Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

tunnel local

Function

The tunnel local command configures an IP address for the local end of an IPSec tunnel or A2A VPN.

The undo tunnel local command deletes the IP address of the local end of an IPSec tunnel or A2A VPN.

By default, no IP address is configured for the local end of an IPSec tunnel or A2A VPN.

Format

tunnel local { ip-address | binding-interface }

undo tunnel local

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address | Specifies the IP address for the local end of an IPSec tunnel or A2A VPN. | The value is a valid IPv4 address in dotted decimal notation. |
| binding-interface | Specifies the primary address of the interface to which the IPSec policy is applied as the IP address for the local end of an IPSec tunnel or A2A VPN. NOTE: This parameter takes effect only in the IPSec policy view and GDOI policy view. | - |

Views

Manual IPSec policy view, IPSec policy view, Efficient VPN policy view, GDOI policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to specify a start point for an IPSec tunnel or A2A VPN.

For a manually created IPSec policy, run the tunnel local ip-address command to configure an IP address for the local end before you can create an SA. An IPSec tunnel can be established between the two ends only after correct IP addresses are configured for the local end (start point) and remote end (end point).

For an ISAKMP or GDOI policy, you do not need to configure an IP address for the local end of an IPSec tunnel or A2A VPN. During SA negotiation, the device selects an appropriate address based on routing. Configure the address in the following cases:
  • If the IP address of the interface to which an IPSec policy is applied varies or is unknown, run the tunnel local ip-address command to specify the IP address of another interface (such as the loopback interface) on the device as the IP address for the local end of an IPSec tunnel or A2A VPN. Otherwise, run the tunnel local binding-interface command to specify the IP address of the interface as the IP address for the local end of an IPSec tunnel or A2A VPN.
  • If the interface to which an IPSec policy is applied has multiple IP addresses (one primary IP address and several secondary IP addresses), run the tunnel local ip-address command to specify one of these IP addresses as the IP address for the local end of an IPSec tunnel or A2A VPN. Otherwise, run the tunnel local binding-interface command to specify the IP address of the interface as the IP address for the local end of an IPSec tunnel or A2A VPN.
  • If equal-cost routes exist between the local and remote ends, run the tunnel local { ip-address | binding-interface } command to configure an IP address for the local end of an IPSec tunnel or A2A VPN.

Precautions

If an IPSec policy is created manually, the local address (tunnel local) at the local end must be the same as the remote address (tunnel remote) at the remote end.

If an IPSec policy is created in IKE negotiation mode and this command is used:
  • The tunnel local at the local end must be the same as the remote-address (IKE peer view) that the remote end references from the IKE peer.
  • The tunnel local command takes effect only when the referenced IKE peer is configured with the local address.

Example

# Configure the IP address for the local end of the IPSec tunnel to 10.1.1.1 in the manual IPSec policy view.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] tunnel local 10.1.1.1

# Configure the primary IP address of the interface to which the IPSec policy using IKE negotiation is applied as the IP address of the local end in an IPSec tunnel.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] tunnel local binding-interface

# Configure the primary address of the interface to which the GDOI policy is applied as the IP address for the local end.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 gdoi
[Huawei-ipsec-policy-gdoi-policy1-100] tunnel local binding-interface
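
The Precautions require that, for a manual IPSec policy, tunnel local on one end equals tunnel remote on the other. The following check is an added example, not part of the Huawei documentation: it parses two saved configurations and reports manual policies whose endpoints are missing or not mirrored. The sample configurations are constructed, the indented saved-configuration layout is an assumption, and pairing policies by the same name and sequence number on both devices is an assumption made for illustration.

```python
import re

# Constructed sample configurations (not taken from real devices).
ROUTER_A = """\
ipsec policy policy1 100 manual
 tunnel local 10.1.1.1
 tunnel remote 10.1.2.1
"""
ROUTER_B_OK = """\
ipsec policy policy1 100 manual
 tunnel local 10.1.2.1
 tunnel remote 10.1.1.1
"""
ROUTER_B_BAD = """\
ipsec policy policy1 100 manual
 tunnel local 10.1.2.2
 tunnel remote 10.1.1.1
"""

# Assumed layout: a policy header line followed by indented sub-commands.
HEADER = re.compile(r"^ipsec policy (\S+) (\d+) manual\s*$")
TUNNEL = re.compile(r"^\s+tunnel (local|remote) (\S+)\s*$")

def manual_policies(config):
    """Return {(name, seq): {"local": addr, "remote": addr}} for manual policies."""
    policies, current = {}, None
    for line in config.splitlines():
        head = HEADER.match(line)
        if head:
            current = policies.setdefault((head.group(1), int(head.group(2))), {})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the policy view
        elif current is not None:
            m = TUNNEL.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return policies

def check_pair(config_a, config_b):
    """List findings for manual policies whose endpoints are missing or not mirrored."""
    findings = []
    a, b = manual_policies(config_a), manual_policies(config_b)
    for key in sorted(a.keys() & b.keys()):
        for here, there, side in ((a[key], b[key], "A"), (b[key], a[key], "B")):
            local, remote = here.get("local"), there.get("remote")
            if local is None:
                findings.append(f"{key}: side {side} has no tunnel local")
            elif local != remote:
                findings.append(f"{key}: side {side} tunnel local {local} != peer tunnel remote {remote}")
    return findings
```
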
Updated: 2019-02-18

Document ID: EDOC1000097293
