tunnels.

    This feature enables the IPsec gateway at a branch to send IP address requests to the IPsec gateway at the headquarters. When the headquarters receives the request, it sends an IP address to the branch in the response packet. The headquarters can also actively push an IP address to the branch. The branch uses the allocated IP address as the IP address of the virtual tunnel to communicate with the headquarters.

  13. Enable AAA authorization.

    The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 address pool, from AAA. IKEv2 uses the address pool to assign IP addresses to remote users. For more information about AAA authorization, see "Configuring AAA."

To configure an IKEv2 profile:

  1. Enter system view.

    Command: system-view

    Remarks: N/A

  2. Create an IKEv2 profile and enter IKEv2 profile view.

    Command: ikev2 profile profile-name

    Remarks: By default, no IKEv2 profiles exist.

  3. Configure the local and remote identity authentication methods.

    Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

    Remarks: By default, no local or remote identity authentication method is configured.

  4. Specify a keychain.

    Command: keychain keychain-name

    Remarks: By default, no keychain is specified for an IKEv2 profile. Perform this task when the pre-shared key authentication method is specified.

  5. Specify a PKI domain.

    Command: certificate domain domain-name [ sign | verify ]

    Remarks: By default, the device uses the PKI domains configured in system view. Perform this task when the digital signature authentication method is specified.

  6. Configure the local ID.

    Command: identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }

    Remarks: By default, no local ID is configured, and the device uses the IP address of the interface where the IPsec policy applies as the local ID.

  7. Configure peer IDs.

    Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

    Remarks: By default, no peer ID is configured. You must configure a minimum of one peer ID on each of the two peers.

  8. (Optional.) Specify the local interface or IP address to which the IKEv2 profile can be applied.

    Command: match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

    Remarks: By default, an IKEv2 profile can be applied to any local interface or IP address.

  9. (Optional.) Specify a priority for the IKEv2 profile.

    Command: priority priority

    Remarks: By default, the priority of an IKEv2 profile is 100.

  10. (Optional.) Specify a VPN instance for the IKEv2 profile.

    Command: match vrf { name vrf-name | any }

    Remarks: By default, an IKEv2 profile belongs to the public network.

  11. (Optional.) Set the IKEv2 SA lifetime for the IKEv2 profile.

    Command: sa duration seconds

    Remarks: By default, the IKEv2 SA lifetime is 86400 seconds.

  12. (Optional.) Configure the DPD feature for the IKEv2 profile.

    Command: dpd interval interval [ retry seconds ] { on-demand | periodic }

    Remarks: By default, DPD is disabled for an IKEv2 profile and the global DPD settings in system view are used. If DPD is also disabled in system view, the device does not perform DPD.

  13. (Optional.) Specify an inside VPN instance for the IKEv2 profile.

    Command: inside-vrf vrf-name

    Remarks: By default, no inside VPN instance is specified for an IKEv2 profile. The internal and external networks are in the same VPN instance, and the device forwards protected data to this VPN instance.

  14. (Optional.) Set the IKEv2 NAT keepalive interval.

    Command: nat-keepalive seconds

    Remarks: By default, the global IKEv2 NAT keepalive setting is used.

  15. (Optional.) Enable the configuration exchange feature.

    Command: config-exchange { request | set { accept | send } }

    Remarks: By default, all configuration exchange options are disabled.

  16. (Optional.) Enable AAA authorization.

    Command: aaa authorization domain domain-name username user-name

    Remarks: By default, AAA authorization is disabled for IKEv2.
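The following assembles the commands from the procedure above into two profiles on a headquarters gateway, one pre-shared-key profile for a branch address range and one certificate-based profile for a single partner, with the profile-selection rules from task 6 noted inline; it is an added example, not configuration from the original page. The profile, keychain and PKI domain names, the addresses, FQDNs and the interface are constructed placeholders, and the keychain and PKI domain are assumed to be configured separately (not covered here).

```text
# Lines beginning with '#' are annotations, not commands entered on the device.
# Names, addresses, FQDNs and the interface are constructed placeholders.
system-view

# Profile 1: pre-shared key authentication for branch gateways in 10.1.0.0/16.
# The IKEv2 keychain "branch-keys" is assumed to exist; configuring it is not covered here.
ikev2 profile hq-branches
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain branch-keys
# An FQDN local ID is valid for pre-shared key authentication (a DN is not).
 identity local fqdn hq-gw.example.com
 match remote identity address range 10.1.0.1 10.1.255.254
# Restrict the profile to the WAN interface. A profile with match local also
# ranks above every profile without it, whatever their priority numbers.
 match local address gigabitethernet 1/0/1
 priority 50
# 12 hours. Lifetimes are not negotiated; the end with the shorter one rekeys first.
 sa duration 43200
# On-demand DPD probes the peer only when there is traffic to send and the peer
# has been silent for 30 s, retrying every 5 s.
 dpd interval 30 retry 5 on-demand
# Only needed when this gateway itself sits behind NAT; keeps the NAT mapping alive.
 nat-keepalive 20
 quit

# Profile 2: RSA signature authentication for one partner gateway inside the same range.
# The PKI domain "partner-pki" is assumed to exist.
ikev2 profile partner
 authentication-method local rsa-signature
 authentication-method remote rsa-signature
 certificate domain partner-pki
 identity local fqdn hq-gw.example.com
 match remote identity address 10.1.5.5
# A smaller number is a higher priority, but this profile has no match local, so a
# peer presenting 10.1.5.5 through GigabitEthernet 1/0/1 still selects hq-branches
# first. Add a match local address line here as well if partner must be preferred.
 priority 10
 quit
```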