remote-address (IKE peer view)
Function
The remote-address command configures an IP address or domain name for the remote IKE peer during IKE negotiation.
The undo remote-address command cancels the configuration.
By default, no IP address or domain name is configured for the remote IKE peer during IKE negotiation.
Usage Guidelines
Usage Scenario
The remote address used in IKE negotiation can be of two types: IP address or domain name.
When the configured remote address is an IP address and the remote gateway IP address is fixed, set remote-address to a fixed IP address. When an IPSec policy template is used and the remote gateway address is not fixed, set remote-address to an IP address segment.
When a domain name is configured as the remote address, the device obtains the remote address in either of the following modes:
- Static mode: The device obtains the remote address based on the manually configured mapping between the domain name and IP address.
- Dynamic mode: The device obtains the remote address from the DNS server.
To improve network reliability, the headquarters provides four devices for branch gateways to access. In an IPSec policy, two remote IP addresses or domain names of the IKE peer can be configured on the branch gateway. The branch gateway attempts to use the first IP address or domain name to establish an IKE connection with the headquarters gateway. If the connection fails, the branch gateway uses the second IP address or domain name to establish an IKE connection, and so on.
Precautions
When an IPSec policy is used, if the local device functions as the initiator, run the remote-address command so that the initiator can use this address to search for the responder. Because both ends may be the initiator, run the remote-address command at both ends. The remote-address command is not required when the IKE peer functions as the responder and uses an IPSec policy template to establish an IPSec policy.
You do not need to specify tunnel local (the local address) for an IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE or IPSec virtual tunnel interface. For an IKE peer referenced in an IPSec profile, tunnel local does not take effect.
When an IPSec profile is used, the destination address of the IPSec tunnel interface configured using the destination command is preferentially used as the remote address for IKE negotiation. When the remote-address and destination commands are configured at the same time, ensure that the configured IP addresses are the same; otherwise, IKE negotiation will fail. To implement IKE peer redundancy, do not configure the destination command on the IPSec tunnel interface. Instead, configure the remote-address command on the IKE peer referenced by the IPSec profile.
The remote IP address (remote-address) at the local end must be the same as the local IP address (local-address) at the remote end.
- If more than one remote IP address or domain name is configured, the specified vpn-instance-name must be the same.
- If multiple remote IP addresses are configured, the device with redundant addresses must function as the IKE negotiation initiator.
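The precautions above can be checked before deployment. The following is an added example, not code from the device documentation: a Python audit over a structured description of one end's IKE peer settings. The dictionary keys, finding names and sample addresses are assumptions made for illustration and are not device syntax.

```python
import ipaddress

def _ip(value):
    """Return an ip_address object, or None for a domain name or segment."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def audit_ike_peer(peer, remote_local_addresses):
    """Check one end's IKE peer settings against the precautions above.

    peer keys (hypothetical field names, not device syntax):
      remote_addresses: list of (address_or_domain, vpn_instance_or_None)
      destination:      tunnel interface destination (IPSec profile), or None
      initiator:        True if this end starts IKE negotiation
    remote_local_addresses: local-address values configured on the far end(s).
    """
    findings = []
    entries = peer["remote_addresses"]
    ips = [ip for ip in (_ip(a) for a, _ in entries) if ip is not None]
    far_end = {_ip(a) for a in remote_local_addresses}

    # remote-address here must equal local-address on the remote end.
    for ip in ips:
        if ip not in far_end:
            findings.append(f"no-matching-local-address:{ip}")

    # With an IPSec profile, destination is preferred; a differing
    # remote-address makes IKE negotiation fail.
    dest = peer.get("destination")
    if dest is not None and any(ip != _ip(dest) for ip in ips):
        findings.append("destination-mismatch")

    # All remote addresses or domain names must share one VPN instance.
    if len({vpn for _, vpn in entries}) > 1:
        findings.append("vpn-instance-mismatch")

    # Read here as: the end holding several remote IP addresses must initiate.
    if len(ips) > 1 and not peer["initiator"]:
        findings.append("redundant-peer-not-initiator")
    return findings

# Constructed sample: a branch gateway with two headquarters addresses.
BRANCH = {"remote_addresses": [("192.0.2.1", "vpn1"), ("192.0.2.2", "vpn1")],
          "destination": None, "initiator": True}
HQ_LOCAL = ["192.0.2.1", "192.0.2.2"]

if __name__ == "__main__":
    print(audit_ike_peer(BRANCH, HQ_LOCAL))
```

Domain names and address segments are skipped by the address comparisons, because they cannot be matched against a single local-address without resolution.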