match remote
Use match remote to configure a peer ID that an IKEv2 profile matches.
Use undo match remote to delete a peer ID that an IKEv2 profile matches.
Syntax
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask |mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
Default
No matching peer ID is configured for the IKEv2 profile.
Views
IKEv2 profile view
Predefined user roles
network-admin
mdc-admin
Parameters
certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2 profile matching. The policy-name argument specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified information is configured on the peer by using the identity local command.
address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32.
address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.
address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKEv2 profile matching. The value range for the prefix-length argument is 0 to 128.
address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.
fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
email email-string: Uses peer's email address as the peer ID for IKEv2 profile matching. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as sec@abc.com.
key-id key-id-string: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.
Usage guidelines
The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation.
If the device has the match remote, match vrf, and match local address commands configured, it uses the IKEv2 profile that matches all the criteria configured by the commands.
To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, which IKEv2 profile is selected for IKEv2 negotiation is unpredictable.
You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a higher priority.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view [Sysname] ikev2 profile profile1
# Configure the IKEv2 profile to match the peer ID that is FQDN name www.test.com.
[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com
# Configure the IKEv2 profile to match the peer ID that is IP address 10.1.1.1.
[Sysname-ikev2-profile-profile1]match remote identity address 10.1.1.1
Related commands
identity local
match local address
match vrf