No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
ipsec efficient-vpn (system view)

ipsec efficient-vpn (system view)


The ipsec efficient-vpn command creates an IPSec Efficient VPN policy and displays the IPSec Efficient VPN policy view.

The undo ipsec efficient-vpn command deletes an IPSec Efficient VPN policy.

By default, no IPSec Efficient VPN policy is created in the system.


ipsec efficient-vpn efficient-vpn-name [ mode { client | network | network-auto-cfg | network-plus } ]

undo ipsec efficient-vpn efficient-vpn-name






Specifies the name of an Efficient VPN policy.

The value is a string of 1 to 12 case-sensitive characters without question marks (?) or spaces.


Specifies the mode of the Efficient VPN policy.



Indicates the client mode.



Indicates the network mode.



Indicates the network-auto-cfg mode. The Network-auto-cfg mode is supported in IKEv1 only.



Indicates the network-plus mode.



System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When many branches and traveling staff connect to the headquarters over IPSec tunnels, similar or duplicate IPSec configurations and other network resource configurations must be configured on the branch and headquarters gateways. The Efficient VPN solution uses centralized IPSec configurations on the headquarters gateway and simplified IPSec configuration on each branch gateway. This solution reduces the manual configuration workload, and facilitates IPSec VPN configuration and maintenance.

The Efficient VPN policy has the following modes:

  • Client mode

    When a remote device requests an IP address from the Efficient VPN server, a loopback interface is dynamically created on the remote device and the IP address obtained from the server is assigned to the loopback interface. The remote device automatically enables NAT to translate its original IP address into the obtained IP address, and then uses this IP address to establish an IPSec tunnel with the headquarters.

    The client mode applies to scenarios where traveling staff or small-scale branches connect to the headquarters network through private networks. In client mode, devices connected to the Efficient VPN server or remote devices can use the same IP address. However, the number of devices allowed depends on the number of IP addresses assigned by the Efficient VPN server.

  • Network mode

    In network mode, a remote device does not apply to the Efficient VPN server for an IP address. Instead, the remote device uses the original IP address to establish an IPSec tunnel with the headquarters. Therefore, NAT is not enabled in network mode.

    The network mode applies to scenarios where IP addresses of the headquarters and branches are planned uniformly. Ensure that IP addresses do not conflict.

  • Network-plus mode

    Compared with the network mode, the remote device applies to the Efficient VPN server for an IP address in network-plus mode. IP addresses of branches and headquarters are configured beforehand. A remote device applies to the Efficient VPN server for an IP address. The Efficient VPN server uses the IP address to perform ping, Telnet, or other management and maintenance operations on the remote device. NAT is not enabled on the remote device.

  • Network-auto-cfg mode

    Compared with the network-plus mode, the remote device applies to the Efficient VPN server for an IP address pool in network-auto-cfg mode. The IP address pool is used for allocating addresses to users.

Follow-up Procedure

Configure negotiation parameters of Efficient VPN in the Efficient VPN policy view, and use the ipsec efficient-vpn (interface view) command to bind the Efficient VPN policy to an interface.


# Create the Efficient VPN policy named vpn1 in client mode.

<Huawei> system-view
[Huawei] ipsec efficient-vpn vpn1 mode client
Updated: 2019-05-29

Document ID: EDOC1000097293

Views: 135806

Downloads: 148

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next