Perform this task to configure the IKEv2 key ring if the local or remote
authentication method is a preshared key.
IKEv2 key ring keys must be configured in the peer configuration submode, which
defines a peer subblock. An IKEv2 key ring can contain multiple peer subblocks. A
peer subblock holds either a single symmetric preshared key or an asymmetric pair
of local and remote keys for one peer or for a peer group, where the peer or group
is identified by any combination of hostname, IKEv2 identity, and IP address (an
address with a mask identifies a group).
IKEv2 key rings are independent of IKEv1 key rings. The key differences are as
follows:
- IKEv2 key rings support symmetric and asymmetric preshared keys.
- IKEv2 key rings do not support Rivest, Shamir, and Adleman (RSA) public
  keys.
- IKEv2 key rings are referenced from the IKEv2 profile and are not looked up.
  In IKEv1, the key ring is looked up on receipt of the first Main Mode
  message (MM1) so that the preshared key authentication method can be
  negotiated; in IKEv2 the authentication method is not negotiated, so the
  key ring in use is simply the one the matching profile refers to.
- IKEv2 key rings are not associated with a VPN routing and forwarding (VRF)
  instance during configuration. The VRF of an IKEv2 key ring is the VRF of
  the IKEv2 profile that refers to the key ring.
- Only one key ring can be specified in an IKEv2 profile, unlike an IKEv1
  profile, which can specify multiple key rings.
- A single key ring can be specified in more than one IKEv2 profile if the
  same keys are shared across peers that match different profiles.
- An IKEv2 key ring is structured as one or more peer subblocks.
On an IKEv2 initiator, the IKEv2 key ring key lookup is performed using the peer’s
hostname or the address, in that order. On an IKEv2 responder, the key lookup is
performed using the peer’s IKEv2 identity or the address, in that order.
Note: You cannot configure the same identity in more than one peer subblock.
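The following key ring and profile, as an added example that is not taken from this guide, put the rules above into one configuration: a symmetric peer, an asymmetric peer, and an address-based peer group, all referenced by a single profile. The key ring and profile names, hostnames, identities, addresses and key strings are placeholders chosen for illustration.

```cisco
! Added example; names, addresses, identities and keys are placeholders.
!
! Store preshared keys as type 6 (AES) instead of type 0 (plaintext in
! the running-config). Both commands are needed.
key config-key password-encrypt CHANGE-THIS-MASTER-PASSPHRASE
password encryption aes
!
crypto ikev2 keyring KR-BRANCHES
 ! Peer 1: one symmetric key. As initiator this router finds the block
 ! by hostname, then by address; as responder it finds the block by the
 ! peer's IKEv2 identity (IDi), then by address. A NATted branch that
 ! presents identity branch1.example.com still matches this block.
 peer branch1
  description Branch 1 router, symmetric PSK
  hostname branch1.example.com
  identity fqdn branch1.example.com
  address 192.0.2.10 255.255.255.255
  pre-shared-key 0 Br4nch1-Sh4r3d-S3cr3t
 !
 ! Peer 2: asymmetric keys. "local" is the key THIS router uses to build
 ! its own AUTH payload; "remote" is the key used to verify the peer's
 ! AUTH payload. The branch must hold the mirror image (its local key is
 ! this router's remote key, and vice versa).
 peer branch2
  description Branch 2 router, asymmetric PSK
  identity email branch2@example.com
  address 198.51.100.20 255.255.255.255
  pre-shared-key local 0 Hub-To-Branch2-S3cr3t
  pre-shared-key remote 0 Branch2-To-Hub-S3cr3t
 !
 ! Peer group: a responder-side lookup that matches none of the
 ! identities above falls through to address matching, so every spoke
 ! in this subnet shares one key. Weakest option in the key ring: one
 ! compromised spoke exposes the key for all of them.
 peer spokes-subnet
  description Legacy spokes, group PSK
  address 203.0.113.0 255.255.255.0
  pre-shared-key 0 Sp0ke-Gr0up-S3cr3t
!
crypto ikev2 profile PROF-BRANCHES
 match identity remote fqdn domain example.com
 match identity remote email domain example.com
 match identity remote address 203.0.113.0 255.255.255.0
 identity local fqdn hub.example.com
 authentication local pre-share
 authentication remote pre-share
 ! Exactly one key ring per profile; the key ring inherits this
 ! profile's VRF, it carries none of its own.
 keyring local KR-BRANCHES
```

Two checks worth doing after entering this: `show running-config | section crypto ikev2 keyring` should show the keys as type 6 (`pre-shared-key 6 ...`) rather than type 0, and each peer subblock must carry a distinct `identity`, because the responder-side lookup is keyed on identity first and the same identity cannot appear in more than one peer subblock.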