Tip
This is the documentation for the 21.07 version. Looking for the documentation of the latest version? Have a look here.
IKE Identity¶
In IKE, each party must ensure it is communicating with the correct peer. One aspect of this validation is the identity information included in IKE. Each router tells the other its own local identity and they each validate it against the stored remote identity. If they do not match, the peer is rejected.
From within config-ipsec-crypto-ike
mode, use the identity local
and
identity remote
commands to configure local and remote identity information.
In either case, the identity
command enters config-ike-identity
mode.
IKE requires both local and remote identities. The local identity is sent to the remote peer during the exchange. The remote identity is used to validate the identity received from the peer during the exchange.
In config-ike-identity
, the following commands are available:
- type <name>:
Sets the type of identity value. The following types are available:
- address:
IPv4 or IPv6 address in the standard notation for either (e.g.
192.0.2.3
or2001:db8:1:2::3
)This is the most common type, with the value set to the address on TNSR used as the
local-address
for the IPsec tunnel.- dn:
An X.509 distinguished name (e.g. certificate subject)
- email:
Email address (e.g.
user@example.com
).- fqdn:
A fully qualified domain name (e.g.
host.example.com
)- key-id:
An arbitrary string used as an identity
- none:
Automatically interpret the type based on the value
- value <text>:
The identity value, in a format corresponding to the chosen
type
.
Note
The local identity type and value must both be supplied to the administrator of the remote peer so that it can properly identify this endpoint.
Identity Example¶
First configure the local identity of this firewall. The identity is an IP address, using the same value as the local address of the IPsec tunnel.
tnsr(config-ipsec-crypto-ike)# identity local
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.2
tnsr(config-ike-identity)# exit
Next, configure the remote identity. The remote peer has also chosen to use an IP address, the value of which is the remote address used for the IPsec tunnel.
tnsr(config-ipsec-crypto-ike)# identity remote
tnsr(config-ike-identity)# type address
tnsr(config-ike-identity)# value 203.0.113.25
tnsr(config-ike-identity)# exit