
certificate-request empty-payload enable

Function

The certificate-request empty-payload enable command configures a FW to send certificate requests with an empty payload.

The undo certificate-request empty-payload enable command restores the default configuration.

By default, certificate requests sent from the FW carry CA information in the payload.

Format

certificate-request empty-payload enable

undo certificate-request empty-payload enable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a FW acting as the headquarters gateway uses an IPSec policy configured using a policy template and authenticates branches by digital certificates, you can run the certificate-request empty-payload enable command to send certificate requests with an empty payload. This allows access from branches whose certificates are issued by different CAs. The FW can then perform certificate authentication based on the certificate information provided by each branch.

Precautions

Do not configure this command if access devices cannot process certificate request packets with an empty authentication and authorization field. Otherwise, IKE negotiation fails.
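When troubleshooting a failed negotiation, it helps to confirm from a packet capture whether the certificate request a peer received carried CA information or not. The following parser is an added example, not Huawei code; it assumes the IKEv2 Certificate Request payload layout from RFC 7296, section 3.7 (this page does not state the IKE version), and the sample bytes and helper names are constructed for illustration.

```python
import struct

# Assumption: IKEv2 CERTREQ layout (RFC 7296, section 3.7): a 4-byte generic
# payload header, a 1-byte Cert Encoding, then the Certification Authority
# field, which is a concatenation of 20-byte SHA-1 hashes of trusted CA keys.
CERT_ENCODINGS = {4: "X.509 Certificate - Signature"}  # subset of the registry
SHA1_LEN = 20


def parse_certreq(payload: bytes) -> dict:
    """Parse one CERTREQ payload and report whether its CA field is empty."""
    if len(payload) < 5:
        raise ValueError("CERTREQ payload shorter than header plus encoding byte")
    next_payload, flags, length = struct.unpack("!BBH", payload[:4])
    if length < 5 or length > len(payload):
        raise ValueError(f"bad payload length {length} for {len(payload)} bytes")
    encoding = payload[4]
    ca_field = payload[5:length]
    if len(ca_field) % SHA1_LEN:
        raise ValueError("CA field is not a whole number of SHA-1 hashes")
    hashes = [ca_field[i:i + SHA1_LEN].hex()
              for i in range(0, len(ca_field), SHA1_LEN)]
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "encoding": CERT_ENCODINGS.get(encoding, f"unknown ({encoding})"),
        "ca_hashes": hashes,
        "empty_ca_field": not hashes,
    }


def build_certreq(encoding: int, ca_hashes: list) -> bytes:
    """Hypothetical helper: build a constructed sample payload (next payload 0)."""
    body = bytes([encoding]) + b"".join(ca_hashes)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


# Constructed samples: two made-up CA key hashes versus an empty CA field.
SAMPLE_DEFAULT = build_certreq(4, [bytes([0xAA]) * 20, bytes([0xBB]) * 20])
SAMPLE_EMPTY = build_certreq(4, [])

if __name__ == "__main__":
    for name, raw in (("default", SAMPLE_DEFAULT), ("empty-payload", SAMPLE_EMPTY)):
        info = parse_certreq(raw)
        print(f"{name}: {len(raw)} bytes, encoding={info['encoding']}, "
              f"CAs={len(info['ca_hashes'])}, empty={info['empty_ca_field']}")
```

A request with an empty CA field is only the header plus the encoding byte, so a peer that insists on matching a listed CA has nothing to match against.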

Example

# Configure the FW to send certificate requests with an empty payload.

<sysname> system-view
[sysname] ike peer a20
[sysname-ike-peer-a20] certificate-request empty-payload enable
Copyright © Huawei Technologies Co., Ltd.