The ikev2 id-match-certificate enable command enables the device to check certificate identity information of the remote device during IKEv2 certificate negotiation.
The undo ikev2 id-match-certificate enable command disables the device from checking certificate identity information of the remote device during IKEv2 certificate negotiation.
By default, the device does not check certificate identity information of the remote device during IKEv2 certificate negotiation.
Usage Scenario
By default, the device does not check the identity information in the remote device's certificate, such as the IP address, fully qualified domain name (FQDN), or email address, against the ID that the remote device presents during IKEv2 certificate negotiation. Any device holding a certificate issued to a branch gateway (for example, one copied from that gateway) can therefore establish an IPSec tunnel with the headquarters gateway, which is a security risk.
To prevent this risk, run the ikev2 id-match-certificate enable command so that the local device checks the identity information in the remote device's certificate. If that information differs from the ID (IP address, FQDN, User-FQDN, or DN) that the remote device presents, IKEv2 negotiation fails. Before enabling the check, make sure the ID each remote peer sends is one that its certificate actually carries; otherwise that peer can no longer negotiate a tunnel.
Precautions
You can run the display pki certificate command (all views) to view the identity information in a certificate. The Subject field of the certificate corresponds to the DN ID type, and the email address corresponds to the User-FQDN ID type.
This command is not supported when an RSA digital envelope is used for IKEv2 negotiation.
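To make the check concrete, the following is an added illustration of the comparison that ikev2 id-match-certificate enable performs between the ID a peer claims in its IKEv2 identification payload and the identity information in the certificate it presents. It is not Huawei code and not the device's implementation. Certificate contents are constructed dictionaries standing in for parsed X.509 fields, the issuer name, branch names, addresses and email addresses are made up, and the ID types follow RFC 7296 section 3.5 using the page's terms (User-FQDN for ID_RFC822_ADDR, DN for the certificate Subject):

```python
"""Model of the IKEv2 ID-versus-certificate identity check.

Added example, not Huawei code. It shows why a copied branch certificate
is accepted by default and rejected once the ID-match check is enabled.
"""
import ipaddress

# IKEv2 Identification payload types (RFC 7296, section 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3   # called "User-FQDN" in the command reference
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9   # called "DN"; corresponds to the certificate Subject

# Constructed stand-ins for parsed certificates (assumed names and addresses).
# "subject" is the Subject DN as (attribute, value) pairs; "san_*" entries
# stand for subjectAltName IP, DNS and email values.
CERT_BRANCH_A = {
    "issuer": "CN=Corp Root CA",
    "subject": [("C", "CN"), ("O", "Example Corp"), ("CN", "branch-a.example.com")],
    "san_dns": ["branch-a.example.com"],
    "san_ip": ["192.0.2.10"],
    "san_email": ["vpn-a@example.com"],
}
CERT_BRANCH_B = {
    "issuer": "CN=Corp Root CA",
    "subject": [("C", "CN"), ("O", "Example Corp"), ("CN", "branch-b.example.com")],
    "san_dns": ["branch-b.example.com"],
    "san_ip": ["192.0.2.20"],
    "san_email": ["vpn-b@example.com"],
}
TRUSTED_ISSUERS = {"CN=Corp Root CA"}  # assumed trusted CA


def _norm_dn(dn):
    """Normalise a DN given as (attribute, value) pairs for comparison."""
    return tuple((a.strip().upper(), v.strip().lower()) for a, v in dn)


def id_matches_certificate(id_type, id_value, cert):
    """Return True if the claimed IKE ID appears in the certificate."""
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        try:
            claimed = ipaddress.ip_address(id_value)
        except ValueError:
            return False  # malformed address in the ID payload
        return any(ipaddress.ip_address(ip) == claimed for ip in cert["san_ip"])
    if id_type == ID_FQDN:
        names = {d.rstrip(".").lower() for d in cert["san_dns"]}
        return id_value.rstrip(".").lower() in names
    if id_type == ID_RFC822_ADDR:
        return id_value.lower() in {e.lower() for e in cert["san_email"]}
    if id_type == ID_DER_ASN1_DN:
        return _norm_dn(id_value) == _norm_dn(cert["subject"])
    return False  # unknown ID type: fail closed


def authenticate_peer(id_type, id_value, cert, id_match_enabled):
    """Trust decision after the AUTH signature has already verified.

    With id_match_enabled=False (the default) any certificate from a
    trusted issuer is accepted, whatever ID the peer claims. With it
    enabled, the claimed ID must also be present in the certificate.
    """
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return False
    if not id_match_enabled:
        return True
    return id_matches_certificate(id_type, id_value, cert)


if __name__ == "__main__":
    # A device holding a copy of branch B's certificate claims branch A's ID.
    for enabled in (False, True):
        ok = authenticate_peer(ID_FQDN, "branch-a.example.com", CERT_BRANCH_B, enabled)
        print(f"id-match-certificate {'enabled' if enabled else 'disabled'}: "
              f"{'tunnel established' if ok else 'negotiation fails'}")
```

The comparison is deliberately tolerant of trailing dots and letter case for FQDN and email, and uses ipaddress so that textually different but equal addresses still match; a real implementation compares the DER-encoded DN rather than a tuple list, but the decision structure is the same.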