
(Optional) Configuring IKEv1+xAuth Authentication

Context

To improve the security of IKE peer access, you can enable IKEv1 extended authentication (IKEv1+xAuth authentication) on the receiver of IKE negotiation. When IKE SA negotiation is complete, the receiver initiates IKEv1 extended authentication. If IKEv1 extended authentication succeeds, IPSec SA negotiation starts. If IKEv1 extended authentication fails, IKE negotiation is stopped.

  • After IKEv1+xAuth authentication is configured, the device does not support RADIUS dynamic authorization.

  • In IKEv1+xAuth authentication, if an SPU is inserted into or removed from a device, the IPSec tunnel will be torn down, causing service interruption.
  • IPSec IPv6 does not support IKEv1+xAuth authentication.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ike peer peer-name

    An IKE peer is created and the IKE peer view is displayed.

  3. Run xauth enable [ non-strict ]

    IKEv1 extended authentication is enabled.

    By default, IKEv1 extended authentication is disabled.

    After non-strict is specified, a client with extended authentication capabilities connects to the network through IKEv1 extended authentication, and a client without extended authentication capabilities connects using a mode other than IKEv1 extended authentication. If IKEv1 extended authentication is disabled on a client that requires IKEv1 extended authentication, the client can still connect to the network through a mode other than IKEv1 extended authentication. This mode has security risks. You can configure the device not to perform IKEv1 extended authentication for IKE users in the IKE user table.

  4. Run xauth type { chap | pap }

    An IKEv1 extended authentication mode is configured.

    By default, the IKEv1 extended authentication mode is chap.

    When Password Authentication Protocol (PAP) authentication is used, passwords are transmitted in plain text on a network, causing security risks. Challenge Handshake Authentication Protocol (CHAP) authentication is recommended to improve security.

  5. (Optional) Configure the device not to perform IKEv1 extended authentication for IKE users.

    In a point-to-multipoint scenario, the device functions as the headquarters gateway, an IPSec policy is created using an IPSec policy template, and the gateway receives IPSec connection setup requests from different branches. When IKEv1 extended authentication is enabled for IKE peers, every branch that connects to the headquarters must pass IKEv1 extended authentication: a branch can establish an IPSec tunnel with the headquarters only after it is successfully authenticated. If a branch does not support IKEv1 extended authentication, it cannot establish an IPSec tunnel with the headquarters. To address this issue, perform this step so that IKEv1 extended authentication is not performed for those branches.

    1. Run quit

      Return to the system view.

    2. Run ike user-table user-table-id

      An IKE user table is created and its view is displayed, or the view of an existing IKE user table is displayed directly.

    3. Run user user-name

      An IKE user is created and its view is displayed, or the view of an existing IKE user is displayed directly.

    4. Run no-xauth enable

      The device is configured not to perform IKEv1 extended authentication for IKE users.

      By default, the configuration of IKEv1 extended authentication of an IKE user is the same as that of an IKE peer.

    5. Run quit

      Return to the IKE user table view.

    6. Run quit

      Return to the system view.

    7. Run ike peer peer-name

      The IKE peer view is displayed.

    8. Run user-table user-table-id

      The IKE user table is referenced in the IKE peer.
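The procedure above, carried through as one configuration transcript. This is an added example, not from the Huawei documentation: it keeps strict IKEv1 extended authentication with CHAP on the headquarters peer and exempts a single branch that cannot perform xAuth. The peer name hq-branches, user table ID 1 and user name branch-legacy are placeholders; the rest of the IKE peer and IPSec policy template setup is not shown.

```text
# Added example, not the Huawei documentation's own configuration.
# Placeholders: IKE peer "hq-branches", IKE user table 1, IKE user "branch-legacy".

system-view

# Step 2-4: enable strict xAuth on the peer (no "non-strict", so a client
# that cannot perform xAuth is rejected rather than admitted another way)
# and keep CHAP; "xauth type pap" would send passwords in plain text.
ike peer hq-branches
xauth enable
xauth type chap
quit

# Step 5: exempt only the one branch that does not support xAuth.
# Every other IKE user still inherits the peer's xAuth setting.
ike user-table 1
user branch-legacy
no-xauth enable
quit
quit

# Bind the exemption table to the peer.
ike peer hq-branches
user-table 1
quit
```

Check the result by reviewing the ike peer and ike user-table sections of the running configuration: the peer should show xauth enable without non-strict, and no-xauth enable should appear only under the intended branch user.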

Copyright © Huawei Technologies Co., Ltd.