CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Basic Networking

As shown in Figure 6-1, a basic A2A VPN network consists of two types of devices: the key server (KS) and group members (GMs). A2A VPN provides a group-based IPSec security model: a group is a collection of GDOI policies, and all GMs in the same group share the same GDOI policies and keys.

Figure 6-1  Basic A2A VPN networking


GMs are network devices that share the same GDOI policies and keys and have the same security requirements; generally they are branch egress routers. A GM registers with the KS and obtains GDOI policies from it in order to communicate with other GMs in the same group. When registering, a GM provides a group identifier (ID), and the KS delivers the matching GDOI policies and keys to the GM based on that group ID.


The KS is the network device that creates and maintains GDOI policies and keys. Generally, the KS is a router located beside the egress router of a data center. The KS responds to registration requests from GMs and sends Rekey messages to GMs. After a GM registers with the KS, the KS delivers the GDOI policies and keys to that GM. Keys are updated periodically: before a key's lifetime expires, the KS sends Rekey messages instructing all GMs to update their keys.

The KS delivers two types of keys:
  • Traffic encryption key (TEK): shared by all the GMs in a group and used for encryption and decryption of traffic between GMs.

  • Key encryption key (KEK): shared by all the GMs in a group and used for encryption and decryption of Rekey messages between the KS and GM.
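As an added illustration that is not part of this Huawei document or the device implementation, the Python model below plays through the KS/GM behaviour described above: a GM presents its group ID at registration, the KS answers with the matching policy and a TEK/KEK pair, and the KS issues a Rekey before the TEK lifetime ends, protected under the KEK so that only GMs of that group accept it. The class and function names, the 80% rekey threshold, the HMAC-SHA256-based wrapping and the key sizes are assumptions of this model, not GDOI wire formats.

```python
import hashlib, hmac, os

KEY_LEN = 16  # constructed key size; real TEK/KEK sizes depend on the negotiated algorithms

def prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def kek_wrap(kek, nonce, tek):
    # Rekey message protected under the KEK: PRF keystream XOR, then a MAC over nonce||ciphertext
    ct = bytes(a ^ b for a, b in zip(tek, prf(kek, b"enc", nonce)))
    return nonce + ct + prf(kek, b"mac", nonce + ct)

def kek_unwrap(kek, msg):
    # Returns the new TEK, or None when the MAC fails (message not made under this group's KEK)
    nonce, ct, tag = msg[:KEY_LEN], msg[KEY_LEN:2 * KEY_LEN], msg[2 * KEY_LEN:]
    if not hmac.compare_digest(tag, prf(kek, b"mac", nonce + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, prf(kek, b"enc", nonce)))

class KeyServer:
    """KS: per group ID, the GDOI policy (traffic selectors, TEK lifetime) plus the current TEK and KEK."""
    def __init__(self):
        self.groups = {}
    def add_group(self, group_id, selectors, lifetime_s, now):
        self.groups[group_id] = {"selectors": selectors, "lifetime": lifetime_s, "issued": now,
                                 "tek": os.urandom(KEY_LEN), "kek": os.urandom(KEY_LEN)}
    def register(self, group_id):
        # Registration: the GM presents its group ID; only a known group gets policy and keys back
        g = self.groups.get(group_id)
        return None if g is None else {k: g[k] for k in ("selectors", "tek", "kek")}
    def rekey_if_due(self, group_id, now):
        # Issue a new TEK before the old one expires (here once 80% of the lifetime has elapsed)
        g = self.groups[group_id]
        if now - g["issued"] < 0.8 * g["lifetime"]:
            return None
        g["tek"], g["issued"] = os.urandom(KEY_LEN), now
        return kek_wrap(g["kek"], os.urandom(KEY_LEN), g["tek"])

class GroupMember:
    """GM: registers for one group ID and accepts only Rekey messages that verify under its KEK."""
    def __init__(self, group_id):
        self.group_id, self.selectors, self.tek, self.kek = group_id, None, None, None
    def join(self, ks):
        r = ks.register(self.group_id)
        if r is not None:
            self.selectors, self.tek, self.kek = r["selectors"], r["tek"], r["kek"]
        return r is not None
    def apply_rekey(self, msg):
        new_tek = kek_unwrap(self.kek, msg)
        if new_tek is not None:
            self.tek = new_tek  # a wrong-group or tampered message leaves the current TEK untouched
        return new_tek is not None
```

Two GMs registered with the same group ID end up with identical TEK/KEK, a GM of another group cannot apply their Rekey, and a GM with an unknown group ID is refused at registration.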

Updated: 2019-08-07

Document ID: EDOC1100033725