RemoteIdentity statement

Use the RemoteIdentity statement to encapsulate remote IKE identity information. This statement defines a single or wildcard value remote identity for use in negotiation of dynamic VPN tunnels.

Restriction: This statement is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

Syntax

>>-RemoteIdentity--+------+--| Put Braces and Parameters on Separate Lines |-><
                   '-name-'                                                    

Put Braces and Parameters on Separate Lines

|--+-{-----------------------------+----------------------------|
   +-| RemoteIdentity Parameters |-+   
   '-}-----------------------------'   

RemoteIdentity Parameters

|--Identity--+-IpAddr authid------------+-----------------------|
             +-KeyID -+-Ascii authid--+-+   
             |        +-Ebcdic authid-+ |   
             |        '-Hex authid----' |   
             +-Fqdn authid--------------+   
             +-UserAtFqdn authid--------+   
             '-X500dn authid------------'   

Parameters

name
A string 1 - 32 characters in length specifying the name of this RemoteIdentity statement.

Rule: If this RemoteIdentity statement is not specified as an inline statement, you must specify a name value.

If you do not specify a name for an inline RemoteIdentity statement, a nonpersistent system name results.
Identity
The identity of a remote security endpoint with which dynamic VPN tunnel negotiations should be allowed. The RemoteIdentity statement supports the following identity types and formats, which can be coded with a wildcard value to indicate a set of remote endpoints:
IpAddr
Indicates that the authid value is an IP address, for example: 1.2.3.4 or 1::9. This value can be coded with a wildcard value as a subnet or range.
The following code is a subnet example:
1.2.3.0/24 or 1::9/124
The following code is a range example:
1.2.3.4-1.2.3.100 or 1::0-1::F
KeyID
Indicates that the authid value is an opaque byte stream. This identity type is intended for use with pre-shared key authentication. The ID value can be specified as an ASCII string, an EBCDIC string, or a hexadecimal string. The maximum length for an ASCII or EBCDIC string is 900 characters. The maximum length for a hexadecimal string is 450 bytes. The hexadecimal string must begin with 0x.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

Examples:
KeyID Ascii SharedKeyValue
The value is treated as an ASCII string. This specification is useful if the key ID is defined to the other endpoint as an ASCII string.
KeyID Ebcdic SharedKeyValue
The value is treated as an EBCDIC string.
KeyID Hex 0xC1C2C3F1F2F3
The value is treated as a hexadecimal string.

The ASCII or EBCDIC KeyID value can be defined as a quoted string or a single value.

Rules:
  • A quoted string must start and end with a double-quote (").
  • A quoted string allows the KeyID value for this attribute to contain embedded blanks.
  • If the KeyID value is not a quoted string, it is treated as a single value.
Results:
  • Leading blanks and trailing blanks within the quoted string are removed.
  • Within a quoted string, comment indicators, embedded blanks, and additional quotes are treated as part of the value for this attribute.

Restriction: When the value contains embedded blanks, you must specify the entire parameter value within the first 1 536 characters of the configuration file line.

Example KeyID values:
Identity KeyID Ascii   ASC # comment"  value used:  ASC
Identity KeyID EBCDIC  EBC comment     value used:  EBC
Identity KeyID ASCII   "ASC 98Z"       value used:  ASC 98Z
Identity KeyID EBCDIC  EBC 98Z"        value used:  EBC
Identity KeyID ASCII   "AsC 98Z        value used:  "AsC
Identity KeyID EBCDIC  "Ebc " " Ebc"   value used:  Ebc " " Ebc
Identity KeyID ASCII   "Asc Asc" "     value used:  Asc Asc"
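The quoted-string and single-value rules above, as an added example that is not part of the original page or of the Policy Agent code: a small Python parser for Identity KeyID lines, checked against the page's own example values. Taking the last double-quote on the line as the closing quote is an assumption drawn from those examples, not a documented rule.

```python
import re

MAX_STRING_CHARS = 900  # ASCII/EBCDIC KeyID limit stated on the page
MAX_HEX_BYTES = 450     # hexadecimal KeyID limit stated on the page

def parse_keyid_value(raw: str) -> str:
    """Quoted-string rules for the text after 'KeyID Ascii' / 'KeyID Ebcdic':
    a quoted string runs from the first double-quote to the LAST one on the
    line ('#', blanks and extra quotes inside belong to the value; blanks just
    inside the quotes are dropped); anything else is the first token only.
    Closing on the last quote is our reading of the page's examples."""
    text = raw.strip()
    if text.startswith('"') and text.count('"') >= 2:
        return text[1:text.rindex('"')].strip(' ')
    return text.split()[0] if text else ''

def parse_keyid_identity(line: str) -> tuple:
    """Parse 'Identity KeyID <Ascii|Ebcdic|Hex> value' into (encoding, value),
    enforcing the 0x prefix and the length limits the page gives."""
    m = re.match(r'\s*Identity\s+KeyID\s+(Ascii|Ebcdic|Hex)\s*(.*)$',
                 line, re.IGNORECASE)
    if not m:
        raise ValueError(f'not a KeyID identity line: {line!r}')
    encoding, rest = m.group(1).lower(), m.group(2)
    if encoding == 'hex':  # single token: 0x prefix, whole bytes, <= 450 bytes
        value = rest.split()[0] if rest.split() else ''
        if not re.fullmatch(r'0[xX](?:[0-9A-Fa-f]{2})+', value):
            raise ValueError(f'hex KeyID must be 0x plus whole bytes: {value!r}')
        if (len(value) - 2) // 2 > MAX_HEX_BYTES:
            raise ValueError('hex KeyID exceeds 450 bytes')
        return encoding, value
    value = parse_keyid_value(rest)
    if not 0 < len(value) <= MAX_STRING_CHARS:
        raise ValueError('ASCII/EBCDIC KeyID must be 1-900 characters')
    return encoding, value

# Constructed copies of the page's example lines (config text only) paired
# with the "value used" the page lists for each.
PAGE_EXAMPLES = [
    ('Identity KeyID Ascii   ASC # comment"', 'ASC'),
    ('Identity KeyID EBCDIC  EBC comment', 'EBC'),
    ('Identity KeyID ASCII   "ASC 98Z"', 'ASC 98Z'),
    ('Identity KeyID EBCDIC  EBC 98Z"', 'EBC'),
    ('Identity KeyID ASCII   "AsC 98Z', '"AsC'),
    ('Identity KeyID EBCDIC  "Ebc " " Ebc"', 'Ebc " " Ebc'),
    ('Identity KeyID ASCII   "Asc Asc" "', 'Asc Asc"'),
]

def check_page_examples() -> bool:
    # True when every page example parses to the value the page lists for it
    return all(parse_keyid_identity(c)[1] == w for c, w in PAGE_EXAMPLES)
```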
Fqdn
Indicates that the authid value is a fully qualified domain name or host name. For example, vnet.ibm.com. The maximum length accepted is 1024 characters. The Fqdn value cannot begin or end with a dot (.) and cannot contain consecutive dots.

The Fqdn value can be coded with a wildcard value in the leftmost portion preceding the first period. For example, *.ibm.com is allowed.

The leftmost portion cannot be a partial wildcard value. For example, *net.ibm.com is not allowed.

UserAtFqdn
Indicates that the authid value is a user at a fully qualified domain name or host name. The user name cannot contain a blank.

For example, ibm@vnet.ibm.com is allowed. The maximum length accepted is 1024 characters. The UserAtFqdn value cannot begin or end with a dot (.) and cannot contain consecutive dots.

The user portion can be a wildcard value (for example, *@vnet.ibm.com). Alternatively, the leftmost portion of the Fqdn value can be a wildcard value. For example, *.ibm.com is allowed.

X500dn
Indicates that the authid value is an X.500 distinguished name (DN). See LocalSecurityEndpoint statement for the DN specification.

The leftmost portion of the DN can be a wildcard value. For example, *,OU=endicott,O=ibm,C=US is allowed.

Non-initial RDNs cannot be a wildcard value. For example, CN="John Doe",*,O=ibm,C=US is not allowed.

Rule: You can use comment indicators and embedded blanks as part of the value for this attribute. For example:
Identity X500DN cn=#my  identity 
value used: cn=#my  identity

Restriction: When the value contains embedded blanks, you must specify the entire parameter value within the first 1 536 characters of the configuration file line.
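The wildcard and format rules for the IpAddr, Fqdn, UserAtFqdn and X500dn identity types above, as an added Python example that is not IBM's code: a validator for the authid forms the page allows, plus a matcher for the IpAddr single, subnet and range forms. The X500dn check only enforces wildcard placement; the DN syntax itself is defined in the LocalSecurityEndpoint statement the page refers to.

```python
import ipaddress
import re

MAX_NAME_CHARS = 1024  # Fqdn / UserAtFqdn limit from the page

def _fqdn_ok(name: str) -> bool:
    # Page rules: 1-1024 chars, no leading/trailing dot, no consecutive dots,
    # wildcard only as the whole leftmost portion (*.ibm.com yes, *net.ibm.com no)
    if not 0 < len(name) <= MAX_NAME_CHARS:
        return False
    if name.startswith('.') or name.endswith('.') or '..' in name:
        return False
    head, _, tail = name.partition('.')
    return (head == '*' or '*' not in head) and '*' not in tail

def identity_error(kind: str, authid: str) -> str:
    """'' if authid is a legal value for this identity type, else the reason."""
    k = kind.lower()
    if k == 'ipaddr':
        try:
            if '-' in authid:  # range form: low-high, same IP version
                lo, hi = (ipaddress.ip_address(p) for p in authid.split('-', 1))
                return '' if lo.version == hi.version and lo <= hi else 'bad range'
            ipaddress.ip_network(authid, strict=False)  # single address or subnet
            return ''
        except ValueError as e:
            return str(e)
    if k == 'fqdn':
        return '' if _fqdn_ok(authid) else 'invalid Fqdn'
    if k == 'useratfqdn':
        user, at, host = authid.partition('@')
        if not at or not user or ' ' in user or len(authid) > MAX_NAME_CHARS:
            return 'invalid UserAtFqdn'
        if user != '*' and '*' in user:
            return 'user portion may only be wildcarded as *'
        return '' if _fqdn_ok(host) else 'invalid Fqdn portion'
    if k == 'x500dn':  # split on commas outside double quotes; only RDN 1 may be *
        rdns = [r.strip() for r in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', authid)]
        if any('*' in r for r in rdns[1:]):
            return 'only the leftmost RDN may be a wildcard'
        return '' if all(rdns) else 'empty RDN'
    return f'unknown identity type {kind!r}'

def ipaddr_matches(authid: str, peer: str) -> bool:
    """Whether a peer address falls within a single, subnet or range IpAddr value."""
    ip = ipaddress.ip_address(peer)
    if '-' in authid:
        lo, hi = (ipaddress.ip_address(p) for p in authid.split('-', 1))
        return ip.version == lo.version and lo <= ip <= hi
    return ip in ipaddress.ip_network(authid, strict=False)
```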