About Identity Types

The purpose of the identity in an IKEv1 policy is to provide a username for each device during the authentication process. The identity types are as follows:

Local ID

  • IP Address — IP address of the local interface to which return VPN traffic is destined. Use dotted-decimal format: 192.168.1.100. This value must be the IP address for the module interface that handles incoming VPN traffic. If you are using NAT, this address must be the public IP address for that interface.

  • Domain Name — FQDN (Fully Qualified Domain Name) of the local interface to which return VPN traffic is destined; for example, eng.test.procurve.edu. If you choose this option, DNS address resolution will be involved, which may increase processing time.

  • Email Address — An email address for the local host. The email address does not need to be valid.

  • Distinguished Name — Use this type only if you will select DSA (Digital Signature Algorithm) Signature or RSA (Rivest-Shamir-Adleman) Signature for the Authentication Method in Step 2 of 3 of the IKEv1 policy. The value is the ASN.1 (Abstract Syntax Notation One) DN that is associated with the certificate, for example: /CN=TMSzl.procurveu.edu

If you use certificates for IKE authentication, you must either specify the DN as the identity type, or specify a type and value that match a subject alternate name you specified when you generated the IPsec certificate request for the local endpoint.

Remote ID

To configure the IKE policy for multiple clients in a client-to-site policy, you can use the wildcard format for the remote ID.

  • IP Address — IP address of the remote interface to which VPN traffic is destined. Use dotted-decimal format: 192.168.1.100. If the remote gateway or client is using NAT, this address must be the public IP address for that interface.

    • Wildcard: 0.0.0.0

  • Domain Name — FQDN of the remote interface to which VPN traffic is destined: for example, eng.develop.procurveu.edu. If you choose this option, DNS address resolution will be involved, which may increase processing time.

    • Wildcard Format: subdomain.domain.tld (tld = top-level domain)

  • Email Address — An email address on the remote host. The email address does not need to be valid.

    • Wildcard Format: *@domain.tld

  • Distinguished Name — Use this type only if you will select DSA Signature or RSA Signature for the Authentication Method in Step 2 of 3 of the IKEv1 policy. The value is the ASN.1 DN that is associated with the certificate, for example: /CN=TMSzl.procurveu.edu

    • Wildcard: /CN=* or /*

If you use certificates for IKE authentication, you must specify an identity type and value that you specified as a subject alternate name when you generated the IPsec certificate request for the remote endpoint. If you specified no subject alternate names, you must use the distinguished name for this field.
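As an added example, not the module's own matching code, the following Python implements the Remote ID rules listed above: the identity type must match, and the value is compared exactly or through the wildcard forms given for each type. It also flags the catch-all wildcards (0.0.0.0, /* and /CN=*) that admit every peer of their type. The page renders the domain-name wildcard as subdomain.domain.tld; the example assumes a leading `*.` label with the same meaning as the `*@domain.tld` e-mail form, which is an assumption and not something the page states. The class and function names, and the peer identities in the demo, are the example's own constructions.

```python
"""Remote ID matching for an IKEv1 client-to-site policy (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeId:
    kind: str    # "ip", "fqdn", "email" or "dn"
    value: str


def _ip_matches(pattern: str, addr: str) -> bool:
    if pattern.strip() == "0.0.0.0":
        return True                                   # wildcard: any peer address
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)
    except ValueError:                                # not a parsable address
        return False


def _fqdn_matches(pattern: str, name: str) -> bool:
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        # ASSUMPTION: a leading "*." label matches any host under the domain,
        # and the bare domain itself does not match.
        suffix = pattern[1:]                          # ".domain.tld"
        return len(name) > len(suffix) and name.endswith(suffix)
    return pattern == name


def _email_matches(pattern: str, addr: str) -> bool:
    p_local, _, p_dom = pattern.partition("@")
    a_local, _, a_dom = addr.partition("@")
    if p_dom.lower() != a_dom.lower():                # domain must match exactly
        return False
    return p_local == "*" or p_local == a_local       # "*@domain.tld" form


def _parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split '/CN=host/OU=eng' into [('CN', 'host'), ('OU', 'eng')]."""
    out = []
    for part in dn.split("/"):
        if not part:
            continue
        attr, _, val = part.partition("=")
        out.append((attr.strip().upper(), val.strip()))
    return out


def _dn_matches(pattern: str, dn: str) -> bool:
    if pattern.strip() == "/*":
        return True                                   # wildcard: any certificate DN
    have = _parse_dn(dn)
    for attr, val in _parse_dn(pattern):
        # each pattern attribute must be present; "*" accepts any value for it
        if not any(a == attr and (val == "*" or v == val) for a, v in have):
            return False
    return True


_MATCHERS = {"ip": _ip_matches, "fqdn": _fqdn_matches,
             "email": _email_matches, "dn": _dn_matches}


def remote_id_matches(policy_remote_id: IkeId, peer_id: IkeId) -> bool:
    """True if the identity a peer presents satisfies the policy's Remote ID.

    The type has to match as well as the value: a policy whose Remote ID is an
    e-mail wildcard does not accept a peer that identifies by IP address.
    """
    if policy_remote_id.kind != peer_id.kind:
        return False
    return _MATCHERS[policy_remote_id.kind](policy_remote_id.value, peer_id.value)


def is_catch_all(policy_remote_id: IkeId) -> bool:
    """Wildcards that admit every peer of the type, so that only the
    authentication method (pre-shared key or certificate) keeps a peer out."""
    return policy_remote_id.value.strip() in ("0.0.0.0", "/*", "/CN=*")


if __name__ == "__main__":
    policy = IkeId("email", "*@procurveu.edu")          # constructed policy
    for peer in (IkeId("email", "alice@procurveu.edu"),  # constructed peers
                 IkeId("email", "bob@procurveu.edu.example"),
                 IkeId("ip", "203.0.113.7")):
        print(peer, "->", remote_id_matches(policy, peer))
    print("catch-all:", is_catch_all(IkeId("dn", "/*")))
```

A policy whose Remote ID is a catch-all relies entirely on the authentication method to keep unknown peers out, so it belongs with certificate authentication (where the subject alternate name rule above still applies) rather than with a pre-shared key shared by many clients.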