Configuring the IKEv2 Profile
An IKE profile is used in phase two of an initial exchange to determine the authentication profile to be applied to an incoming IKE
session. During a session, it also determines the choice of local identifier.
An IKE session has the following criteria:
• Unique IKE profile, set of local IP address, and remote IP address.
• Applies parameters to an incoming IPsec connection that is uniquely identified through its match identity criteria.
These IKE profile criteria are based on the IKE identity presented by incoming IKE connections, which include the IP address, fully
qualified domain name (FQDN), and other identities. Once the IKE profile is chosen, it can be used to protect a single VRF or all VRFs.
For an outgoing connection, the IKE profile is chosen based on the IPsec profile used by the VTI. The IKE policy is selected based on
the local IP address.
The following rules apply to match statements:
• An IKEv2 profile must contain an identity to match; otherwise, the profile is considered incomplete and is not used. An IKEv2
  profile can have more than one match identity.
• An IKEv2 VRF will match with the VTI base VRF.
• When a profile is selected, multiple match statements of the same type are logically ORed, and multiple match statements of
  different types are logically ANDed.
• Configuration of overlapping profiles is considered a misconfiguration. In the case of multiple profile matches, the first profile will
  be selected.
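The selection rules above, modelled in Python as an added illustration (not Brocade code): an incomplete profile is skipped, values of one identity type are ORed, different types are ANDed, and the first of several matching profiles wins while the overlap is flagged. The profile names, identity types and values are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class IkeProfile:
    """Constructed model of an IKEv2 profile and its match-identity statements."""
    name: str
    # identity type (address, fqdn, dn, email, key-id) -> set of accepted values
    match: dict = field(default_factory=dict)

    def is_complete(self) -> bool:
        # A profile with no match identity is incomplete and is never used.
        return any(self.match.values())

    def matches(self, identity: dict) -> bool:
        # Same type: OR across the accepted values (set membership).
        # Different types: AND, every configured type must be satisfied.
        if not self.is_complete():
            return False
        for id_type, accepted in self.match.items():
            if accepted and identity.get(id_type) not in accepted:
                return False
        return True


def matching_profiles(profiles, identity):
    """All complete profiles whose match criteria accept the presented identity."""
    return [p for p in profiles if p.matches(identity)]


def select_profile(profiles, identity):
    """Return (chosen profile or None, overlapping flag).

    The first matching profile is selected; more than one match means the
    profiles overlap, which the guide treats as a misconfiguration.
    """
    hits = matching_profiles(profiles, identity)
    if not hits:
        return None, False
    return hits[0], len(hits) > 1


# Constructed sample profiles; the identity passed in is the peer's presented
# IKE identity plus its address, as a dict of type -> value.
PROFILES = [
    IkeProfile("empty"),  # no match identity: incomplete, never selected
    IkeProfile("branch", {"fqdn": {"r1.example.com", "r2.example.com"},
                          "address": {"192.0.2.10"}}),
    IkeProfile("r1-only", {"fqdn": {"r1.example.com"}}),  # overlaps "branch"
]
```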
IKEv2 Option / Description

ikev2 profile <name>
    Defines an IKEv2 profile name and enters IKEv2 profile configuration mode.

description <description>
    (Optional) Description text for this profile.

authentication <authentication-proposal-name>
    Authentication proposal to be used with this IKE profile.

local_identifier { address <ipv4-address> | dn <dn-string> | fqdn <fqdn-string> | key-id <key-id-string> | email <email-string> }
    (Optional) Local system ID to be sent in the ID payload during negotiation. Allowed formats of this entry are as follows:
    • address is an IPv4 address.
    • dn is a Distinguished Name.
    • fqdn is a Fully Qualified Domain Name. For example, router1.example.com.
    • email is an E-mail ID. For example,
    • key-id is a Key ID.

remote-identifier { address <ipv4-address> | dn <dn-string> | fqdn <fqdn-string> | key-id <key-id-string> | email <email-string> }
    (Optional) Remote system ID that we want to communicate with. Allowed formats of this entry are as follows:
    • address is an IPv4 address.
    • dn is a Distinguished Name.
    • fqdn is a Fully Qualified Domain Name. For example, router1.example.com.
    • email is an E-mail ID. For example,
    • key-id is a Key ID.

keepalive <seconds>
    (Optional) Interval, in seconds, between the IKE Notify messages sent to query peer liveness and thus detect a
    dead peer. Enabled by default, with a default value of 30 seconds. The range is 0-3600 seconds; 0 means that
    keepalive is not enabled.

lifetime <minutes>
    (Optional) IKE SA lifetime in minutes. Default is 24 hours (1440 minutes). The range is 10-1440 minutes.

responder-only
    (Optional) In responder-only mode, this host acts as the responder and does not initiate negotiation or rekeying.
    Otherwise, this host also acts as an initiator; negotiation starts when the IKE peer is reachable. By default the router
    behaves as both initiator and responder.
Router modules
Brocade NetIron MLXe Series Hardware Installation Guide, page 50, 53-1004203-04