The local-id-preference certificate enable command enables the device to preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation.
The undo local-id-preference certificate enable command disables the device from preferentially obtaining the local ID from a field in a certificate when IKE uses certificate negotiation.
By default, the device preferentially obtains the local ID from a field in a certificate when IKE uses certificate negotiation.
Usage Scenario
When IKE uses certificate negotiation, the device can obtain its local ID from a field (IP address, FQDN, or email address) in the certificate, removing the need to configure the local ID.
After the local-id-preference certificate enable command is configured, the device preferentially obtains its local ID from a field in the certificate. If this method fails, it obtains its local ID based on the local configuration. If this method also fails, IKE negotiation fails.
Precautions
This command is not supported when IKE uses a digital envelope for authentication during certificate negotiation.
In IKEv2 negotiation scenarios, when both the local-id-preference certificate enable and local-id-reflect enable commands are configured, the local-id-reflect enable command takes effect.
You can run the display pki certificate (all views) command to view certificate identity information. The email address in the certificate corresponds to User-FQDN.
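The selection order described above (certificate field first, then the local configuration, otherwise negotiation fails) and the IKEv2 precedence of local-id-reflect enable, modelled as an added Python example that is not part of the product documentation. The subjectAltName string, the function names and the ID-type constants (names taken from RFC 7296) are assumptions; the device's real certificate parsing and reflect behaviour are not shown.

```python
# Added example, not vendor code: models which local ID an IKE peer would use
# when local-id-preference certificate enable is on. Certificate content is a
# constructed subjectAltName string, not a parsed X.509 certificate.

# IKE ID types (RFC 7296, section 3.5). User-FQDN is the RFC 822 address form.
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_IPV6_ADDR = "ID_IPV6_ADDR"
ID_FQDN = "ID_FQDN"
ID_USER_FQDN = "ID_RFC822_ADDR"   # email address in the certificate

# subjectAltName entry kind -> IKE ID type (assumed mapping for this model).
SAN_TO_IKE = {"DNS": ID_FQDN, "email": ID_USER_FQDN}


def ids_from_certificate(san):
    """Parse 'IP:192.0.2.1, DNS:vpn.example.com, email:a@example.com' into
    (ike_id_type, value) candidates, in certificate order."""
    out = []
    for entry in san.split(","):
        entry = entry.strip()
        if ":" not in entry:
            continue
        kind, value = entry.split(":", 1)
        if not value:
            continue
        if kind == "IP":
            out.append((ID_IPV6_ADDR if ":" in value else ID_IPV4_ADDR, value))
        elif kind in SAN_TO_IKE:
            out.append((SAN_TO_IKE[kind], value))
    return out


def select_local_id(san, configured_id, prefer_certificate=True, ikev2_reflect=False):
    """Return the (type, value) used as the local ID, or None when no ID is
    available (the page: IKE negotiation fails).

    ikev2_reflect models IKEv2 with local-id-reflect enable also configured:
    that command takes effect instead of the certificate preference."""
    if ikev2_reflect:
        return ("REFLECT", None)
    sources = [ids_from_certificate(san), [configured_id] if configured_id else []]
    if not prefer_certificate:
        sources.reverse()          # undo form: local configuration first
    for candidates in sources:
        if candidates:
            return candidates[0]
    return None                    # neither source yields an ID
```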