CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Typical A2A VPN Networking

Although a traditional IPSec VPN can meet the encryption requirement, it cannot provide instant interconnection between enterprise branches and cannot offer better QoS or multicast services. In addition, network deployment is complex and network maintenance is difficult. With network security risks growing steadily, there is an urgent need for a WAN interconnection solution that balances security, intelligence, and ease of management.

A2A VPN uses a key server (KS) to manage keys centrally, shares those keys among the members of a GDOI (Group Domain of Interpretation) group, and allows for hierarchical encryption and decryption among group members (GMs). Compared with traditional point-to-point tunnel encryption, this solution simplifies configuration, eases network expansion, and improves reliability, providing security for WAN interconnection and intelligent service deployment.

As shown in Figure 6-4, a large enterprise leases an MPLS VPN network (for example, BGP/MPLS IP VPN) from a carrier to build dedicated lines connecting its branches across the country. The headquarters and branches frequently exchange packets of complex services, including data, voice, and video. These service packets must be encrypted to prevent data tampering.

To meet the enterprise's requirements, a KS is deployed in the headquarters, with shared keys and GDOI policies configured. The GDOI policies define how service packets transmitted between the branches and the headquarters are encrypted. The egress routers of the headquarters and branches function as GMs. The GMs register with the KS to obtain the shared keys and GDOI policies, which they then use to encrypt, decrypt, and forward packets. After this solution is deployed, data packets transmitted between branches, or between a branch and the headquarters, are encrypted, so services can be transmitted safely over the carrier network.

Figure 6-4  Typical A2A VPN networking

The enterprise requires that branch GM_4 can communicate directly with headquarters GM_1, but that traffic between GM_4 and the other branches must pass through the headquarters. As shown in Figure 6-5, two outbound interfaces are configured on GM_1: one interface is added to group 1 together with GM_2 and GM_3, and the other interface is added to group 2 together with GM_4. GM_4 cannot communicate directly with the other branches because they are not in the same group, so they hold no common group key. Traffic between GM_4 and another branch, such as GM_2, must therefore pass through the headquarters.

Figure 6-5  Headquarters router interfaces joining different groups
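The group-membership rule described above, as an added illustration that is not part of this Huawei document: a small Python model in which a KS generates one traffic encryption key (TEK) per GDOI group, GMs register to obtain it, and a packet can only be decrypted by a GM holding the same group key. Because GM_1 holds the keys of both groups, traffic from GM_4 to GM_2 has to be decrypted and re-encrypted at the headquarters. The cipher is a toy stand-in for the device's real IPSec transforms, the GM authentication step of GDOI registration is omitted, and all class and function names are the example's own.

```python
"""Constructed model of GDOI-style group key distribution for A2A VPN."""
import hashlib
import hmac
import os
from collections import deque


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction, not IPSec)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _toy_encrypt(tek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the group TEK; output is nonce || body || tag."""
    enc_key = hashlib.sha256(tek + b"enc").digest()
    mac_key = hashlib.sha256(tek + b"mac").digest()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _toy_decrypt(tek: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong group key or a modified packet is rejected."""
    enc_key = hashlib.sha256(tek + b"enc").digest()
    mac_key = hashlib.sha256(tek + b"mac").digest()
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong group key or tampered packet")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class KeyServer:
    """KS deployed at the headquarters: one TEK per GDOI group."""

    def __init__(self):
        self.teks, self.members = {}, {}

    def create_group(self, group_id: int) -> None:
        self.teks[group_id] = os.urandom(32)  # key generated centrally, never by a GM
        self.members[group_id] = set()

    def register(self, gm_name: str, group_id: int) -> bytes:
        # Real GDOI authenticates the GM before pushing policy and keys (omitted here).
        self.members[group_id].add(gm_name)
        return self.teks[group_id]


class GroupMember:
    """Egress router; it holds one TEK per group an interface has joined."""

    def __init__(self, name: str):
        self.name, self.teks = name, {}

    def register(self, ks: KeyServer, group_id: int) -> None:
        self.teks[group_id] = ks.register(self.name, group_id)

    def encrypt(self, group_id: int, plaintext: bytes) -> bytes:
        return _toy_encrypt(self.teks[group_id], plaintext)

    def decrypt(self, group_id: int, blob: bytes) -> bytes:
        if group_id not in self.teks:
            raise KeyError(f"{self.name} holds no key for group {group_id}")
        return _toy_decrypt(self.teks[group_id], blob)


def shared_groups(a: GroupMember, b: GroupMember) -> set:
    return set(a.teks) & set(b.teks)


def can_decrypt(gm: GroupMember, group_id: int, blob: bytes) -> bool:
    try:
        gm.decrypt(group_id, blob)
        return True
    except (KeyError, ValueError):
        return False


def find_path(gms: dict, src: str, dst: str) -> list:
    """BFS over GMs; a direct hop exists only where both GMs share a group."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for name, gm in gms.items():
            if name not in seen and shared_groups(gms[path[-1]], gm):
                seen.add(name)
                queue.append(path + [name])
    return []


def relay(gms: dict, path: list, plaintext: bytes) -> bytes:
    """Hop-by-hop: an intermediate GM decrypts with one group key and re-encrypts with the next."""
    data = plaintext
    for hop_from, hop_to in zip(path, path[1:]):
        group_id = min(shared_groups(gms[hop_from], gms[hop_to]))
        data = gms[hop_to].decrypt(group_id, gms[hop_from].encrypt(group_id, data))
    return data


def build_topology():
    """Figure 6-5 layout: GM_1 (HQ) in groups 1 and 2; GM_2 and GM_3 in 1; GM_4 in 2."""
    ks = KeyServer()
    ks.create_group(1)
    ks.create_group(2)
    gms = {n: GroupMember(n) for n in ("GM_1", "GM_2", "GM_3", "GM_4")}
    for name, group_id in (("GM_1", 1), ("GM_1", 2), ("GM_2", 1), ("GM_3", 1), ("GM_4", 2)):
        gms[name].register(ks, group_id)
    return ks, gms


if __name__ == "__main__":
    _, gms = build_topology()
    print("GM_4 -> GM_1:", find_path(gms, "GM_4", "GM_1"))
    print("GM_4 -> GM_2:", find_path(gms, "GM_4", "GM_2"))
```

Running the module prints a direct path for GM_4 to GM_1 and a two-hop path through GM_1 for GM_4 to GM_2, which is exactly the forwarding behaviour the group assignment in Figure 6-5 enforces: a GM that does not hold a group's TEK cannot read that group's traffic, so the only way between the two groups is a router that has joined both.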


Note: When the router functions as the PE device, it does not support multicast Rekey.

Updated: 2019-08-07

Document ID: EDOC1100033725