eSight V300R009C00 Operation Guide 10

Discovering or Creating Services

You can use the service discovery function to discover services on devices and add them to eSight. You can also create services on eSight and deliver them to devices. eSight allows you to configure IPSec VPN services in batches.

Discovering Services

eSight discovers IPSec VPN services whose IPSec tunnels are established in either of the following ways:

  • Using an ACL to establish an IPSec tunnel: An ACL is configured to define the data flows to be protected. You need to configure an IPSec policy and apply the IPSec policy to an interface to protect IPSec packets.
  • Using a tunnel interface to establish an IPSec tunnel: An IPSec tunnel established using a tunnel interface is based on routes. In this mode, routes determine the data flows to be protected. You then need to configure an IPSec profile and apply the IPSec profile to the IPSec tunnel interface to protect IPSec packets.

To discover IPSec VPN services, eSight supports IKE negotiation that uses Preshared Key, Certificate, or Digital Envelope for authentication.

During the IPSec VPN service discovery, eSight automatically synchronizes data from the devices that provide services.

  1. Choose Resource > Network > Security Business > IPSec VPN Management from the main menu.

  2. Choose Service Management > Service Group from the navigation tree on the left.
  3. Click Discover Service.
  4. Click Add, choose the following menus based on the site requirements in the Select Device dialog box that is displayed, and select one or multiple devices.

    • Undiscovered Device: If this menu is chosen, only devices for which service discovery is not performed are displayed in Select Device.
    • All Device: If this menu is chosen, all IPSec devices are displayed in Select Device.

  5. Perform operations of service discovery according to instructions in the wizard.

    Discovery results are automatically assigned to service groups. Services on the Hub-Spoke network are assigned to the Automatic Discovery-Device name service group, and services on other networks are assigned to the Automatic Discovery service group.

Creating Services

  1. Choose Resource > Network > Security Business > IPSec VPN Management from the main menu.

  2. Choose Service Management > Service Group from the navigation tree on the left.
  3. (Optional) If no service group exists, create a service group first. If a service group exists, skip this step.

    1. Click in the toolbar.
    2. Set the service group name, select a networking type, and click Next.
    3. Select an authentication mode and set regional parameters, such as IKE Parameter and IPSec Parameter.
    4. Click OK.

  4. Create services.

    1. On the Service Group page, click the Service Group Name of the group for which services are to be created.
    2. Click Create.
    3. Set service-related information, and click Create in the ACL area to configure the data flows to be protected by the IPSec tunnel.
    NOTE:

    In general, only some data flows are transmitted to the peer through the IPSec tunnel, and others are directly forwarded to the Internet. You need to configure traffic rules to specify the data flows to be sent to the IPSec tunnel.

  5. Confirm authentication parameters and click OK.
  6. Deploy services.

    1. Choose Service Management > Service Group from the navigation tree on the left.
    2. Click Service Group Name.
    3. Select services to be deployed to devices, and click in the toolbar.
    4. Click Deploy after device verification succeeds.
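
The NOTE in step 4 says that traffic rules decide which data flows enter the IPSec tunnel and which are forwarded directly. The following added example (not part of the eSight documentation or product) models such rules so that a planned ACL can be reviewed before deployment for flows addressed to the peer site that would be left outside the tunnel. The Rule type, the function names, the first-match evaluation order, and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" = send into the IPSec tunnel, "deny" = do not protect
    src: str     # source network in CIDR notation
    dst: str     # destination network in CIDR notation

def classify(src, dst, rules):
    """Return 'ipsec' or 'direct' for one flow, using first-match order (assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return "ipsec" if rule.action == "permit" else "direct"
    return "direct"  # no rule matched: the flow is forwarded outside the tunnel

def coverage_gaps(flows, rules, peer_networks):
    """List flows addressed to the peer site that the rules leave unprotected."""
    peers = [ipaddress.ip_network(n) for n in peer_networks]
    return [(src, dst) for src, dst in flows
            if any(ipaddress.ip_address(dst) in p for p in peers)
            and classify(src, dst, rules) == "direct"]

# Constructed sample: branch site 10.1.0.0/16, peer (headquarters) site 10.2.0.0/16.
RULES = [
    Rule("deny",   "10.1.1.0/24", "10.2.9.0/24"),   # carve-out placed before the permit
    Rule("permit", "10.1.1.0/24", "10.2.0.0/16"),   # only one branch subnet is covered
]
PEER_NETWORKS = ["10.2.0.0/16"]
FLOWS = [
    ("10.1.1.5", "10.2.3.4"),      # covered by the permit rule
    ("10.1.1.5", "10.2.9.20"),     # hits the deny rule first
    ("10.1.2.9", "10.2.3.4"),      # source subnet missing from the ACL
    ("10.1.1.5", "198.51.100.7"),  # Internet traffic, expected to go direct
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src} -> {dst}: {classify(src, dst, RULES)}")
    for src, dst in coverage_gaps(FLOWS, RULES, PEER_NETWORKS):
        print(f"GAP: {src} -> {dst} reaches the peer site outside the tunnel")
```

A flow reported as a gap is either an intended carve-out or a missing rule; reviewing that list before clicking Deploy is cheaper than finding unprotected inter-site traffic afterwards.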

Related Operations

You can perform the following operations to modify services, delete services, or change a preshared key.

Task

Procedure

Modifying services

  1. Choose Service Management > Service Group from the navigation tree on the left.
  2. Click Service Group Name.
  3. Click next to the service record to be modified in the Operation column, and modify service-related parameters.
  4. Select the service whose parameters are modified and click in the toolbar to re-deploy the service.

Deleting services

  1. Choose Service Management > Service Group from the navigation tree on the left.
  2. Click Service Group Name.
  3. Select the service record to be deleted, and click in the toolbar.
  4. Click in the toolbar after service deletion succeeds.

Changing a preshared key

Select one or multiple service groups, click , and change the preshared key for all services in the selected service group or service groups.

You can periodically change the preshared key for IPSec VPN services to prevent unauthorized users from obtaining the preshared key.

NOTE:
  • If you select Reset IPSec SA, IPSec VPN services are interrupted. After an IPSec SA is set up through renegotiation, services are restored.
  • If you do not select Reset IPSec SA, the new preshared key does not take effect immediately and IPSec VPN services are not interrupted. After IPSec VPN services are aged out, the new preshared key is used for renegotiation.
Updated: 2019-09-07

Document ID: EDOC1100011877
