security vpn ipsec site-to-site peer <peer> authentication remote-id <id>
Specifies the authentication credentials of the VPN peer.
- peer
- Mandatory. The address of the far-end VPN gateway. The format is an IPv4 address, an IPv6 address, a hostname (IPv4 networks only), an authentication ID, or 0.0.0.0.
- id
- The authentication credentials of the remote VPN peer. The id can be an IP address, a hostname (IPv4 networks only), an authentication ID in the form @ id , or, for X.509, a string specifying the “distinguished name” of the certificate for the remote end of the tunnel.
Configuration mode
security {
vpn {
ipsec {
site-to-site {
peer peer {
authentication {
remote-id id
}
}
}
}
}
}Use this command to specify the authentication credentials of the VPN peer. The remote-id is an override to the default authentication - the peer IP address. The remote peer uses an authentication ID for authentication when its IP address is dynamic or it identifies itself with a different IP address or hostname (IPv4 networks only). An example of this is when the remote peer is behind a NAT device.
Another case where remote-id is required is for X.509 authentication. In this case, a string specifying the “distinguished name” of the certificate for the remote end of the tunnel is used. For example, the string “C=US, ST=CA, O=ABC Company, CN=test, emailAddress=root@abc.com” specifies the information included in the X.509 certificate for the peer.
When using IP address as the id, make sure the certificate has Subject Alternative Name with the IP address field. For example:
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:192.0.71.1
Use the set form of this command to specify the authentication credentials of the VPN peer.
Use the delete form of this command to remove the remote peer authentication credentials.
Use the show form of this command to view the remote peer authentication credentials.