
local-id-type

Function

The local-id-type command sets the type of the local ID used in IKE negotiation.

The undo local-id-type command restores the default type of the local ID used in IKE negotiation.

By default, the local ID type used by IKE negotiation is IP.

Format

local-id-type { dn | esn | fqdn | ip [ ip-configurable ] | user-fqdn }

undo local-id-type

Parameters

| Parameter | Description | Value |
|---|---|---|
| dn | Specifies the Distinguished Name (DN) as the local ID. | - |
| esn | Specifies the ESN as the local ID. | - |
| fqdn | Specifies the name as the local ID. | - |
| ip | Specifies the IP address as the local ID. | - |
| ip-configurable | Indicates that the IP address used as the local ID is configurable. This IP address can be configured using the local-id command. The IP address is the local IP address used for IKE negotiation by default. | - |
| user-fqdn | Specifies the USER-FQDN as the local ID. | - |

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Identity authentication is a protection mechanism for IKE negotiation. The device ensures security by confirming the identities of the communicating parties. IKE peers can use different ID types. This command configures the type of the local ID of an IKE peer.

Precautions

  • The local ID type can be different from the remote ID type. You can use commands to specify the local and remote ID types.
  • If IKEv1 is used, pre-shared key authentication requires the local ID on the local end to be the same as the remote ID on the remote end. If IKEv2 is used, pre-shared key authentication requires the local ID type or local ID on the local end to be the same as the remote ID type or remote ID on the remote end.
  • For RSA signature authentication, the remote ID type or remote ID on the local end must be consistent with corresponding fields in the local certificate on the remote end.

Different authentication methods support different ID types, as shown in Table 1.

Table 1 Relationship between local IKE ID types, local ID, and authentication methods

| Authentication Method | IP | DN | ESN | FQDN | USER-FQDN |
|---|---|---|---|---|---|
| pre-share | Supported. The ID is the local IP address used for IKE negotiation by default. Set an ID using the local-id command, indicating that the IKE peer uses this ID for identity authentication. | Not supported | Supported. You do not need to configure this parameter. The ESN of the device is used by default. | Supported. Set an ID using the local-id command, indicating that the IKE peer uses this ID for identity authentication. The ID specified by the ike local-name command, indicating that all peers on the device use this ID for identity authentication. The ID specified by the local-id command has a higher priority than the one specified by the ike local-name command. | Supported. Set an ID using the local-id command, indicating that the IKE peer uses this ID for identity authentication. Set an ID using the ike local-name command, indicating that all peers on the device use this ID for identity authentication. The ID specified by the local-id command has a higher priority than the one specified by the ike local-name command. |
| rsa-signature | Supported. The ID is the local IP address used for IKE negotiation by default. Set an ID using the local-id command, indicating that the IKE peer uses this ID for identity authentication. | Supported. Use the default ID in the certificate. No configuration is required. | Not supported | Supported. Use the default ID in the certificate. No configuration is required. | Supported. Use the default ID in the certificate. No configuration is required. |
| digital-envelope | Not supported | Supported. Use the default ID in the certificate. No configuration is required. | Not supported | Not supported | Not supported |
| digital-envelope new | Not supported | Supported. Use the default ID in the certificate. No configuration is required. | Not supported | Not supported | Not supported |
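
Added example (not part of the original reference and not vendor code): Table 1 and the default ID type stated above, encoded as a function that returns the local ID a peer would present for a given authentication method, or rejects a combination the table marks as Not supported. The dictionary keys and the sample values are assumptions made for illustration.

```python
# Added example: Table 1 encoded as data. Dictionary keys are hypothetical.
SUPPORTED = {
    "pre-share": {"ip", "esn", "fqdn", "user-fqdn"},
    "rsa-signature": {"ip", "dn", "fqdn", "user-fqdn"},
    "digital-envelope": {"dn"},
    "digital-envelope new": {"dn"},
}
DEFAULT_ID_TYPE = "ip"  # applies when the peer has no local-id-type line


def effective_local_id(auth, peer, device):
    """Return (id_type, value, source), or raise ValueError for a
    combination that Table 1 marks as not supported."""
    id_type = peer.get("local-id-type", DEFAULT_ID_TYPE)
    if id_type not in SUPPORTED.get(auth, set()):
        raise ValueError(f"{auth}: local ID type {id_type!r} not supported")
    if id_type != "ip" and auth != "pre-share":
        return id_type, device["cert"][id_type], "certificate"  # default ID in the certificate
    if id_type == "esn":
        return id_type, device["esn"], "device ESN"
    # The ip-configurable keyword is not modelled; local-id is applied as Table 1 words it.
    if peer.get("local-id"):  # per-peer local-id outranks every default
        return id_type, peer["local-id"], "local-id"
    if id_type == "ip":
        return id_type, device["negotiation-ip"], "negotiation address"
    if device.get("ike local-name"):  # device-wide fallback for fqdn / user-fqdn
        return id_type, device["ike local-name"], "ike local-name"
    raise ValueError(f"{id_type}: neither local-id nor ike local-name is set")


# Constructed sample values, not taken from any real device.
DEVICE = {
    "negotiation-ip": "192.0.2.1",
    "esn": "ESN-PLACEHOLDER",
    "ike local-name": "gw.example.test",
    "cert": {"dn": "CN=gw.example.test", "fqdn": "gw.example.test"},
}

if __name__ == "__main__":
    for auth, peer in [
        ("pre-share", {"local-id-type": "fqdn", "local-id": "peer1.example.test"}),
        ("rsa-signature", {"local-id-type": "dn"}),
        ("digital-envelope", {}),  # left at the default type (ip)
    ]:
        try:
            print(auth, peer, "->", effective_local_id(auth, peer, DEVICE))
        except ValueError as err:
            print(auth, peer, "-> rejected:", err)
```

Read together, the default type (ip) and Table 1 put a digital-envelope peer that is left at the default in a Not supported cell, which is the last case in the loop.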

Example

# Set the local ID type of IKE peer peer1 to FQDN.
<sysname> system-view
[sysname] ike peer peer1
[sysname-ike-peer-peer1] local-id-type fqdn
Copyright © Huawei Technologies Co., Ltd.