The inband ocsp command configures the device to validate the remote certificate based on the OCSP validation result that the remote device sends in-band during IKEv2 negotiation, when IKEv2 uses RSA signature authentication.
The undo inband ocsp command restores the default configuration.
By default, the device does not validate the remote certificate based on the OCSP validation result sent from the remote device when IKEv2 uses RSA signature authentication.
When IKEv2 uses RSA signature authentication and OCSP is used for certificate validation, the OCSP server is often located in the private network of the headquarters. In that case the branch cannot reach the OCSP server directly and so cannot check the status of the headquarters certificate itself. To let the branch obtain the OCSP validation result through IKEv2 instead, run the inband ocsp command on the branch. The headquarters then carries the OCSP validation result in the IKEv2 negotiation, and the branch uses that result to validate the headquarters certificate; the branch does not contact the OCSP server itself. If the OCSP validation result is valid, the certificate is considered valid, identity authentication succeeds, and the branch can negotiate with the headquarters to establish an IPSec tunnel.
When both the inband ocsp and inband crl commands are configured, the certificate is considered valid only if it passes both the OCSP check and the CRL check.
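The following is an added example of the branch-side configuration described above; it is not taken from the original page. It assumes that inband ocsp and inband crl are entered in the IKE peer view, that the IKE peer is named hq, and that the device prompt is Branch; the version and authentication-method lines are shown only as assumed context for an IKEv2 peer using RSA signature authentication.

```text
# Added example, not the original page's configuration.
# Assumed: IKE peer view, peer name "hq", prompt "Branch".
<Branch> system-view
[Branch] ike peer hq
[Branch-ike-peer-hq] version 2                          # assumed: IKEv2
[Branch-ike-peer-hq] authentication-method rsa-signature # assumed: RSA signature authentication
[Branch-ike-peer-hq] inband ocsp                        # use the OCSP result carried in IKEv2 from hq
[Branch-ike-peer-hq] inband crl                         # optional: certificate must also pass the CRL check
[Branch-ike-peer-hq] quit
# To restore the default (do not use the in-band OCSP result):
[Branch] ike peer hq
[Branch-ike-peer-hq] undo inband ocsp
```

With both inband ocsp and inband crl present, the headquarters certificate is accepted only when the OCSP result and the CRL check both pass; with inband ocsp alone, a valid OCSP result is sufficient for identity authentication to succeed.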