How to modify the local IP address of the IPSec IKE peer on the USG2100

The local IP address of the IKE peer is bound to the address of the interface to which the IPSec policy is applied. Modifying that interface's IP address is how you modify the local IP address of the IKE peer.
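To make the binding described in the answer concrete, here is an added example (not part of the original answer and not Huawei code) that resolves an IKE peer's local address from a VRP-style configuration dump: it follows ike-peer references from ipsec policy blocks to the interfaces on which those policies are applied and returns their ip address lines. The sample configuration is constructed for the example, and the command forms it contains (ike-proposal, security acl, proposal, ipsec policy ... isakmp, interface ip address) are assumed rather than taken from this page; only remote-address, ike proposal and sa duration appear in the answers here.

```python
"""Resolve the local IKE address of a USG IKE peer from its configuration.

Added example: the local address is not configured on the IKE peer itself;
it is the IP of whichever interface applies an IPSec policy referencing it.
"""
from collections import defaultdict

# Constructed sample configuration (not captured from a real device).
# Command syntax beyond remote-address / ike proposal / sa duration is assumed.
SAMPLE_CONFIG = """\
#
ike proposal 10
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha2-256
 dh group14
 sa duration 3600
#
ike peer peer1
 ike-proposal 10
 remote-address 202.38.0.1
#
ike peer peer2
 ike-proposal 10
 remote-address 198.51.100.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal prop1
#
interface GigabitEthernet0/0/1
 ip address 202.38.0.2 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet0/0/2
 ip address 192.0.2.1 255.255.255.0
#
"""


def parse_config(text):
    """Return (peer -> policies referencing it, policy -> interfaces applying it,
    interface -> IPv4 address) from a VRP-style configuration dump."""
    peer_policies = defaultdict(set)
    policy_ifaces = defaultdict(set)
    iface_ip = {}
    block = None  # (kind, name) of the unindented block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":          # '#' terminates a block
            block = None
            continue
        words = line.split()
        if not raw.startswith(" "):          # unindented line opens a block
            if words[:2] == ["ipsec", "policy"] and len(words) >= 3:
                block = ("policy", words[2])
            elif words[0] == "interface" and len(words) >= 2:
                block = ("interface", words[1])
            else:
                block = ("other", line)
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "policy" and words[:1] == ["ike-peer"] and len(words) == 2:
            peer_policies[words[1]].add(name)
        elif kind == "interface":
            if words[:2] == ["ip", "address"] and len(words) >= 4:
                iface_ip[name] = words[2]
            elif words[:2] == ["ipsec", "policy"] and len(words) >= 3:
                policy_ifaces[words[2]].add(name)
    return peer_policies, policy_ifaces, iface_ip


def ike_peer_local_addresses(text, peer):
    """Local IKE address(es) of `peer`: the IP of every interface on which an
    IPSec policy referencing that peer is applied. An empty list means the
    peer is not yet bound to any interface address."""
    peer_policies, policy_ifaces, iface_ip = parse_config(text)
    addrs = set()
    for policy in peer_policies.get(peer, ()):
        for iface in policy_ifaces.get(policy, ()):
            if iface in iface_ip:
                addrs.add(iface_ip[iface])
    return sorted(addrs)


def set_interface_ip(text, iface, new_ip, mask):
    """Return a copy of the config with the 'ip address' line of `iface` replaced,
    which is the only change needed to move the IKE peer's local address."""
    out, inside = [], False
    for raw in text.splitlines():
        if not raw.startswith(" "):
            inside = raw.split()[:2] == ["interface", iface]
        if inside and raw.split()[:2] == ["ip", "address"]:
            raw = f" ip address {new_ip} {mask}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("peer1 local:", ike_peer_local_addresses(SAMPLE_CONFIG, "peer1"))
    moved = set_interface_ip(SAMPLE_CONFIG, "GigabitEthernet0/0/1",
                             "202.38.0.3", "255.255.255.0")
    print("peer1 local after interface change:",
          ike_peer_local_addresses(moved, "peer1"))
```

Run against the sample, peer1 resolves to 202.38.0.2 through map1 on GigabitEthernet0/0/1; after the interface address is changed it resolves to 202.38.0.3 without any edit to the ike peer block, and peer2, which no applied policy references, has no local address at all.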

Other related questions:
Changing the peer IP address of IPSec VPN on the firewall
Changing the peer IP address of IPSec VPN on the USG

1. Configuration method

The remote-address command specifies the IKE peer address or address range.

  remote-address { low-ip-address [ high-ip-address ] | ip-pool pool-number | authentication-address low-ip-address [ high-ip-address ] | vpn-instance vpn-instance-name low-ip-address [ high-ip-address ] }
  undo remote-address [ authentication-address | ip-pool ]

Parameter description
ip-pool: To assign an IP address from the local end to the peer end (for example, an AP device), configure the address pool at the local end and assign an IP address to the peer end.
authentication-address: In a NAT traversal scenario, to use the IP address for authentication, configure the authentication-address parameter to specify the pre-NAT address or address range.
vpn-instance: Specifies the VPN instance and interface IP address of the tunnel in a multi-instance configuration.

Notes
a) If no high-ip-address is specified in the command, only one address is configured for the IKE peer.
b) When the IKE peer is referenced by an IPSec policy template, the remote-address command is optional. When the IKE peer is referenced by an IPSec policy, remote-address is mandatory.
c) If the peer address is configured as an address segment, the IKE peer can be referenced only by an IPSec policy template.
d) When the IKE peer is referenced by an IPSec policy or IPSec policy template, you cannot run the remote-address command to modify the peer IP address of the IKE peer.

2. Example

  system-view
  [sysname] ike peer peer1
  [sysname-ike-peer-peer1] remote-address 202.38.0.1 //Set the IP address of the IKE peer peer1 to 202.38.0.1.

Method used to modify the IKE algorithm on AR series routers
Huawei AR series routers can be configured with the IKE authentication and encryption algorithms. The configuration procedure is as follows:
1. Run the ike proposal proposal-number command to create an IKE proposal and enter the IKE proposal view.
2. Run the authentication-algorithm { aes-xcbc-mac-96 | md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 } command to configure an authentication algorithm for the IKE proposal.
   Starting from V200R002C00, the AR supports aes-xcbc-mac-96. Starting from V200R005C10, the AR supports SHA2-256, SHA2-384, and SHA2-512. Starting from V200R005C00, the AR supports SM3, but the NE16EX series does not support SM3.
   It is recommended that you do not use MD5 or SHA-1. Otherwise, security requirements cannot be met.
3. Run the encryption-algorithm { des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | sm4 } command to configure an encryption algorithm for the IKE proposal.
   Starting from V200R005C90, the AR supports SM4.
   It is recommended that you do not use DES-CBC or 3DES-CBC. Otherwise, security requirements cannot be met.

Configuring the IKE DPD on the firewall
Configure the IPSec SA lifetime on the USG. Configure the IPSec VPN SA lifetime.

1. Configure the IKE SA hard lifetime. You can configure a per-SA IKE lifetime, but cannot configure a global IKE lifetime.
  system-view //Access the system view.
  ike proposal proposal-number //Access the IKE proposal view.
  sa duration seconds //Configure the IKE SA hard lifetime.
Notes for configuring the IKE SA lifetime:
a) If the hard lifetime expires, the IKE SA is deleted and re-negotiated. The IKE negotiation involves DH calculation and may take a long time. To ensure secure communications, you are advised to set the lifetime to a value larger than 600 seconds.
b) When the soft lifetime expires, a new SA is negotiated to replace the original SA. Before the new SA is negotiated, the original SA is still in use. After the new SA is established, the new SA is used, and the original SA is automatically deleted when the hard lifetime expires. The default IKE SA hard lifetime is 86,400 seconds (one day).

2. Configure the IKE SA soft lifetime.
  system-view //Access the system view.
  ike peer peer-name //Access the IKE peer view.
  sa soft-duration time-based buffer seconds //Configure the IKE SA soft lifetime. The configuration applies only to IKEv1.
a) By default, the soft lifetime is 9/10 of the hard lifetime. When the soft lifetime expires, a new SA is negotiated to replace the original SA.
b) If the soft lifetime is specified and the hard lifetime is greater than the soft lifetime by more than 10 s, the specified soft lifetime applies; otherwise, the default soft lifetime applies.

display ike proposal //Display the configured IKE SA hard lifetime.

[USG] display ike proposal
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
-------------------------------------------------------------------------------
10        PRE_SHARED      MD5             DES_CBC     MODP_768        5000
default   PRE_SHARED      SHA1            AES_CBC     MODP_1024       86400

display ike peer [ brief | name peer-name ] //Display the configured IKE SA soft lifetime.

[USG] display ike peer name b
--
IKE peer: b
 Exchange mode: main on phase 1
 Pre-shared key: %$%$biLQ*117FHI`Qe&-VY`>l%yp%$%$
 Local certificate file name:
 Proposal: 10
 Local ID type: IP
 Peer IP address: 202.38.169.1
 VPN instance:
 Authentic IP address:
 IP address pool:
 Peer name:
 Peer domain name:
 VPN instance bound to the SA:
 NAT traversal: enable
 SA soft timeout buffer time: 22 seconds
 OCSP check: disable
 OCSP server URL:
 Applied to 1 policy: ppp1-1-isakmp
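The AR answer above advises against MD5, SHA-1, DES-CBC and 3DES-CBC, and the USG lifetime answer advises an IKE SA hard lifetime larger than 600 seconds. The added example below (not from the original answers and not Huawei code) applies both pieces of advice to the output of display ike proposal: it parses the table rows and reports every proposal that still uses one of the discouraged algorithms or a lifetime of 600 seconds or less. The sample output is constructed in the layout shown above; the "20" row and its algorithm names are assumptions added to exercise the lifetime check, and applying the AR algorithm guidance to USG output is itself an assumption of the example.

```python
"""Audit `display ike proposal` output for settings the answers above advise against.

Added example. Checks, taken from the answers on this page:
  - authentication algorithm MD5 or SHA1 is not recommended
  - encryption algorithm DES_CBC or 3DES_CBC is not recommended
  - IKE SA hard lifetime should be larger than 600 seconds
"""

# Constructed sample in the layout of the output shown above. The priority-20
# row is an assumption added to exercise the lifetime check.
SAMPLE_OUTPUT = """\
[USG] display ike proposal
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
-------------------------------------------------------------------------------
10        PRE_SHARED      MD5             DES_CBC     MODP_768        5000
20        PRE_SHARED      SHA2_256        AES_CBC     MODP_2048       300
default   PRE_SHARED      SHA1            AES_CBC     MODP_1024       86400
"""

WEAK_AUTH = {"MD5", "SHA1"}
WEAK_ENC = {"DES_CBC", "3DES_CBC"}
MIN_LIFETIME = 600  # seconds; the answer advises a value larger than this


def parse_ike_proposals(text):
    """Parse table rows into dicts. Header, separator and echo lines are skipped
    because only data rows have six columns ending in a numeric duration."""
    proposals = []
    for line in text.splitlines():
        words = line.split()
        if len(words) != 6 or not words[5].isdigit():
            continue
        priority, method, auth, enc, dh, duration = words
        proposals.append({"priority": priority, "method": method, "auth": auth,
                          "enc": enc, "dh": dh, "duration": int(duration)})
    return proposals


def audit_ike_proposals(text):
    """Return {priority: [finding, ...]} for every proposal that violates the advice."""
    findings = {}
    for p in parse_ike_proposals(text):
        issues = []
        if p["auth"] in WEAK_AUTH:
            issues.append(f"authentication algorithm {p['auth']} is not recommended")
        if p["enc"] in WEAK_ENC:
            issues.append(f"encryption algorithm {p['enc']} is not recommended")
        if p["duration"] <= MIN_LIFETIME:
            issues.append(f"IKE SA hard lifetime {p['duration']}s is not larger than {MIN_LIFETIME}s")
        if issues:
            findings[p["priority"]] = issues
    return findings


if __name__ == "__main__":
    for priority, issues in audit_ike_proposals(SAMPLE_OUTPUT).items():
        for issue in issues:
            print(f"proposal {priority}: {issue}")
```

Paste the real output of display ike proposal in place of the constructed sample; the parser keys on the six-column data rows, so the header lines and the command echo do not need to be stripped first.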

How to change the host IP address
To change the host IP address, run the config system hostip command.

Method used to view the IKE peer information on USG firewalls
The common IPSec maintenance command used on USG firewalls is as follows:
  display ike peer //Display the configuration of the IKE peer.
