match remote

Use match remote to configure a peer ID for IKE profile matching.

Use undo match remote to delete a peer ID for IKE profile matching.

Syntax

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }

undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }

Default

No peer ID is configured for IKE profile matching.

Views

IKE profile view

Predefined user roles

network-admin

mdc-admin

Parameters

certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching. The policy-name argument is a string of 1 to 31 characters.

identity: Uses the specified information as the peer ID for IKE profile matching. The specified information is configured on the peer by using the local-identity command.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified address or addresses belong. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the address or addresses belong to the public network, do not specify this option.

Usage guidelines

When an end needs to select an IKE profile, it compares the received peer ID with the peer IDs configured in its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation.

Each IKE profile must have at least one peer ID configured. To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.

For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.
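The following Python is an added illustration of the selection rules above, not the device's own implementation: it models match remote peer IDs (FQDN, user FQDN, and address as host, prefix or range), keeps configuration order as priority, and flags a peer ID that appears in more than one profile. The IkeProfile class, the "low-high" range notation and the scan order across profiles are assumptions made for this model.

```python
import ipaddress

class IkeProfile:
    """Models one IKE profile; peer IDs keep configuration order (earlier = higher priority)."""
    def __init__(self, name):
        self.name = name
        self.peer_ids = []  # list of (kind, value) in the order configured

    def match_remote_identity(self, kind, value):
        # kind is "fqdn", "user-fqdn" or "address"; an address value may be a host
        # ("10.1.1.1"), a prefix ("10.1.1.0/24") or a range written "low-high" (assumed notation)
        if kind == "address":
            if "-" in value:
                lo, hi = (ipaddress.ip_address(x) for x in value.split("-"))
            else:
                net = ipaddress.ip_network(value, strict=False)
                lo, hi = net[0], net[-1]
            value = (lo, hi)
        self.peer_ids.append((kind, value))

def _id_matches(peer_id, kind, value):
    pkind, pval = peer_id
    if pkind != kind:
        return False
    if kind == "address":
        addr = ipaddress.ip_address(value)
        return addr.version == pval[0].version and pval[0] <= addr <= pval[1]
    return pval == value

def select_profile(profiles, kind, value):
    """Return the name of the first profile (assumed scan order) holding a peer ID that
    matches the received ID, or None; earlier-configured IDs in a profile win."""
    for prof in profiles:
        if any(_id_matches(pid, kind, value) for pid in prof.peer_ids):
            return prof.name
    return None

def duplicate_peer_ids(profiles):
    """Peer IDs configured on two or more profiles: selection would be unpredictable."""
    owners = {}
    for prof in profiles:
        for pid in prof.peer_ids:
            owners.setdefault(pid, set()).add(prof.name)
    return {pid: names for pid, names in owners.items() if len(names) > 1}
```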

Examples

# Create IKE profile prof1.

<Sysname> system-view
[Sysname] ike profile prof1

# Configure a peer ID with the identity type of FQDN and the value of www.test.com.

[Sysname-ike-profile-prof1] match remote identity fqdn www.test.com

# Configure a peer ID with the identity type of IP address and the value of 10.1.1.1.

[Sysname-ike-profile-prof1] match remote identity address 10.1.1.1

Related commands

local-identity