AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
A2A VPN Configuration Commands

NOTE:

AR502G-L-D-H and AR502GR-L-D-H do not support A2A VPN.

The AR510 series do not support A2A VPN.

V200R007C00SPC600PWE does not support A2A VPN.

display ipsec gdoi-policy

Function

The display ipsec gdoi-policy command displays GDOI policy information.

Format

display ipsec gdoi-policy [ policy-name [ seq-number ] ]

Parameters

Parameter

Description

Value

policy-name

Displays detailed information about the GDOI policy with a specified name. This parameter is specified by running the ipsec policy (system view) command.

The value must be an existing GDOI policy name.

seq-number

Displays information about the GDOI policy with a specified sequence number. This parameter is specified by running the ipsec policy (system view) command.

The value must be an existing GDOI policy sequence number.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display detailed GDOI policy information.

<Huawei> display ipsec gdoi-policy
===========================================
Gdoi policy group: "pol"
Using interface: GigabitEthernet0/0/0
=========================================== 
   Sequence number: 10
   Group identity : 1234
   Key server ID  : 192.168.100.1(active)
                  : 192.168.100.2
   Peer name      : rut
   Local acl      :3000
   GM reregister  : 2012-7-4 13:19:22
   Rekey received : 2012-7-4 13:29:22 
   Rekey received cumulative : 22
   Rekey received after register : 22
   Rekey ack sent : 0
     
   ACL Downloaded From KS 192.168.100.1:
    Protocol : 0/permit
    Flow source       : 10.0.0.0/255.0.0.0 0/0
    Flow destination  : 10.1.0.0/255.0.0.0 0/0   
 
   TEK POLICY:
    SA mode:normal
    SPI: 0xF72C50FC(4146876668)
    Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
    SA remaining lifetime (secs): 42
    Anti-replay (time based) :disable

   KEK POLICY: 
    Rekey transport type        : multicast
    Lifetime (secs)             : 70449
    Encrypt algorithm           : 3DES
    Encrypt key size            : 192
    Signature hash algorithm    : HMAC_AUTH_SHA
    Signature key length (bits) : 1024
    Signature algorithm         : SIG_ALG_RSA

NOTE:

The ESP-ENCRYPT-3DES-192, ESP-AUTH-MD5, 3DES, HMAC_AUTH_SHA and SIG_ALG_RSA algorithms have security risks; therefore, exercise caution when you use them.

Table 10-39  Description of the display ipsec gdoi-policy command output

Item

Description

Gdoi policy group

Name of the GDOI policy group. To create a GDOI policy, run the ipsec policy (system view) command.

Using interface

Interface to which a GDOI policy is applied. To apply a GDOI policy to an interface, run the ipsec policy (interface view) command.

Sequence number

Sequence number of the applied IPSec policy. To create a GDOI policy, run the ipsec policy (system view) command.

Group identity

GDOI group ID.

Key server ID

IP address of the KS.

Peer name

Name of the referenced IKE peer. To create an IKE peer, run the ike-peer command.

Local acl

Number of a local ACL. To reference an ACL, run the security acl command.

GM reregister

Time at which a GM registers with the KS.

Rekey received

Time at which a GM receives Rekey messages.

Rekey received cumulative

Total number of Rekey messages received by a GM.

Rekey received after register

Number of Rekey messages received by a GM after it registers with the KS.

Rekey ack sent

Number of responses to unicast Rekey messages sent by a GM.

ACL Downloaded From KS

ACL downloaded from the KS by the GM.

Protocol

Number of the protocol whose data flows are protected by the SA.

Flow source

Source address of encryption data flows.
  • The value 10.0.0.0 indicates the network segment address of the source IP address.

  • The value 255.0.0.0 indicates the network mask.

  • The value 0/0 indicates the ACL number and port number.

Flow destination

Destination address of encryption data flows.
  • The value 10.1.0.0 indicates the network segment address of the destination IP address.

  • The value 255.0.0.0 indicates the network mask.

  • The value 0/0 indicates the ACL number and port number.

TEK POLICY

Policy for the traffic encryption key.

SA mode

TEK SA mode.

SPI

Security parameter index.

Proposal

A2A VPN Security proposal name referenced in a GDOI policy.

SA remaining lifetime (secs)

Remaining lifetime of the TEK SA.

Anti-replay (time based)

Time-based anti-replay. This parameter is not supported.

KEK POLICY

Policy for key encryption key.

Rekey transport type

Type of the received Rekey message.
  • unicast
  • multicast

Lifetime (secs)

Remaining lifetime of the KEK SA.

Encrypt algorithm

Encryption algorithm used in a GDOI policy.

Encrypt key size

Key length of the encryption algorithm.

Signature hash algorithm

Hash algorithm used to calculate a signature.

Signature key length (bits)

Private key length of the signature.

Signature algorithm

Signature algorithm used in a GDOI policy.

display ipsec gdoi-sa

Function

The display ipsec gdoi-sa command displays GDOI SA information.

Format

display ipsec gdoi-sa [ policy-name [ seq-number ] ]

Parameters

Parameter

Description

Value

policy-name

Displays the SA established through a specified GDOI policy. This parameter is specified by running the ipsec policy (system view) command.

The value must be an existing GDOI policy name.

seq-number

Specifies the sequence number of the GDOI policy. This parameter is specified by running the ipsec policy (system view) command.

The value must be an existing GDOI policy sequence number.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display detailed information about the SA established through a GDOI policy.

<Huawei> display ipsec gdoi-sa
===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================
  -----------------------------
  Gdoi policy name: "policy1"
  Sequence number : 10
  -----------------------------

      [TEK SA]
      Protected vrf: 0
      Protocol     : 0
      Flow source       : 10.0.0.0/255.0.0.0 0/0
      Flow destination  : 192.0.0.0/255.0.0.0 0/0

      Inpacket count            : 0
      Inpacket decap count      : 0
      Outpacket count           : 0
      Outpacket encap count     : 0
      Inpacket drop count       : 0
      Outpacket drop count      : 0

      SA mode : normal
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
      SA remaining lifetime (secs) : 127
      Anti-replay (time based) : disable

      [KEK POLICY]
      Rekey transport type        : multicast
      Lifetime (secs)             : 70449
      Encrypt algorithm           : 3DES
      Encrypt key size            : 192
      Signature hash algorithm    : HMAC_AUTH_SHA
      Signature key length (bits) : 1024
      Signature algorithm         : SIG_ALG_RSA

NOTE:

ESP-ENCRYPT-DES-64, ESP-AUTH-MD5, HMAC_AUTH_SHA, and 1024-bit SIG_ALG_RSA are insecure, and have potential security risks. Exercise caution when you use them.

Table 10-40  Description of the display ipsec gdoi-sa command output

Item

Description

Interface

Interface to which a GDOI policy is applied. To apply a GDOI policy to an interface, run the ipsec policy (interface view) command.

Path MTU

MTU of the interface.

Gdoi policy name

Name of the applied GDOI policy. To create a GDOI policy, run the ipsec policy (system view) command.

Sequence number

Sequence number of the applied GDOI policy. To create a GDOI policy, run the ipsec policy (system view) command.

TEK SA

SA of the traffic encryption key.

Protected vrf

VPN instance protected by A2A VPN. To specify the VPN instance bound to A2A VPN, run the sa binding vpn-instance (IKE peer view) command.

Protocol

Number of the protocol whose data flows are protected by the SA.

Flow source

Source address of encryption data flows.
  • The value 10.0.0.0 indicates the network segment address of the source IP address.

  • The value 255.0.0.0 indicates the network mask.

  • The value 0/0 indicates the ACL number and port number.

Flow destination

Destination address of encryption data flows.
  • The value 192.0.0.0 indicates the network segment address of the destination IP address.

  • The value 255.0.0.0 indicates the network mask.

  • The value 0/0 indicates the ACL number and port number.

Inpacket count

Number of incoming IPSec packets.

Inpacket decap count

Number of times that the device decapsulates incoming packets.

Outpacket count

Number of outgoing IPSec packets.

Outpacket encap count

Number of times that the device encapsulates outgoing packets.

Inpacket drop count

Number of discarded incoming packets.

Outpacket drop count

Number of discarded outgoing packets.

SA mode

TEK SA mode.

Proposal

A2A VPN Security proposal name referenced in a GDOI policy.

SA remaining lifetime (secs)

Remaining lifetime of the TEK SA.

Anti-replay (time based)

Time-based anti-replay. This parameter is not supported.

KEK POLICY

Policy for the key encryption key.

Rekey transport type

Type of the received Rekey message.
  • unicast
  • multicast

Lifetime (secs)

Remaining lifetime of the KEK SA.

Encrypt algorithm

Encryption algorithm used in a GDOI policy.

Encrypt key size

Key length of the encryption algorithm.

Signature hash algorithm

Hash algorithm used by a signature.

Signature key length (bits)

Private key length of the signature.

Signature algorithm

Signature algorithm used in a GDOI policy.
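The two display outputs above share one layout (a section header such as [TEK SA] or TEK POLICY:, then field : value lines), so a GM's negotiated algorithms can be audited mechanically instead of read by eye. The following Python script is an added example and not Huawei code: it parses a constructed excerpt of the display ipsec gdoi-sa output and a short excerpt of the display ipsec gdoi-policy output into sections, then flags the algorithms the NOTEs above call out (DES, 3DES, MD5 and the SHA-1-based HMAC_AUTH_SHA), rekey signature keys shorter than 2048 bits, and non-zero drop counters. The 2048-bit threshold, the function names and the sample text are this example's own assumptions; the reference only states that 1024-bit SIG_ALG_RSA is insecure.

```python
"""Audit 'display ipsec gdoi-policy' / 'display ipsec gdoi-sa' output for weak
algorithms and dropped traffic.

Added example (not Huawei code). The sample text below is constructed from the
command reference's example output and shortened; it was not captured from a device.
"""
import re

# Section headers appear as "[TEK SA]" / "[KEK POLICY]" (gdoi-sa) or as
# "TEK POLICY:" / "KEK POLICY:" (gdoi-policy).
SECTION_RE = re.compile(r"^\[?(TEK SA|TEK POLICY|KEK POLICY)\]?:?$")
# Tokens the reference's NOTEs call out; "SHA" covers HMAC_AUTH_SHA (SHA-1).
WEAK_TOKENS = {"DES", "3DES", "MD5", "SHA"}
MIN_SIG_BITS = 2048  # this example's threshold; the reference only says 1024 bits is insecure

SAMPLE_GDOI_SA = """\
<Huawei> display ipsec gdoi-sa
===============================
Interface: GigabitEthernet0/0/0
 Path MTU: 1500
===============================
  -----------------------------
  Gdoi policy name: "policy1"
  Sequence number : 10
  -----------------------------

      [TEK SA]
      Flow source       : 10.0.0.0/255.0.0.0 0/0
      Flow destination  : 192.0.0.0/255.0.0.0 0/0
      Inpacket count            : 0
      Outpacket count           : 0
      Inpacket drop count       : 0
      Outpacket drop count      : 0
      SA mode : normal
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
      SA remaining lifetime (secs) : 127

      [KEK POLICY]
      Rekey transport type        : multicast
      Encrypt algorithm           : 3DES
      Encrypt key size            : 192
      Signature hash algorithm    : HMAC_AUTH_SHA
      Signature key length (bits) : 1024
      Signature algorithm         : SIG_ALG_RSA
"""

# Excerpt of the gdoi-policy form: a continuation line for the second key server
# and the "TEK POLICY:" header style.
SAMPLE_GDOI_POLICY_EXCERPT = """\
   Key server ID  : 192.168.100.1(active)
                  : 192.168.100.2
   TEK POLICY:
    Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
"""


def parse_gdoi_output(text):
    """Return {section: {field: value}}; fields before the first section go under 'header'."""
    sections = {"header": {}}
    current, last_key = "header", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "-"}:
            continue  # blank lines and ==== / ---- rulers
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        if ":" not in line:
            continue  # e.g. the "<Huawei> display ..." prompt line
        key, _, value = line.partition(":")  # split on the first colon only (times contain colons)
        key, value = key.strip(), value.strip()
        if key:
            sections[current][key] = value
            last_key = key
        elif last_key:
            sections[current][last_key] += " " + value  # ": 192.168.100.2" continuation
    return sections


def audit(sections):
    """Return human-readable findings for weak crypto and dropped traffic."""
    findings = []
    for name in ("TEK SA", "TEK POLICY"):
        proposal = sections.get(name, {}).get("Proposal", "")
        for token in re.split(r"[-\s]+", proposal):  # ESP-ENCRYPT-DES-64 -> ..., DES, 64
            if token in WEAK_TOKENS:
                findings.append(f"{name}: weak algorithm {token} in proposal '{proposal}'")
    kek = sections.get("KEK POLICY", {})
    enc = kek.get("Encrypt algorithm", "")
    if enc.upper() in WEAK_TOKENS:
        findings.append(f"KEK POLICY: weak rekey encryption algorithm {enc}")
    sig_hash = kek.get("Signature hash algorithm", "")
    if WEAK_TOKENS & set(sig_hash.split("_")):
        findings.append(f"KEK POLICY: weak signature hash {sig_hash}")
    bits = kek.get("Signature key length (bits)", "")
    if bits.isdigit() and int(bits) < MIN_SIG_BITS:
        findings.append(f"KEK POLICY: {bits}-bit rekey signature key is shorter than {MIN_SIG_BITS} bits")
    tek = sections.get("TEK SA", {})
    for field in ("Inpacket drop count", "Outpacket drop count"):
        count = tek.get(field, "0")
        if count.isdigit() and int(count) > 0:
            findings.append(f"TEK SA: {field} = {count}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_gdoi_output(SAMPLE_GDOI_SA)):
        print(finding)
```

Run against the constructed gdoi-sa excerpt the script reports five findings: DES and MD5 in the TEK proposal, 3DES and HMAC_AUTH_SHA in the KEK policy, and the 1024-bit rekey signature key. Feeding it the saved output of several GMs is a quick way to confirm that a KS-side proposal change has actually propagated after a rekey.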

gdoi sa direction receive-option

Function

The gdoi sa direction receive-option command sets the SA mode to Receive_Option. In this mode, the device can receive both cipher text and plain text packets but can send only cipher text packets.

Format

gdoi sa direction receive-option

Parameters

None

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

When you deploy A2A VPN on an existing network, a GM that has already joined a group (GM_1, for example) can send and receive only cipher text packets, while the GMs that have not yet joined the group can send and receive only plain text packets. The other GMs discard the encrypted packets from GM_1 because they cannot decrypt them, and GM_1 discards the plain text packets from the other GMs, so services are interrupted. Running this command on the GMs lets A2A VPN be deployed in several stages without interrupting services.

Example

# Set the SA mode to Receive_Option.

<Huawei> gdoi sa direction receive-option

group identity number

Function

The group identity number command configures an identifier for a GDOI group.

The undo group identity number command deletes the identifier of a GDOI group.

By default, a GDOI group has no identifier.

Format

group identity number { group-number | ip-address }

undo group identity number

Parameters

Parameter

Description

Value

group-number

Specifies the GDOI group ID.

The value is an integer that ranges from 0 to 4294967295.

ip-address

Specifies the IP address of the GDOI group.

The value is in dotted decimal notation.

Views

GDOI policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to configure an identifier for a GDOI group in A2A VPN. The KS determines the GDOI group to which a GM is to be added based on the group ID submitted by the GM.

Precautions

You can configure either a group ID or an IP address for a GDOI group at one time. If you run the command multiple times, only the latest configuration takes effect.

Example

# Configure an identifier for a GDOI group.

<Huawei> system-view
[Huawei] ipsec policy mypolicy 4 gdoi
[Huawei-ipsec-policy-gdoi-mypolicy-4] group identity number 10

ike-peer

Function

The ike-peer command references an IKE peer.

The undo ike-peer command cancels the configuration.

By default, no IKE peer is referenced.

Format

ike-peer peer-name

undo ike-peer

Parameters

Parameter

Description

Value

peer-name

Specifies the name of the referenced IKE peer.

The value is an existing IKE peer name.

Views

IPSec policy view, IPSec policy template view, IPSec profile view, GDOI policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When you configure IKE negotiation, you need to reference an IKE peer in the specified view.

Prerequisites

An IKE peer has been created using the ike peer command in the system view.

Example

# Reference the IKE peer mypeer in an IPSec policy.

<Huawei> system-view
[Huawei] ike peer mypeer v1
[Huawei-ike-peer-mypeer] quit
[Huawei] ipsec policy map1 10 isakmp
[Huawei-ipsec-policy-isakmp-map1-10] ike-peer mypeer

# Reference the IKE peer mypeer in an IPSec profile.

<Huawei> system-view
[Huawei] ike peer mypeer v1
[Huawei-ike-peer-mypeer] quit
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] ike-peer mypeer

# Reference the IKE peer mypeer in the GDOI policy.

<Huawei> system-view
[Huawei] ike peer mypeer v1
[Huawei-ike-peer-mypeer] quit
[Huawei] ipsec policy map2 10 gdoi
[Huawei-ipsec-policy-gdoi-map2-10] ike-peer mypeer

ipsec gdoi multicast-rekey ip

Function

The ipsec gdoi multicast-rekey ip command configures an IP address for multicast Rekey messages.

The undo ipsec gdoi multicast-rekey ip command deletes an IP address for multicast Rekey messages.

By default, no IP address is configured for multicast Rekey messages.

Format

ipsec gdoi multicast-rekey ip ip-address

undo ipsec gdoi multicast-rekey ip

Parameters

Parameter

Description

Value

ip-address

Specifies an IP address for multicast Rekey messages.

The value ranges from 224.0.1.0 to 239.255.255.255, in dotted decimal notation.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an IP address for multicast Rekey messages is configured, GMs that listen on this IP address and UDP port 848/4500 update their TEK SAs or KEK SAs based on the multicast Rekey messages they receive.

Precautions

The IP address for multicast Rekey messages configured on the GM must be the same as that configured on the KS.

After you configure this command, the following commands must be configured; otherwise, the configuration does not take effect.
  • Run the multicast routing-enable command to enable the multicast routing function.

  • Run the pim dm command to enable the PIM-DM function on an interface.

  • Run the igmp static-group command to configure a static multicast group on an interface.

Example

# Set the IP address for multicast Rekey messages to 225.0.0.1.

<Huawei> system-view
[Huawei] ipsec gdoi multicast-rekey ip 225.0.0.1

ipsec policy (system view)

Function

The ipsec policy command creates an IPSec policy and displays the IPSec policy view.

The undo ipsec policy command deletes an IPSec policy.

By default, no IPSec policy is configured.

Format

ipsec policy policy-name seq-number [ gdoi | isakmp [ template template-name ] | manual ]

undo ipsec policy policy-name [ seq-number ]

Parameters

Parameter

Description

Value

policy-name

Specifies the name of an IPSec policy.

The value is a string of 1 to 15 case-sensitive characters without question marks (?) or spaces.

seq-number

Specifies the sequence number of an IPSec policy.

The value is an integer that ranges from 1 to 10000. A smaller value indicates a higher IPSec policy priority.

gdoi

Indicates that an IPSec SA is established in GDOI mode.

-

isakmp

Indicates that an IPSec policy is established in IKE negotiation mode.

-

template template-name

Indicates that the IPSec policy template is applied to the IPSec policy. template-name specifies the name of an IPSec policy template.

The value is a string of 1 to 15 case-sensitive characters without question marks (?) or spaces.

manual

Indicates that an IPSec SA is created manually.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec policy is identified by its name and sequence number; multiple IPSec policies with the same name constitute an IPSec policy group.

  • GDOI mode

    This mode can be used when you deploy A2A VPNs.

  • Manual mode

    IPSec parameters including the authentication/encryption key and SPI on IPSec peers must mirror each other. That is, IPSec parameters of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and IPSec parameters of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

  • IKE negotiation mode: IPSec parameters are automatically negotiated through IKE. This mode is classified into ISAKMP and IPSec policy template:

    • ISAKMP

      Negotiated IPSec parameters are defined in the IPSec policy view, and the initiator and responder must use the same IPSec parameters.

    • IPSec policy template

      Negotiated IPSec parameters are defined in the IPSec policy template view. The initiator determines optional parameters, and the responder accepts the parameters delivered by the initiator. If an IPSec policy template is configured at the local end, the local end can only function as the responder to receive negotiation requests.

      An IPSec policy template can be used to configure multiple IPSec policies, reducing the workload of establishing multiple IPSec tunnels. An IPSec policy template suits specific scenarios, for example, one where the remote IP address is variable or unknown (an IP address obtained using PPPoE) and the remote peers are allowed to initiate negotiation with the local end.

      ACLs in this mode are optional. If no ACL is configured, the responder uses the ACL configured on the initiator to protect data flows.

The manual mode applies to small-scale networks or scenarios where only a few IPSec peers exist. The IKE negotiation mode applies to medium- and large-scale networks. The GDOI mode applies when multiple branches exist and a large number of multicast services need to be encrypted.

Follow-up Procedure

Define negotiated IPSec parameters in the IPSec policy view and run the ipsec policy (interface view) command to apply the IPSec policy to an interface.

Precautions

  • If an IPSec policy template is used to create an IPSec policy, the local end can only respond to negotiation initiated by the remote end, and cannot initiate negotiation.

  • When creating an IPSec policy, you must specify the SA creation mode. When entering the view of an existing IPSec policy, you do not need to specify the SA creation mode.

  • Before modifying the negotiation mode of a created IPSec policy, delete the IPSec policy and create it again.

Example

# Create an IPSec policy policy1 whose sequence number is 100, and set the SA creation mode to manual.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] 

qos group

Function

The qos group command configures the QoS group to which the IPSec packets belong.

The undo qos group command deletes the QoS group to which the IPSec packets belong.

By default, no QoS group is configured.

Format

qos group qos-group-value

undo qos group

Parameters

Parameter

Description

Value

qos-group-value

Specifies the ID of the QoS group.

The value is an integer that ranges from 1 to 99.

Views

Manual IPSec policy view, IPSec policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, GDOI policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When both an IPSec policy and a QoS policy are used on an interface, you can run this command to specify the QoS group to which the IPSec packets belong to facilitate QoS management.

Follow-up Procedure

After QoS for IPSec packets is enabled, run the if-match qos-group qos-group-value command in the traffic classifier view to configure a matching rule based on the QoS group.

Example

# Configure the QoS group to which the IPSec packets belong in the IPSec policy view.

<Huawei> system-view
[Huawei] ipsec policy policy1 10 isakmp
[Huawei-ipsec-policy-isakmp-policy1-10] qos group 30

qos pre-classify

Function

The qos pre-classify command enables pre-extraction of original IP packets.

The undo qos pre-classify command disables pre-extraction of original IP packets.

By default, pre-extraction of original IP packets is disabled.

Format

qos pre-classify

undo qos pre-classify

Parameters

None

Views

Tunnel interface view, IPSec Efficient VPN policy view, Manual IPSec policy view, IPSec policy view , IPSec policy template view, IPSec profile view, GDOI policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In tunnel mode, QoS parameters such as the packet header and protocol type in original packets are hidden after IP packets are encapsulated through IPSec. Although IPSec uses the DSCP field in original packets as the DSCP field in the IP packet header, some QoS solutions require quintuple information. The encryption device can pre-extract quintuple information including the source address, destination address, protocol type, source port number, and destination port number to facilitate refined QoS management on IPSec packets.

In an A2A VPN solution, the device uses the IP header of original packets as the IP header for encapsulated A2A VPN packets. Therefore, you do not need to configure this command if the device classifies packets based on the source address, destination address, or protocol type only.

Follow-up Procedure

After pre-extraction of original IP packets is enabled, run the if-match acl { acl-number | acl-name } command in the traffic classifier view to configure a matching rule based on the ACL.

Example

# Enable pre-extraction of original IP packets in the IPSec policy view.

<Huawei> system-view
[Huawei] ipsec policy policy1 10 isakmp
[Huawei-ipsec-policy-isakmp-policy1-10] qos pre-classify

reset ipsec gdoi-sa

Function

The reset ipsec gdoi-sa command deletes TEK SAs and KEK SAs of all created GDOI policies.

Format

reset ipsec gdoi-sa [ policy policy-name [ seq-number ] ]

Parameters

Parameter

Description

Value

policy policy-name [ seq-number ]

Specifies the name and sequence number of a GDOI policy. The seq-number parameter is optional. If seq-number is not specified, all the TEK SAs and KEK SAs in the GDOI policy group specified by policy-name are deleted. This parameter is specified by running the ipsec policy (system view) command.

The value must be an existing GDOI policy name and sequence number.

Views

User view

Default Level

3: Management level

Usage Guidelines

When running the reset ipsec gdoi-sa command, pay attention to the following:

  • If no parameter is specified, the TEK SAs and KEK SAs of all GDOI policies are deleted.

  • If both policy and seq-number are specified, the TEK SAs and KEK SAs of the GDOI policy with the specified name and sequence number are deleted. If only policy is specified, all the TEK SAs and KEK SAs in the specified GDOI policy group are deleted.

Example

# Delete the TEK SAs and KEK SAs of all GDOI policies.

<Huawei> reset ipsec gdoi-sa

# Delete all the TEK SAs and KEK SAs in the GDOI policy group policy1.

<Huawei> reset ipsec gdoi-sa policy policy1

# Delete the TEK SA and KEK SA of the GDOI policy with the name policy1 and sequence number 4.

<Huawei> reset ipsec gdoi-sa policy policy1 4

security acl

Function

The security acl command references an ACL.

The undo security acl command cancels the configuration.

By default, no ACL is referenced.

Format

security acl acl-number [ dynamic-source ]

undo security acl

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

An integer ranging from 3000 to 3999.

dynamic-source

Indicates that the IP address of the applied interface in the IPSec policy replaces the source IP address in its referenced ACL. This parameter is only valid in IPSec policy view.

-

Views

Manual IPSec policy view, IPSec policy view, IPSec policy template view, Efficient VPN policy view, GDOI policy view

Default Level

2: Configuration level

Usage Guidelines

The security acl command references an ACL that defines data flows to be protected by IPSec. In practice, you need to configure an ACL to define data flows to be protected and apply the ACL to an IPSec policy to protect the data flows.

When the ACL to be referenced is difficult to configure in advance and the branch subnet uses a translated, dynamically assigned dial-up address to connect to the headquarters network through IPSec, specify dynamic-source so that the IP address of the outbound interface in the IPSec policy replaces the source IP address in the referenced ACL. The replacement address uses a 32-bit subnet mask.

Example

# Reference ACL 3100 in a manually created IPSec policy.

<Huawei> system-view
[Huawei] acl number 3100
[Huawei-acl-adv-3100] rule permit tcp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0
[Huawei-acl-adv-3100] quit
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] security acl 3100

# Reference ACL 3101 in an IPSec policy, and replace the source IP address in its referenced ACL with the IP address of the applied interface in the IPSec policy.

<Huawei> system-view
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip destination 10.1.1.2 0.0.0.0
[Huawei-acl-adv-3101] quit
[Huawei] ipsec policy policy1 10 isakmp
[Huawei-ipsec-policy-isakmp-policy1-10] security acl 3101 dynamic-source

# Reference ACL 3101 in an Efficient VPN policy.

<Huawei> system-view
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit tcp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0
[Huawei-acl-adv-3101] quit
[Huawei] ipsec efficient-vpn name mode network
[Huawei-ipsec-efficient-vpn-name] security acl 3101

# Reference ACL 3101 in a GDOI policy.

<Huawei> system-view
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip destination 10.1.1.2 0.0.0.0
[Huawei-acl-adv-3101] quit
[Huawei] ipsec policy policy1 10 gdoi
[Huawei-ipsec-policy-gdoi-policy1-10] security acl 3101

tunnel local

Function

The tunnel local command configures an IP address for the local end of an IPSec tunnel or A2A VPN.

The undo tunnel local command deletes the IP address of the local end of an IPSec tunnel or A2A VPN.

By default, no IP address is configured for the local end of an IPSec tunnel or A2A VPN.

Format

tunnel local { ip-address | binding-interface }

undo tunnel local

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address for the local end of an IPSec tunnel or A2A VPN.

The value is a valid IPv4 address in dotted decimal notation.

binding-interface

Specifies the primary address of the interface to which the IPSec policy is applied as the IP address for the local end of an IPSec tunnel or A2A VPN.

NOTE:
This parameter takes effect only in the IPSec policy view and GDOI policy view.

-

Views

Manual IPSec policy view, IPSec policy view, Efficient VPN policy view, GDOI policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to specify a start point for an IPSec tunnel or A2A VPN.

For a manually created IPSec policy, run the tunnel local ip-address command to configure an IP address for the local end before you create an SA. An IPSec tunnel can be established between the two ends only after correct IP addresses are configured for the local end (start point) and the remote end (end point).

For an ISAKMP or GDOI policy, you do not need to configure an IP address for the local end of an IPSec tunnel or A2A VPN. During SA negotiation, the device will select an appropriate address based on routing.
  • If the IP address of the interface to which an IPSec policy is applied varies or is unknown, run the tunnel local ip-address command to specify the IP address of another interface (such as the loopback interface) on the device as the IP address for the local end of an IPSec tunnel or A2A VPN. Otherwise, run the tunnel local binding-interface command to specify the IP address of the interface as the IP address for the local end of an IPSec tunnel or A2A VPN.
  • If the interface to which an IPSec policy is applied has multiple IP addresses (one primary IP address and several secondary IP addresses), run the tunnel local ip-address command to specify one of these IP addresses as the IP address for the local end of an IPSec tunnel or A2A VPN. Otherwise, run the tunnel local binding-interface command to specify the IP address of the interface as the IP address for the local end of an IPSec tunnel or A2A VPN.
  • If equal-cost routes exist between the local and remote ends, run the tunnel local { ip-address | binding-interface } command to configure an IP address for the local end of an IPSec tunnel or A2A VPN.

Precautions

If an IPSec policy is created manually, the local address (tunnel local) at the local end must be the same as the remote address (tunnel remote) at the remote end.

If an IPSec policy is created in IKE negotiation mode and this command is used:
  • The address set by tunnel local at the local end must be the same as the remote-address (IKE peer view) configured in the IKE peer that the remote end references.
  • The tunnel local command takes effect only when the referenced IKE peer is configured with the local address.

Example

# Configure the IP address for the local end of the IPSec tunnel to 10.1.1.1 in the manual IPSec policy view.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] tunnel local 10.1.1.1

# Configure the primary IP address of the interface to which the IPSec policy using IKE negotiation is applied as the IP address of the local end in an IPSec tunnel.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] tunnel local binding-interface

# Configure the primary address of the interface to which the GDOI policy is applied as the IP address for the local end.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 gdoi
[Huawei-ipsec-policy-gdoi-policy1-100] tunnel local binding-interface
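The value ranges and view restrictions this section states for ipsec policy (system view), group identity number, ipsec gdoi multicast-rekey ip, qos group, security acl and tunnel local can be checked before a configuration is pasted into a device, which catches the mistakes the CLI would otherwise reject one line at a time. The Python script below is an added example and not Huawei code: it maps the prompt formats shown in this reference ([Huawei], [Huawei-ipsec-policy-gdoi-name-seq], and so on) to views and lints a constructed configuration snippet that deliberately violates several of the stated limits. The snippet, the view names and the function names are this example's own; the limits themselves are the ones printed in the parameter tables above.

```python
"""Lint a planned A2A VPN / IPSec configuration against the value ranges and
view restrictions stated in this command reference.

Added example, not Huawei code. Prompt-to-view mapping assumes the prompt
formats the reference itself shows; the config snippet is constructed.
"""
import re
from ipaddress import IPv4Address

PROMPT_RE = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s*(?P<cmd>.*)$")
VIEW_BY_MODE = {"manual": "manual-policy", "isakmp": "ipsec-policy", "gdoi": "gdoi-policy"}
REKEY_LOW, REKEY_HIGH = IPv4Address("224.0.1.0"), IPv4Address("239.255.255.255")

# Constructed input: lines 2, 3, 4, 6, 10 and 11 each break a rule stated in the reference.
SAMPLE_CONFIG = """\
<Huawei> system-view
[Huawei] ipsec gdoi multicast-rekey ip 224.0.0.5
[Huawei] ipsec policy gdoipol 0 gdoi
[Huawei-ipsec-policy-gdoi-gdoipol-0] group identity number 4294967296
[Huawei-ipsec-policy-gdoi-gdoipol-0] security acl 3100
[Huawei-ipsec-policy-gdoi-gdoipol-0] qos group 100
[Huawei-ipsec-policy-gdoi-gdoipol-0] tunnel local binding-interface
[Huawei-ipsec-policy-gdoi-gdoipol-0] quit
[Huawei] ipsec policy manpol 100 manual
[Huawei-ipsec-policy-manual-manpol-100] security acl 2999 dynamic-source
[Huawei-ipsec-policy-manual-manpol-100] tunnel local binding-interface
"""


def view_of(prompt):
    """Map a CLI prompt to the view it denotes: system view or one of the IPSec policy views."""
    if prompt == "Huawei":
        return "system"
    m = re.match(r"Huawei-ipsec-policy-(manual|isakmp|gdoi)-", prompt)
    return VIEW_BY_MODE[m.group(1)] if m else "other"


def _in_range(text, lo, hi):
    return text.isdigit() and lo <= int(text) <= hi


def _is_ipv4(text):
    try:
        IPv4Address(text)
        return True
    except ValueError:
        return False


def check_command(view, cmd):
    """Return the problems found in one command entered in the given view (empty if valid)."""
    w = cmd.split()
    problems = []
    if w[:2] == ["ipsec", "policy"] and view == "system" and len(w) >= 4:
        name, seq = w[2], w[3]
        if not 1 <= len(name) <= 15 or "?" in name:
            problems.append(f"policy name '{name}' must be 1-15 characters without '?' or spaces")
        if not _in_range(seq, 1, 10000):
            problems.append(f"sequence number '{seq}' must be 1-10000")
    elif w[:3] == ["group", "identity", "number"] and len(w) == 4:
        if not (_in_range(w[3], 0, 4294967295) or _is_ipv4(w[3])):
            problems.append(f"group identity '{w[3]}' must be 0-4294967295 or an IPv4 address")
    elif w[:4] == ["ipsec", "gdoi", "multicast-rekey", "ip"] and len(w) == 5:
        if not (_is_ipv4(w[4]) and REKEY_LOW <= IPv4Address(w[4]) <= REKEY_HIGH):
            problems.append(f"multicast rekey address '{w[4]}' must be in 224.0.1.0-239.255.255.255")
    elif w[:2] == ["qos", "group"] and len(w) == 3:
        if not _in_range(w[2], 1, 99):
            problems.append(f"qos group '{w[2]}' must be 1-99")
    elif w[:2] == ["security", "acl"] and len(w) >= 3:
        if not _in_range(w[2], 3000, 3999):
            problems.append(f"ACL number '{w[2]}' must be 3000-3999")
        if "dynamic-source" in w[3:] and view != "ipsec-policy":
            problems.append("dynamic-source is only valid in the IPSec policy view")
    elif w[:2] == ["tunnel", "local"] and len(w) == 3:
        if w[2] == "binding-interface" and view not in ("ipsec-policy", "gdoi-policy"):
            problems.append("binding-interface takes effect only in the IPSec policy and GDOI policy views")
        elif w[2] != "binding-interface" and not _is_ipv4(w[2]):
            problems.append(f"tunnel local address '{w[2]}' is not a valid IPv4 address")
    return problems


def lint_config(text):
    """Return [(line_number, problem), ...] for every prompt-prefixed line in a CLI transcript."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue  # user-view lines such as "<Huawei> system-view" carry no policy commands
        for problem in check_command(view_of(m.group("prompt")), m.group("cmd")):
            findings.append((lineno, problem))
    return findings


if __name__ == "__main__":
    for lineno, problem in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {problem}")
```

On the constructed snippet the linter reports seven problems on six lines; line 10 produces two (an ACL number below 3000 and dynamic-source used outside the IPSec policy view). Because the checks are keyed on the view, the same security acl 3101 dynamic-source line passes when it is entered under an isakmp policy prompt.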
Updated: 2019-05-29

Document ID: EDOC1000097293