
remote-address (IKE peer view)

Function

The remote-address command configures an IP address, an IP address segment, or a domain name for the remote IKE peer used in IKE negotiation.

The undo remote-address command cancels the configuration.

By default, no IP address, IP address segment, or domain name is configured for the remote IKE peer, so the local end cannot initiate IKE negotiation until one is set.

Format

remote-address { [ vpn-instance vpn-instance-name ] { start-ipv4-address [ end-ipv4-address ] | start-ipv6-address [ end-ipv6-address ] | host-name host-name } | ip-pool pool-number | authentication-address start-ipv4-address [ end-ipv4-address ] }

undo remote-address [ ipv4-address | ipv6-address | ip-pool | host-name host-name | authentication-address ]

Parameters

vpn-instance vpn-instance-name
  Description: Specifies the name of the VPN instance. NOTE: The virtual system does not support this parameter.
  Value: The value must be an existing VPN instance name. IPv4 multi-instance is supported.

start-ipv4-address
  Description: Specifies the start IPv4 address of the remote end.
  Value: The value is in dotted decimal notation.

end-ipv4-address
  Description: Specifies the end IPv4 address of the remote end.
  Value: The value is in dotted decimal notation.

start-ipv6-address
  Description: Specifies the start IPv6 address of the remote end. NOTE: IPSec profiles do not support this parameter.
  Value: The value is in colon hexadecimal notation.

end-ipv6-address
  Description: Specifies the end IPv6 address of the remote end. NOTE: IPSec profiles do not support this parameter.
  Value: The value is in colon hexadecimal notation.

host-name host-name
  Description: Specifies the domain name of the remote IKE peer.
  Value: The value must be an existing remote IKE peer domain name.

ip-pool pool-number
  Description: Specifies the index of an IP address pool.
  Value: The index of the IP address pool in the service scheme used by the access user domain or IKE peer.

authentication-address start-ipv4-address [ end-ipv4-address ]
  Description: Specifies the IP address (or address segment) before NAT as the authentication address.
  Value: The value is in dotted decimal notation.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The remote address used in IKE negotiation can be specified in two forms: an IP address or a domain name.

If the remote gateway has a fixed IP address, set remote-address to that address. If the remote gateway address is not fixed and the local end uses an IPSec policy template (that is, the local end only responds), set remote-address to an IP address segment that covers the addresses the remote gateway may use.

When a domain name is configured as the remote address, the device resolves it in either of the following modes:

  • Static mode: The device obtains the remote address from a manually configured mapping between the domain name and an IP address.
  • Dynamic mode: The device obtains the remote address from the DNS server.

To improve network reliability, the headquarters provides four devices for branch gateways to access. In an IPSec policy, two remote IP addresses or domain names can be configured for the IKE peer on the branch gateway. The branch gateway first attempts to establish an IKE connection with the headquarters gateway using the first IP address or domain name. If that fails, it tries the second IP address or domain name, and so on.

If a remote terminal (for example, an AP) needs an address allocated by the local end, configure an address pool index at the local end. The device then allocates an address to the remote user from the IP address pool with the specified index. The index can be specified for both authenticated and non-authenticated users: the device allocates addresses to authenticated users based on AAA information, and to non-authenticated users based on the service scheme configured using the service-scheme (IKE peer view) command.

In NAT traversal scenarios where both ends use IKEv2 and IP addresses need to be verified, run the remote-address authentication-address start-ipv4-address [ end-ipv4-address ] command to specify the pre-NAT IP address or IP address segment as the authentication address. Without it, the address seen after NAT would not match the peer's real address and the identity check would fail.

Prerequisites

If the vpn-instance vpn-instance-name parameter is specified, a VPN instance must have been created by using the ip vpn-instance command and a route distinguisher must have been configured by using the route-distinguisher command.

Precautions

  • When an IPSec policy is used and the local device functions as the initiator, run the remote-address command so that the initiator can use this address to find the responder. Because either end may initiate, run the remote-address command at both ends. The remote-address command is not required when the IKE peer functions only as the responder and uses an IPSec policy template to establish the IPSec policy.

  • You do not need to specify the tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local does not take effect.

  • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.

  • When an IPSec profile is used, the destination address of the IPSec tunnel interface configured using the destination command is preferentially used as the remote address for IKE negotiation. When the remote-address and destination commands are configured at the same time, ensure that the configured IP addresses are the same; otherwise, IKE negotiation will fail. To implement IKE peer redundancy, do not configure the destination command on the IPSec tunnel interface. Instead, configure the remote-address command on the IKE peer referenced by the IPSec profile.

  • The remote IP address (remote-address) at the local end must be the same as the local IP address (local-address) at the remote end.

  • For a multi-CPU device, only one remote-address can be configured for an IKE peer.
  • If more than one remote IP address or domain name is configured, the specified vpn-instance-name must be the same.
  • If the command remote-address start-ip-address end-ip-address is configured, the device can only function as the IKE negotiation responder.
  • If multiple remote IP addresses are configured, the device with redundant addresses must function as the IKE negotiation initiator.
  • If both tunnel local and remote-address are configured, IP addresses of the same version must be specified.

  • IPv4 and IPv6 remote addresses cannot both be configured on the device at the same time. If remote-address specifies a domain name and IPSec has not yet obtained an IP address for it, you can additionally configure an address or domain name of the other IP version. However, the two cannot take effect simultaneously: only the IP address that IPSec obtains first takes effect.

  • When an IPSec policy is applied to a tunnel interface to establish an IPSec 6 tunnel, the IP address of the remote tunnel interface needs to be specified using remote-address.

  • In dual-system hot backup scenarios, the local IP address of an IPSec tunnel cannot be configured as the peer IP address by using the remote-address command in the IKE peer view. Otherwise, the standby device cannot back up the IPSec tunnel information generated by hosts based on the IKE peer.
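The precautions above are easy to violate across two devices: the remote-address at one end must equal the local-address at the other, all entries must name the same vpn-instance, an address range makes the device responder-only, and local and remote addresses must be of the same IP version. The following Python is an added example, not Huawei code and not part of VRP. It parses constructed VRP-style ike peer stanzas (only the ike peer, local-address and remote-address lines; the peer names are hypothetical and the addresses are RFC 5737 documentation addresses), classifies each remote-address operand according to the Format section, and applies those checks to one end and to a pair of ends.

```python
"""Added example (not Huawei code): lint VRP-style 'ike peer' stanzas against the
remote-address Format and Precautions on this page. Sample configs are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class RemoteAddress:
    kind: str                   # address | range | host-name | ip-pool | authentication-address
    vpn_instance: Optional[str] = None
    start: Optional[IPAddr] = None
    end: Optional[IPAddr] = None
    name: Optional[str] = None  # domain name or pool index

    def contains(self, addr: IPAddr) -> bool:
        """True if addr is the configured address or lies inside the configured range."""
        return self.start is not None and addr.version == self.start.version and self.start <= addr <= self.end


@dataclass
class IkePeer:
    name: str
    local_address: Optional[IPAddr] = None
    remotes: List[RemoteAddress] = field(default_factory=list)


def parse_remote_address(args: List[str]) -> RemoteAddress:
    """Classify the operands of one remote-address command per the Format section."""
    vpn = None
    if args[:1] == ["vpn-instance"]:            # only combines with an address or host-name
        vpn, args = args[1], args[2:]
    if args and args[0] in ("ip-pool", "host-name"):
        return RemoteAddress(args[0], vpn, name=args[1])
    kind = "address"
    if args[:1] == ["authentication-address"]:  # pre-NAT address for IKEv2 NAT traversal
        kind, args = "authentication-address", args[1:]
    if not args:
        raise ValueError("remote-address requires an address operand")
    start = ipaddress.ip_address(args[0])
    end = ipaddress.ip_address(args[1]) if len(args) > 1 else start
    if end.version != start.version or end < start:
        raise ValueError(f"invalid address range {start} {end}")
    return RemoteAddress("range" if kind == "address" and end != start else kind, vpn, start, end)


def parse_ike_peers(config: str) -> List[IkePeer]:
    """Collect ike peer stanzas; commands other than local-/remote-address are ignored."""
    peers: List[IkePeer] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["ike", "peer"]:
            peers.append(IkePeer(tokens[2]))
        elif peers and tokens[:1] == ["local-address"]:
            peers[-1].local_address = ipaddress.ip_address(tokens[1])
        elif peers and tokens[:1] == ["remote-address"]:
            peers[-1].remotes.append(parse_remote_address(tokens[1:]))
    return peers


def check_peer(peer: IkePeer) -> List[str]:
    """Single-end precautions: one vpn-instance, range means responder only, one IP version."""
    findings = []
    if len({r.vpn_instance for r in peer.remotes}) > 1:
        findings.append(f"{peer.name}: all remote-address entries must use the same vpn-instance")
    if any(r.kind == "range" for r in peer.remotes):
        findings.append(f"{peer.name}: address range configured, this end can only be the IKE responder")
    versions = {r.start.version for r in peer.remotes if r.kind in ("address", "range")}
    if peer.local_address is not None:
        versions.add(peer.local_address.version)
    if len(versions) > 1:
        findings.append(f"{peer.name}: local-address and remote-address mix IPv4 and IPv6")
    return findings


def check_pair(initiator: IkePeer, responder: IkePeer) -> List[str]:
    """Cross-end precaution: remote-address on one end must match local-address on the other."""
    findings = []
    ilocal, rlocal = initiator.local_address, responder.local_address
    if rlocal is None or not any(r.kind == "address" and r.start == rlocal for r in initiator.remotes):
        findings.append(f"{initiator.name}: no remote-address equals {responder.name} local-address {rlocal}")
    if ilocal is None or not any(r.kind in ("address", "range") and r.contains(ilocal) for r in responder.remotes):
        findings.append(f"{responder.name}: no remote-address covers {initiator.name} local-address {ilocal}")
    return findings


# Constructed samples: RFC 5737 addresses and hypothetical peer names.
BRANCH_CONFIG = """\
ike peer hq
 local-address 192.0.2.10
 remote-address 198.51.100.1
 remote-address 198.51.100.2
"""
HQ_CONFIG = """\
ike peer branches
 local-address 198.51.100.1
 remote-address 192.0.2.1 192.0.2.254
"""
HQ_BAD_CONFIG = HQ_CONFIG.replace("198.51.100.1", "198.51.100.9")  # no branch points at this address


def run_example() -> dict:
    branch, = parse_ike_peers(BRANCH_CONFIG)
    hq, = parse_ike_peers(HQ_CONFIG)
    hq_bad, = parse_ike_peers(HQ_BAD_CONFIG)
    return {"branch": check_peer(branch), "hq": check_peer(hq),
            "branch<->hq": check_pair(branch, hq), "branch<->hq_bad": check_pair(branch, hq_bad)}


if __name__ == "__main__":
    for label, findings in run_example().items():
        print(label, findings or "OK")
```

The branch end lists two headquarters addresses (the redundancy case from the Usage Scenario) and passes; the headquarters end uses an address segment and is flagged as responder-only, which is the expected state for a policy-template responder. The mismatched copy of the headquarters config is caught because no branch remote-address equals its local-address. Only the lines this page documents are parsed; a real configuration audit would also compare the IKE versions, proposals and pre-shared keys at both ends.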

Example

# Set the remote IP address of IKE peer peer1 to 10.1.1.1.

<sysname> system-view
[sysname] ike peer peer1
[sysname-ike-peer-peer1] remote-address 10.1.1.1

# Configure IKE peer peer1 to allocate remote addresses from IP address pool 1.

<sysname> system-view
[sysname] ike peer peer1
[sysname-ike-peer-peer1] remote-address ip-pool 1
Copyright © Huawei Technologies Co., Ltd.