CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
DSVPN Protected by IPSec

DSVPN uses an mGRE tunnel to transmit data, but the mGRE tunnel itself does not encrypt that data, so transmission over the Internet is insecure. You are advised to deploy IPSec to protect communication between Spokes when DSVPN is used.

Figure 4-8  DSVPN protected by IPSec

On a DSVPN network, IPSec profiles are configured on the Hub and Spokes and bound to mGRE tunnel interfaces. mGRE tunnel setup will trigger IPSec tunnel setup. The implementation is as follows:
  1. All the Spokes on the network send NHRP Registration Request packets to the Hub and report the NHRP mapping entries to IPSec. The Internet Key Exchange (IKE) modules of the Spokes and the Hub negotiate with each other for IPSec tunnel parameters.
  2. The Hub generates local NHRP mapping entries between tunnel addresses and public network addresses of the Spokes based on the NHRP Registration Request packets received. The Hub then sends NHRP Registration Reply packets to the Spokes.
  3. The Spokes trigger mGRE tunnel setup as soon as they have traffic to transmit. For details about how to establish an mGRE tunnel, see Establishing mGRE Tunnels Between Spokes.
  4. After the Spokes establish an mGRE tunnel, the IPSec module obtains NHRP mapping entries, adds or deletes IPSec peers based on the mapping entries, and triggers the Spokes to dynamically establish an IPSec tunnel.
  5. After an IPSec tunnel is established between the Spokes, packets are routed based on their destination IP addresses. If the outbound interface is an mGRE interface, the Spoke searches the NHRP mapping table for the public network address mapped to the next-hop private address. After obtaining the public network address, the Spoke searches for the IPSec security association (SA) matching that public network address, encrypts the packets with it, and sends them.
Compared with IPSec in traditional Hub-Spoke networking, integrating DSVPN and IPSec has the following advantages:
  • Traditional IPSec uses ACLs to identify the unicast traffic to be encrypted. The ACL configuration is complex and difficult to maintain. In DSVPN scenarios, you only need to bind mGRE tunnel interfaces to IPSec profiles, without defining complex ACLs, so network deployment is simpler.
  • Because an IPSec tunnel is dynamically established between Spokes, IPSec packets transmitted between Spokes are not decrypted or encrypted by the Hub. This shortens the packet forwarding delay.
When you deploy IPSec on a DSVPN network, the IPSec encapsulation mode can only be transport if two branches are connected to different NAT devices or the headquarters is connected to a NAT device. This is because NHRP cannot learn post-NAT IP addresses when the IPSec encapsulation mode is tunnel mode.
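The following configuration is an added example, not a configuration taken from this page or from Huawei's own example set. It shows the binding described above: one IPSec profile (no ACL) attached to the mGRE tunnel interface on the Hub and on each Spoke, with the IKE peer left without a remote address so that the IPSec module can add and delete peers from the NHRP mapping entries dynamically (step 4), and with transport mode selected because of the NAT restriction in the previous paragraph. All names, addresses and the pre-shared key are constructed placeholders; the command syntax follows Huawei VRP for AR routers as the editor knows it and should be checked against the configuration chapters of this guide. Lines beginning with `#` are annotations, not device input.

```text
# --- Hub and every Spoke: identical IKE and IPSec policy (constructed values) ---
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
 authentication-method pre-share
#
# No remote-address: DSVPN peers are learned from NHRP mapping entries, not configured statically.
ike peer dsvpn-peer
 pre-shared-key cipher EXAMPLE-PSK-CHANGE-ME
 ike-proposal 10
#
# Transport mode is required when branches sit behind different NAT devices or the Hub is behind NAT (see the note above).
ipsec proposal dsvpn-prop
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
 encapsulation-mode transport
#
# The profile replaces the ACL-based policy used in traditional Hub-Spoke IPSec.
ipsec profile dsvpn-prof
 ike-peer dsvpn-peer
 proposal dsvpn-prop
#
# --- Hub (public address 1.1.1.1 on GigabitEthernet0/0/0, constructed) ---
interface Tunnel0/0/0
 ip address 10.1.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 nhrp entry multicast dynamic
 ipsec profile dsvpn-prof
#
# --- Spoke1 (Spoke2 is identical except for the tunnel address, e.g. 10.1.1.3) ---
interface Tunnel0/0/0
 ip address 10.1.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 nhrp entry 10.1.1.1 1.1.1.1 register
 ipsec profile dsvpn-prof
```

After the Spokes register with the Hub and exchange traffic, the NHRP mapping table (display nhrp peer all) should show the public address learned for each peer, and the IPSec SA list (display ipsec sa) should contain an SA whose remote address matches that public address, which is the lookup performed in step 5. If traffic between Spokes behind NAT is still not encrypted, check that the proposal on every device uses transport mode, since a tunnel-mode proposal prevents NHRP from learning the post-NAT addresses.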
Updated: 2019-08-07

Document ID: EDOC1100033725
