local-identity

Use local-identity to configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.

Use undo local-identity to restore the default.

Syntax

local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }

undo local-identity

Default

No local ID is configured for an IKE profile. An IKE profile uses the local ID configured in system view by using the ike identity command. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy is applied as the local ID.

Views

IKE profile view

Predefined user roles

network-admin

mdc-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.

dn: Uses the DN in the local certificate as the local ID.

fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.

user-fqdn user-fqdn-name: Uses a user FQDN as the local ID. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as adc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.

Usage guidelines

For digital signature authentication, the device can use any type of ID. For pre-shared key authentication, the device can use any type of ID other than the DN.

In digital signature authentication, if the local ID is an IP address that is different from the IP address in the local certificate, the device uses its FQDN instead. The FQDN is the device name configured by using the sysname command.

The initiator uses the local ID to identify itself to the responder. The responder compares the initiator's ID with the peer IDs configured by the match remote command to look for a matching IKE profile.

An IKE profile can have only one local ID.

An IKE profile with no local ID specified uses the local ID configured by using the ike identity command in system view.
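
The precedence and fallback rules above decide which ID the peer actually receives, and that is the value the responder's match remote entries have to match. The following Python function is an added example, not code from the device or its vendor; the function name, the "pre-share" and "signature" labels, the (type, value) tuple form, and the assumption that ike identity accepts the same ID types are all illustrative.

```python
from ipaddress import ip_address

NAME_TYPES = ("fqdn", "user-fqdn")

def effective_local_id(profile_id, system_id, interface_ip, auth, sysname,
                       cert_ip=None, cert_dn=None):
    """Predict the (type, value) local ID presented to the peer.

    profile_id / system_id: None, or (type, value) as set by local-identity /
    ike identity; value None means the optional name was omitted.
    auth: "pre-share" or "signature" (labels chosen for this example).
    """
    # Precedence: IKE profile, then system view, then the interface address.
    id_type, value = profile_id or system_id or ("address", interface_ip)

    if id_type in NAME_TYPES:
        if value is None:
            value = sysname  # omitted name defaults to the sysname
        elif not 1 <= len(value) <= 255:
            raise ValueError(f"{id_type} name must be 1 to 255 characters")
    elif id_type == "dn":
        if auth == "pre-share":
            raise ValueError("DN is not allowed with pre-shared key authentication")
        value = cert_dn  # the DN is taken from the local certificate
    elif id_type == "address":
        # Signature authentication: an address that differs from the one in
        # the local certificate is replaced by the FQDN (the sysname). A
        # certificate without an address is not covered by the text above,
        # so this example leaves the ID unchanged in that case.
        if (auth == "signature" and cert_ip is not None
                and ip_address(value) != ip_address(cert_ip)):
            id_type, value = "fqdn", sysname
    else:
        raise ValueError(f"unknown ID type: {id_type}")
    return id_type, value

if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    print(effective_local_id(("address", "2.2.2.2"), None, "10.0.0.1",
                             "signature", "RouterA", cert_ip="3.3.3.3"))
    print(effective_local_id(None, ("fqdn", None), "10.0.0.1",
                             "pre-share", "RouterA"))
```

Running the same function over both ends of a tunnel shows quickly whether the ID a device will send is one the peer is configured to match.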

Examples

# Set the local ID to IP address 2.2.2.2.

<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] local-identity address 2.2.2.2

Related commands

match remote

ike identity