CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring a Tunnel Interface or a Tunnel Template Interface

Context

A tunnel interface is a Layer 3 logical interface. When its encapsulation protocol is GRE, mGRE, or IPSec, the device can provide IPSec services over it. An IPSec tunnel interface is established through IKE negotiation: after you configure the tunnel interface and apply an IPSec profile to it, the IPSec tunnel is set up.

The IP address of an IPSec tunnel interface can be manually configured or dynamically requested through IKEv2 negotiation. Dynamically requesting an IP address of the IPSec tunnel interface through IKEv2 negotiation reduces the configuration and maintenance workload of branch devices in scenarios where many branches connect to the headquarters.

A tunnel template interface is similar to a tunnel interface, but it can function only as the responder, never as the initiator. A tunnel template interface is generally created on the headquarters gateway. When a new branch gateway joins the network, the headquarters gateway dynamically generates a virtual tunnel interface for it from the template.

NOTE:

If you apply an IPSec profile to the tunnel template interface, the IKE peer referenced in the IPSec profile can only be IKEv2.

When multiple branches connect to the headquarters, if several tunnel interfaces at the headquarters borrow IP addresses from the same physical interface and use that interface's address as their source address, the mappings between IKE peers and tunnel interfaces may be incorrect. As a result, IPSec tunnels fail to be established.

Procedure

  • Configuring a Tunnel Interface

    1. Run system-view

      The system view is displayed.

    2. Run interface tunnel interface-number

      The tunnel interface view is displayed.

    3. Run tunnel-protocol { gre [ p2mp ] | ipsec }

      The encapsulation mode of a tunnel interface is configured.

      NOTE:
      An IPSec profile can be bound to a tunnel interface only when the tunnel encapsulation mode is set to IPSec, GRE, or Multipoint GRE (mGRE):
      • IPSec: An IPSec tunnel established on the tunnel interface protects unicast data transmitted over the Internet.
      • GRE: The tunnel interface provides GRE over IPSec and carries unicast and multicast data. The device first adds a GRE header to each packet and then adds the IPSec header, so the GRE-encapsulated packet is protected by IPSec in transit.
      • mGRE (specified by gre and p2mp): The tunnel interface provides Dynamic Smart Virtual Private Network (DSVPN) functions. See DSVPN Configuration.
    4. Run the following commands as required.

      • Run ip address ip-address { mask | mask-length } [ sub ]

        A private IPv4 address is configured for the tunnel interface.

      • On the IPSec tunnel interface, run ip address ike-negotiated

        An IPv4 address is requested for the tunnel interface through IKEv2 negotiation.

    5. Run source { [ vpn-instance vpn-instance-name ] source-ip-address | interface-type interface-number }

      The source address or source interface is configured.

      You can specify the vpn-instance vpn-instance-name parameter only when the encapsulation mode of the tunnel interface is set to IPSec or mGRE.

      NOTE:

      It is recommended that you specify the source interface rather than a source IP address. If the interface obtains its address dynamically, an address change would require modifying the source command, which in turn removes the IPSec profile applied to the tunnel interface (see Configuration Guidelines).

    6. (Optional) Run destination [ vpn-instance vpn-instance-name ] dest-ip-address

      The destination address is configured.

      If the destination address of an IPSec tunnel interface is not configured, the remote address of the IKE peer referenced by the IPSec profile is used to initiate negotiation. If neither the destination address of the tunnel interface nor the remote address of the IKE peer is configured, the local end can only accept negotiation requests initiated by the remote end.

      If the encapsulation mode of a tunnel interface is set to GRE, you need to configure destination addresses at both ends.

    7. (Optional) Run tunnel pathmtu enable

      The device is enabled to learn the maximum transmission unit (MTU) of packets allowed on an IPSec tunnel.

      By default, the device cannot learn the MTU of packets allowed on an IPSec tunnel.

      NOTE:

      This command takes effect only when the encapsulation mode of the tunnel interface is IPSec or GRE and the destination command has been configured on the tunnel interface.

    8. Run ipsec profile profile-name

      An IPSec profile is applied to the tunnel interface.

      By default, no IPSec profile is applied to a tunnel interface.

      Only one IPSec profile can be applied to a tunnel interface, and an IPSec profile can be applied to only one tunnel interface.

      When the number of IPSec tunnels is larger than 50% of the maximum limit, high CPU usage alarms may be generated in a short period of time after the undo ipsec profile command is run. After all the SAs are cleared, the CPU usage restores to the normal range.

    9. (Optional) Run standby interface interface-type interface-number [ priority ]

      A standby tunnel interface is configured and its priority is specified.

      By default, no standby tunnel interface is configured.

      To improve network reliability, the headquarters can provide two or more gateways for a branch gateway. When IPSec tunnels are set up using tunnel interfaces, configure a standby tunnel interface on the branch gateway and apply an IPSec profile to it to provide a standby link. Also configure the heartbeat or DPD mechanism so that the branch switches quickly from the active tunnel to the standby tunnel when the active tunnel fails.

  • Configuring a Tunnel Template Interface

    1. Run system-view

      The system view is displayed.

    2. Run interface tunnel-template interface-number

      The tunnel template interface view is displayed.

    3. Configure the IP address of the tunnel template interface.

      • Run ip address ip-address { mask | mask-length } [ sub ]

        The IPv4 address of the tunnel template interface is configured.

      • Run ip address unnumbered interface interface-type interface-number

        The tunnel template interface is configured to borrow an IP address from another interface.

      You only need to run one of the preceding commands.

    4. Run tunnel-protocol ipsec

      The encapsulation mode of the tunnel template interface is set to IPSec.

    5. Run source { [ vpn-instance vpn-instance-name ] source-ip-address | interface-type interface-number }

      The source address or source interface is configured for the tunnel template interface.

      NOTE:

      If the source address of the tunnel template interface is obtained dynamically, specify the source interface rather than the address when running the source command. This prevents an address change from invalidating the IPSec configuration.

    6. (Optional) Run tunnel pathmtu enable

      The device is enabled to learn the MTU of packets allowed on an IPSec tunnel.

      By default, the device cannot learn the MTU of packets allowed on an IPSec tunnel.

    7. Run ipsec profile profile-name

      The IPSec profile is applied to a tunnel template interface so that data flows on the interface are protected by IPSec.

      By default, no IPSec profile is applied to the tunnel template interface.

      You can apply only one IPSec profile to a tunnel template interface. An IPSec profile can be applied to only one tunnel template interface.

      When the number of IPSec tunnels is larger than 50% of the maximum limit, high CPU usage alarms may be generated in a short period of time after the undo ipsec profile command is run. After all the SAs are cleared, the CPU usage restores to the normal range.
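
The following is an added, end-to-end example of the two procedures above (it is not configuration from the original document). A branch gateway sets up an IPSec tunnel interface as the initiator, with a standby tunnel toward a second headquarters gateway, and the headquarters gateway answers with a tunnel template interface. Interface numbers, the public addresses 203.0.113.1 and 203.0.113.2, the loopback address, and the IPSec profile names branch-prof, branch-prof-standby and hq-prof are assumed; the profiles themselves (and the IKEv2 peers they reference) are assumed to have been configured already under the IPSec profile section. Lines beginning with "# " are annotations, not CLI input, and the prompts are illustrative.

```text
# ---- Branch gateway: tunnel interface, initiator (procedure 1) ----
<Branch> system-view
[Branch] interface tunnel 0/0/1
[Branch-Tunnel0/0/1] tunnel-protocol ipsec
# Step 4: the tunnel address is requested from headquarters during IKEv2 negotiation
[Branch-Tunnel0/0/1] ip address ike-negotiated
# Step 5: specify the source interface, not its (dynamic) WAN address;
# modifying "source" later removes the applied IPSec profile
[Branch-Tunnel0/0/1] source GigabitEthernet 0/0/1
# Step 6: public address of the primary headquarters gateway (assumed value)
[Branch-Tunnel0/0/1] destination 203.0.113.1
# Step 7: path-MTU learning needs tunnel-protocol ipsec or gre plus a destination
[Branch-Tunnel0/0/1] tunnel pathmtu enable
# Step 8: "branch-prof" (assumed) must reference an IKEv2 peer, because the
# headquarters side is a tunnel template interface
[Branch-Tunnel0/0/1] ipsec profile branch-prof
# Step 9: standby tunnel toward the second headquarters gateway, priority 10 (assumed)
[Branch-Tunnel0/0/1] standby interface Tunnel 0/0/2 10
[Branch-Tunnel0/0/1] quit
# The standby tunnel needs its own profile: a profile binds to only one tunnel interface
[Branch] interface tunnel 0/0/2
[Branch-Tunnel0/0/2] tunnel-protocol ipsec
[Branch-Tunnel0/0/2] ip address ike-negotiated
[Branch-Tunnel0/0/2] source GigabitEthernet 0/0/1
[Branch-Tunnel0/0/2] destination 203.0.113.2
[Branch-Tunnel0/0/2] ipsec profile branch-prof-standby
[Branch-Tunnel0/0/2] quit

# ---- Headquarters gateway: tunnel template interface, responder only (procedure 2) ----
<HQ> system-view
# One template serves all branches; a virtual tunnel interface is generated per peer
[HQ] interface tunnel-template 1
# Step 3: borrow the loopback address instead of configuring a per-branch address
[HQ-Tunnel-Template1] ip address unnumbered interface LoopBack 0
[HQ-Tunnel-Template1] tunnel-protocol ipsec
[HQ-Tunnel-Template1] source GigabitEthernet 0/0/1
[HQ-Tunnel-Template1] tunnel pathmtu enable
# "hq-prof" (assumed) must reference an IKEv2 peer. No destination is configured:
# the template only accepts negotiation requests initiated by branches.
[HQ-Tunnel-Template1] ipsec profile hq-prof
[HQ-Tunnel-Template1] quit
```

After both sides are configured, check that IKE and IPSec SAs come up with display ike sa and display ipsec sa on either gateway. If the branch shows no SA, verify that the profile on each side references an IKEv2 peer and that the branch has either a destination address or an IKE peer remote address, since without both the branch cannot initiate.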

Configuration Guidelines

  • If you modify the source or destination parameter of a tunnel interface, the IPSec profile applied to the tunnel interface is removed. Apply the IPSec profile to the tunnel interface again.
  • If you modify the tunnel-protocol parameter of a tunnel interface, the IPSec profile applied to the tunnel interface is removed. After the modification, apply the IPSec profile to the tunnel interface again as required.
  • If you modify the source parameter of a tunnel template interface, the IPSec profile applied to the tunnel template interface is removed. Apply the IPSec profile to the tunnel template interface again.
  • To stop IPSec negotiation, run the shutdown command on the corresponding physical interface. Shutting down the tunnel interface itself does not stop negotiation.
Updated: 2019-08-07

Document ID: EDOC1100033725