Tip

This is the documentation for the v21.03 version. Looking for the documentation of the latest version? Have a look here.

IKE Identity

In IKE, each party must ensure it is communicating with the correct peer. One aspect of this validation is the identity information included in IKE. Each router tells the other its own local identity and they each validate it against the stored remote identity. If they do not match, the peer is rejected.

From within config-ipsec-crypto-ike mode, use the identity local and identity remote commands to configure local and remote identity information. In either case, the identity command enters config-ike-identity mode.

IKE requires both local and remote identities. The local identity is sent to the remote peer during the exchange. The remote identity is used to validate the identity received from the peer during the exchange.

In config-ike-identity, the following commands are available:

type <name>:

Sets the type of identity value. The following types are available:

address:

IPv4 or IPv6 address in the standard notation for either (e.g. 192.0.2.3 or 2001:db8:1:2::3)

This is the most common type, with the value set to the address on TNSR used as the local-address for the IPsec tunnel.

dn:

An X.509 distinguished name (e.g. certificate subject)

email:

Email address (e.g. user@example.com).

fqdn:

A fully qualified domain name (e.g. host.example.com)

key-id:

An arbitrary string used as an identity

none:

Automatically interpret the type based on the value

value <text>:

The identity value, in a format corresponding to the chosen type.

Note

The local identity type and value must both be supplied to the administrator of the remote peer so that it can properly identify this endpoint.

Identity Example

First configure the local identity of this firewall. The identity is an IP address, using the same value as the local address of the IPsec tunnel.

tnsr(config-ipsec-crypto-ike)# identity local
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.2
tnsr(config-ike-identity)# exit

Next, configure the remote identity. The remote peer has also chosen to use an IP address, the value of which is the remote address used for the IPsec tunnel.

tnsr(config-ipsec-crypto-ike)# identity remote
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.25
tnsr(config-ike-identity)# exit