match local address (IKE keychain view)

Use match local address to specify a local interface or IP address to which an IKE keychain can be applied.

Use undo match local address to restore the default.


match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

undo match local address


An IKE keychain can be applied to any local interface or IP address.


IKE keychain view

Predefined user roles




interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the IPv4 or IPv6 address belongs to the public network, do not specify this option.

Usage guidelines

Use this command to specify which address or interface can use the IKE keychain for IKE negotiation. Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. To give an IKE keychain a higher priority, you can configure this command for the keychain. For example, suppose you specified IKE keychain A before specifying IKE keychain B, and you configured the peer ID for IKE keychain A and the peer ID for IKE keychain B. For the local interface with the IP address to negotiate with the peer, IKE keychain A is preferred because IKE keychain A was specified earlier. To use IKE keychain B, you can use this command to restrict the application scope of IKE keychain B to address


# Create IKE keychain key1.

<Sysname> system-view
[Sysname] ike keychain key1

# Apply IKE keychain key1 to IP address

[sysname-ike-keychain-key1] match local address

# Apply IKE keychain key1 to the interface with IP address in VPN instance vpn1.

[sysname-ike-keychain-key1] match local address vpn-instance vpn1