AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
match ike-identity

Function

The match ike-identity command references an identity filter set.

The undo match ike-identity command removes the referenced identity filter set.

By default, no identity filter set is referenced.

Format

match ike-identity identity-name

undo match ike-identity

Parameters

| Parameter | Description | Value |
|---|---|---|
| identity-name | Specifies the name of the identity filter set. | The value is an existing identity filter name. |

Views

IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

  1. During IKE negotiation, a device specifies the peer based on the identity filter set referenced in the policy template or IPSec profile.

    When the device functions as a responder, it can specify the peer allowed to connect to it to improve security.

  2. In an IPSec over DSVPN application, multiple mGRE tunnel interfaces are configured on the hub which provides only one IP address for spoke access. The mGRE tunnel interfaces use the same source address or source interface; therefore, the hub cannot identify IKE packets from different mGRE tunnel interfaces. To solve this problem, set parameters in the identity filter set to specify the mGRE tunnel interface of each IKE packet.

    For details about DSVPN, see DSVPN Configuration.

Prerequisites

An identity filter set with a specific identity-name has been created using the ike identity command.

Precautions

  • If you configure multiple IPSec policy templates and apply them to multiple interfaces on the same device, the parameters in the identity filter set referenced in different policy templates cannot be the same.
  • If you configure multiple IPSec profiles and apply them to multiple tunnel interfaces on the same device, the parameters in the identity filter set referenced in different IPSec profiles cannot be the same.

If a remote device matches one or more parameters in different identity filter sets on the local device, the access request of the remote device is denied.

Example

# Reference an identity filter set in the IPSec profile view.

<Huawei> system-view
[Huawei] ike identity identity1
[Huawei-ike-identity-identity1] name peer1
[Huawei-ike-identity-identity1] quit
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] match ike-identity identity1
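
The Prerequisites and Precautions above can be checked offline against a saved configuration before it is applied. The following Python script is an added example, not Huawei code: it assumes the indented section layout of a saved configuration file, treats every line inside an ike identity section as an opaque parameter, and runs on a constructed sample.

```python
import re
from itertools import combinations
# Constructed sample; the one-space indented section layout is an assumption.
SAMPLE = """\
ike identity identity1
 name peer1
#
ike identity identity2
 name peer1
#
ipsec profile profile1
 match ike-identity identity1
#
ipsec profile profile2
 match ike-identity identity2
#
ipsec profile profile3
 match ike-identity identity4
"""

# Section headers of interest; the policy-template header form is an assumption.
HEADER = re.compile(r"^(ike identity|ipsec profile|ipsec policy-template)\s+(.+)$")

def parse(config):
    """Return ({identity set: {parameter lines}}, {profile/template: identity set})."""
    sets, refs, kind, name = {}, {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):           # column 0: a new section starts
            m = HEADER.match(line.strip())
            kind, name = (m.group(1), m.group(2)) if m else (None, None)
            if kind == "ike identity":
                sets.setdefault(name, set())
        elif kind == "ike identity":
            sets[name].add(line.strip())        # each parameter kept as an opaque line
        elif kind and line.strip().startswith("match ike-identity "):
            refs[f"{kind} {name}"] = line.split()[-1]
    return sets, refs

def audit(config):
    """List violations of the Prerequisites and Precautions for match ike-identity."""
    sets, refs = parse(config)
    findings = [f"{owner}: identity filter set '{ident}' is not defined"
                for owner, ident in sorted(refs.items()) if ident not in sets]
    used = sorted((o, i) for o, i in refs.items() if i in sets)
    for (o1, i1), (o2, i2) in combinations(used, 2):
        if shared := sets[i1] & sets[i2]:       # same parameter reachable from two profiles
            findings.append(f"{o1} ({i1}) and {o2} ({i2}) share: {', '.join(sorted(shared))}")
    return findings
```

On the sample, `audit(SAMPLE)` reports that profile3 references an undefined identity filter set and that profile1 and profile2 reference sets sharing `name peer1`, the condition under which the remote device's access request is denied.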
Updated: 2019-05-29

Document ID: EDOC1000097293
