Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
remote-address (IKE peer view)

Function

The remote-address command configures an IP address or domain name for the remote IKE peer.

The undo remote-address command cancels the configuration.

By default, no IP address or domain name is configured for the remote IKE peer during IKE negotiation.

Format

remote-address [ vpn-instance vpn-instance-name ] { ip-address | host-name } [ track { nqa admin-name test-name | bfd-session session-name } { up | down } ]

undo remote-address [ ip-address | host-name ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vpn-instance vpn-instance-name | Specifies the name of the VPN instance that the remote peer belongs to. NOTE: Only the AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, and AR509GW-L-D-H support this parameter. | The value is an existing VPN instance name. |
| ip-address | Specifies the IP address of the remote IKE peer. | The value is an IPv4 address in dotted decimal notation. |
| host-name | Specifies the domain name of the remote IKE peer. | The value is an existing remote IKE peer domain name. |
| track | Specifies association between IKE and NQA or BFD. NOTE: Only the AR510 series, AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, and AR509GW-L-D-H support this parameter. | - |
| nqa admin-name test-name | Configures association between IKE negotiation and NQA so that the device can determine whether the remote address of the peer is valid according to the NQA test instance status. admin-name specifies the administrator name of an NQA test instance, and test-name specifies the name of an NQA test instance. NOTE: Only the AR510 series, AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, and AR509GW-L-D-H support this parameter. | The administrator name or name of an NQA test instance must have been created. |
| bfd-session session-name | Specifies association between IKE and BFD so that the peer address depends on the BFD session status. session-name specifies the name of the BFD session. NOTE: Only the AR510 series, AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, and AR509GW-L-D-H support this parameter. | The BFD session name must have been created. |
| up | Indicates that the local address is used as the peer address for negotiation when the NQA test instance or BFD session status is Up. NOTE: Only the AR510 series, AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, and AR509GW-L-D-H support this parameter. | - |
| down | Indicates that the local address is used as the peer address for negotiation when the NQA test instance or BFD session status is Down. NOTE: Only the AR510 series, AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, and AR509GW-L-D-H support this parameter. | - |

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The remote-address command configures an IP address or domain name for the remote IKE peer. If the domain name is configured for the remote IKE peer, the IP address of the remote IKE peer is obtained in either of the following modes:
  • Static mode: The IP address of the remote IKE peer is obtained based on the mapping between the domain name and IP address.
  • Dynamic mode: The IP address of the remote IKE peer is obtained from the DNS server.

To improve network reliability, two devices can be deployed at the headquarters to connect to the branch gateway. In an IPSec policy, two IP addresses or domain names of the remote IKE peer can be configured on the branch gateway. The branch gateway first attempts to use the first configured IP address or domain name to establish an IKE connection with the headquarters gateway. If establishing an IKE connection fails or the dead peer detection (DPD) fails, the branch gateway uses the second IP address or domain name to establish an IKE connection.

When two IP addresses are configured and the IP address of the first IKE peer is unreachable, the branch gateway uses the second IP address to establish an IKE connection only after establishing an IKE connection fails or the dead peer detection (DPD) fails. This takes a long time. To reduce the time required and determine the validity of the IKE peer address in real time, configure association between IKE negotiation and NQA or BFD to detect the link status and check the validity of the IKE peer address based on the detection result.

NOTE:
You can configure this command twice in the same view.

Prerequisites

  • The VPN instance has been created using the ip vpn-instance command and the route distinguisher (RD) has been configured for the VPN instance using the route-distinguisher command if vpn-instance vpn-instance-name is specified.
  • An NQA test instance has been created using the nqa command and the NQA test instance type has been set to ICMP using the test-type command if nqa admin-name test-name is specified.
  • A BFD session has been created using the bfd bind peer-ip command and the local and remote discriminators of the BFD session have been set using the discriminator command if bfd-session session-name is specified.

Precautions

  • If the local device functions as the initiator, run the remote-address command so that the initiator can use this address to search for the responder. Because both ends may be the initiator, run the remote-address command at both ends. The remote-address command is not required when the IKE peer functions as the responder and uses an IPSec policy template to establish an IPSec policy.

  • You do not need to specify local-address or remote-address for an IKE peer referenced by an IPSec profile. During IKE negotiation, the IPSec profile uses the source and destination addresses of the IPSec tunnel interface.
  • When an IPSec tunnel is set up using an IPSec tunnel interface, the destination address of the IPSec tunnel interface configured by the destination command is preferentially used as the remote address for IKE negotiation.
  • The remote IP address (remote-address) at the local end must be the same as the local IP address (local-address) at the remote end.

Example

# Assign IP address 10.1.1.1 to the remote IKE peer.

<Huawei> system-view
[Huawei] ike peer huawei v1 
[Huawei-ike-peer-huawei] remote-address 10.1.1.1

# Set the domain name of the remote IKE peer to mypeer.

<Huawei> system-view
[Huawei] ike peer huawei v1
[Huawei-ike-peer-huawei] remote-address mypeer

# Configure association between the IKE peer huawei and NQA and specify IP address 10.1.1.1 as the peer address for IKE negotiation when the NQA test instance (administrator name admin and instance name test) status is Up.

<Huawei> system-view
[Huawei] nqa test-instance admin test
[Huawei-nqa-admin-test] test-type icmp
[Huawei-nqa-admin-test] destination-address ipv4 10.1.1.1
[Huawei-nqa-admin-test] quit
[Huawei] ike peer huawei v1
[Huawei-ike-peer-huawei] remote-address 10.1.1.1 track nqa admin test up

# Configure association between the IKE peer huawei and BFD and use the IP address 10.1.1.2 as the peer address for IKE negotiation when the status of the BFD session test is Up.

<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[Huawei-GigabitEthernet0/0/1] quit
[Huawei] bfd
[Huawei-bfd] quit
[Huawei] bfd test bind peer-ip 10.1.1.2 interface gigabitethernet 0/0/1
[Huawei-bfd-session-test] discriminator local 10
[Huawei-bfd-session-test] discriminator remote 20
[Huawei-bfd-session-test] quit
[Huawei] ike peer huawei v1
[Huawei-ike-peer-huawei] remote-address 10.1.1.2 track bfd-session test up
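
An added example, not part of Huawei's documentation: a Python check that parses remote-address lines with the grammar from the Format section and reports tracked addresses whose NQA or BFD prerequisites (listed under Prerequisites) are missing. The function names are hypothetical, and the input is assumed to be configuration text with sub-commands indented under the command that opens their view.

```python
import re

# Grammar copied from the Format line on this page.
REMOTE = re.compile(r"remote-address(?: vpn-instance (?P<vpn>\S+))? (?P<addr>\S+)"
                    r"(?: track (?:nqa (?P<admin>\S+) (?P<test>\S+)|bfd-session (?P<bfd>\S+))"
                    r" (?P<state>up|down))?$")

def parse_views(config):
    """Map each top-level command to the indented sub-commands in its view."""
    views, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif raw.strip() not in ("", "#"):
            current = views.setdefault(raw.strip(), [])
    return views

def problems(m, views):
    """Yield each prerequisite listed on this page that a tracked address fails."""
    if m["admin"]:
        nqa = views.get(f"nqa test-instance {m['admin']} {m['test']}")
        if nqa is None:
            yield "NQA test instance not created"
        elif "test-type icmp" not in nqa:
            yield "NQA test type is not ICMP"
    if m["bfd"]:
        bfd = next((b for h, b in views.items() if h.startswith(f"bfd {m['bfd']} bind peer-ip ")), None)
        if bfd is None:
            yield "BFD session not created"
        elif {c.split()[1] for c in bfd if c.startswith("discriminator ")} != {"local", "remote"}:
            yield "BFD discriminators not set"

def audit(config):
    """Return (peer, address, problem) for every unmet prerequisite."""
    views = parse_views(config)
    return [(head.split()[2], m["addr"], p) for head, body in views.items()
            if head.startswith("ike peer ") for m in filter(None, map(REMOTE.match, body))
            for p in problems(m, views)]

# Constructed sample; the BFD session lacks its remote discriminator.
SAMPLE = """\
nqa test-instance admin test
 test-type icmp
bfd test bind peer-ip 10.1.1.2 interface GigabitEthernet0/0/1
 discriminator local 10
ike peer huawei v1
 remote-address 10.1.1.1 track nqa admin test up
 remote-address 10.1.1.2 track bfd-session test up
"""
```

Running audit(SAMPLE) flags only the BFD-tracked address, because the sample BFD session has a local discriminator but no remote one.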
Updated: 2019-02-18

Document ID: EDOC1000097293
