CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
IPSec Enhancements

L2TP over IPSec

L2TP over IPSec encapsulates packets using L2TP and then IPSec. It uses L2TP to implement user authentication and address allocation and IPSec to ensure secure communication. L2TP over IPSec ensures that branches and traveling employees can connect to the headquarters.

Figure 5-13 illustrates how L2TP over IPSec allows branches to connect to the headquarters.

Figure 5-13  L2TP over IPSec packet encapsulation and tunnel negotiation

Packets are encapsulated by L2TP, and then by IPSec. In the IP header added during IPSec encapsulation, the source IP address is the IP address of the interface to which the IPSec policy is applied, and the destination IP address is the IP address of the peer interface to which the IPSec policy on the remote peer is applied.

IPSec protects the data flows from the source to the destination of the L2TP tunnel. In the new IP header added during L2TP encapsulation, the source IP address is the address of the L2TP source interface, and the destination IP address is the address of the L2TP destination interface. When a branch connects to the headquarters, the source address of the L2TP tunnel is the IP address of the outbound interface on the L2TP access concentrator (LAC), and the destination address is the IP address of the inbound interface on the L2TP network server (LNS).

L2TP encapsulation already adds an IP header carrying a public address. Tunnel mode then adds a second IP header with a public address in front of the IPSec header, which transport mode does not. Packets are therefore larger in tunnel mode and more of them are fragmented, so the transport mode of L2TP over IPSec is recommended.

The L2TP over IPSec negotiation sequence and packet encapsulation process are the same for employees on the move and for employees at branch offices. The difference is that, for employees on the move, L2TP and IPSec encapsulation is performed on the client itself. The L2TP source address is the private address assigned to the client, which can be any address in the address pool configured on the LNS. The destination address of the L2TP tunnel is the address of the inbound interface on the LNS.

GRE over IPSec

Integrating the advantages of both GRE and IPSec, GRE over IPSec uses GRE to encapsulate multicast, broadcast, and non-IP packets into common IP packets, and uses IPSec to provide secure communication for the encapsulated IP packets. Broadcast and multicast services, such as video conferencing or dynamic routing protocols, can therefore be securely transmitted between the headquarters and branches.

GRE over IPSec encapsulates packets using GRE and then IPSec. The encapsulation can be implemented in tunnel mode or transport mode. The tunnel mode adds an extra IPSec header, which makes the packet longer and more likely to be fragmented. Therefore, the transport mode is recommended.

Figure 5-14  Packet encapsulation and tunnel negotiation in GRE over IPSec

In the IP header added during IPSec encapsulation, the source IP address is the IP address of the interface to which the IPSec policy is applied, and the destination IP address is the IP address of the peer interface to which the IPSec policy on the remote peer is applied.

IPSec protects the data flows from the GRE source address to the GRE destination address. In the IP header added during GRE encapsulation, the source address is the source address of the GRE tunnel, and the destination address is the destination address of the GRE tunnel.
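The two sections above make the same size argument: the carrier (L2TP or GRE) adds an IP header with a public address, and ESP tunnel mode adds a second one, so tunnel mode packets are longer and fragment sooner. The following script is an added example that is not part of this document or of Huawei's software; it models the header stacks for both carriers in both ESP modes and computes the largest original packet that still fits a 1500-byte link without fragmentation. Header sizes are IPv4 without options, UDP, an L2TPv2 data header with the Length field, a 2-byte PPP protocol field, GRE with no optional fields, and ESP with AES-128-CBC plus HMAC-SHA1-96, which is an assumed cipher suite; other suites change the IV and ICV sizes.

```python
"""Encapsulation overhead model for L2TP over IPSec and GRE over IPSec.
Added example, not Huawei code. The ESP numbers assume AES-128-CBC with
HMAC-SHA1-96; the carrier header sizes are the minimal common forms."""

IPV4_HDR = 20
UDP_HDR = 8
L2TP_HDR = 8      # L2TPv2 data message header with the Length field present
PPP_HDR = 2       # PPP protocol field only
GRE_HDR = 4       # GRE with no checksum, key or sequence number
ESP_SPI_SEQ = 8   # SPI + sequence number
ESP_IV = 16       # AES-CBC IV (assumed suite)
ESP_TRAILER = 2   # pad length + next header
ESP_ICV = 12      # HMAC-SHA1-96 (assumed suite)
ESP_BLOCK = 16    # AES block size: payload + trailer is padded to a multiple of it


def esp_padding(plaintext_len: int) -> int:
    """Bytes of ESP padding so that payload + pad length + next header is block aligned."""
    return (-(plaintext_len + ESP_TRAILER)) % ESP_BLOCK


def encapsulated_size(original_len: int, carrier: str, mode: str) -> int:
    """On-wire size of an `original_len`-byte IP packet after `carrier`
    ("l2tp" or "gre") encapsulation and ESP in `mode` ("transport" or "tunnel").

    Both carriers wrap the packet and put an IP header with a public address
    on it. Transport-mode ESP keeps that header as the outer header and
    protects only what follows it; tunnel-mode ESP protects the whole carrier
    packet, IP header included, and adds a second outer IP header."""
    if carrier == "l2tp":
        carried = original_len + PPP_HDR + L2TP_HDR + UDP_HDR
    elif carrier == "gre":
        carried = original_len + GRE_HDR
    else:
        raise ValueError(f"unknown carrier {carrier!r}")

    if mode == "transport":
        protected = carried
    elif mode == "tunnel":
        protected = carried + IPV4_HDR   # the carrier's IP header is now inside ESP
    else:
        raise ValueError(f"unknown mode {mode!r}")

    esp = ESP_SPI_SEQ + ESP_IV + protected + esp_padding(protected) + ESP_TRAILER + ESP_ICV
    return IPV4_HDR + esp               # exactly one IP header stays outside ESP


def max_unfragmented(carrier: str, mode: str, mtu: int = 1500) -> int:
    """Largest original packet whose encapsulated form still fits in `mtu`."""
    size = 0
    while encapsulated_size(size + 1, carrier, mode) <= mtu:
        size += 1
    return size


def outer_fragments(original_len: int, carrier: str, mode: str, mtu: int = 1500) -> int:
    """Number of IPv4 fragments the encapsulated packet becomes on a link of `mtu`."""
    total = encapsulated_size(original_len, carrier, mode)
    if total <= mtu:
        return 1
    per_fragment = (mtu - IPV4_HDR) // 8 * 8   # all but the last fragment carry 8-byte multiples
    return -(-(total - IPV4_HDR) // per_fragment)


if __name__ == "__main__":
    for carrier in ("l2tp", "gre"):
        for mode in ("transport", "tunnel"):
            print(f"{carrier:4} {mode:9} max unfragmented payload at MTU 1500: "
                  f"{max_unfragmented(carrier, mode)} bytes")
    # A 1420-byte packet fits over GRE in transport mode but fragments in tunnel mode.
    print("gre 1420 bytes -> fragments: transport", outer_fragments(1420, "gre", "transport"),
          "tunnel", outer_fragments(1420, "gre", "tunnel"))
```

With these sizes the unfragmented limit is 1420 bytes for L2TP over IPSec in transport mode and 1400 in tunnel mode, and 1434 versus 1414 for GRE over IPSec: in each case the 20-byte difference is the carrier's IP header that tunnel mode moves inside ESP and replaces with a new outer header.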

IPSec Multi-instance

IPSec multi-instance is used to provide the firewall lease service to isolate internal networks of small enterprises.

As shown in Figure 5-15, branches of three small enterprises share a VPN gateway. The three enterprise networks must be isolated. IP addresses of each enterprise are planned independently, and therefore IP addresses on different private networks may overlap. The IPSec multi-instance function can be configured on the VPN gateway to bind IPSec tunnels of the three enterprises to different VPN instances. This ensures that packets with the same destination IP addresses can be correctly forwarded.

Figure 5-15  Typical IPSec multi-instance network
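The following script is an added example, not part of this document or of Huawei's software, showing why binding each enterprise's IPSec tunnel to its own VPN instance is what makes overlapping private addresses forwardable. The three enterprises, their overlapping 192.168.1.0/24 subnets, and the tunnel, VPN instance and interface names are all constructed.

```python
"""IPSec multi-instance forwarding model. Added example, not Huawei code.
Decrypted packets are looked up in the routing table of the VPN instance
their tunnel is bound to, so identical destination prefixes in different
enterprises never collide."""
import ipaddress

# Which VPN instance each decrypted IPSec tunnel delivers its packets into (constructed).
TUNNEL_TO_VPN = {
    "tunnel-enterprise-A": "vpn-A",
    "tunnel-enterprise-B": "vpn-B",
    "tunnel-enterprise-C": "vpn-C",
}

# Per-instance routing tables as (prefix, outbound interface) (constructed).
# The same 192.168.1.0/24 prefix exists in every instance.
VPN_ROUTES = {
    "vpn-A": [("192.168.1.0/24", "GE0/0/1.10"), ("172.16.0.0/12", "GE0/0/1.11")],
    "vpn-B": [("192.168.1.0/24", "GE0/0/1.20")],
    "vpn-C": [("192.168.1.0/24", "GE0/0/1.30"), ("192.168.1.128/25", "GE0/0/1.31")],
}


def lookup(table, dst_ip):
    """Longest-prefix match of dst_ip in one instance's table; None if there is no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(tunnel, dst_ip):
    """Forward a packet decrypted from `tunnel`. The tunnel's VPN instance
    binding selects the table, which is what disambiguates overlapping addresses."""
    try:
        vpn = TUNNEL_TO_VPN[tunnel]
    except KeyError:
        raise LookupError(f"tunnel {tunnel} is not bound to a VPN instance") from None
    iface = lookup(VPN_ROUTES[vpn], dst_ip)
    if iface is None:
        raise LookupError(f"no route to {dst_ip} in {vpn}")
    return vpn, iface


def overlapping_prefixes():
    """Prefixes present in more than one instance: the destinations a single
    shared routing table could not forward correctly."""
    seen = {}
    for vpn, table in VPN_ROUTES.items():
        for prefix, _ in table:
            seen.setdefault(prefix, set()).add(vpn)
    return {prefix: vpns for prefix, vpns in seen.items() if len(vpns) > 1}


if __name__ == "__main__":
    for tunnel in TUNNEL_TO_VPN:
        print(tunnel, "->", forward(tunnel, "192.168.1.200"))
    print("ambiguous without multi-instance:", overlapping_prefixes())
```

The same destination 192.168.1.200 leaves on a different interface depending only on which tunnel it arrived from; a packet with no route in its own instance is dropped rather than leaking into another enterprise's table.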

Efficient VPN

On an enterprise network with many branches, IPSec needs to be configured on headquarters and branch gateways. These IPSec configurations are complex and difficult to maintain. IPSec Efficient VPN can solve these problems with its high security, reliability, and flexibility. It has become the first choice for enterprises to establish VPNs.

Efficient VPN uses the client/server model. It concentrates IPSec and other configurations on the Efficient VPN server (headquarters gateway). When basic parameters for establishing SAs are configured on the remote devices (branch gateways), the remote devices initiate a negotiation and establish an IPSec tunnel with the server. After IPSec tunnels are established, the Efficient VPN server allocates other IPSec attributes and network resources to the remote devices. Efficient VPN simplifies configurations and maintenance of IPSec and network resources for branches. In addition, Efficient VPN supports automatic upgrades on remote devices.

Operation Modes
  • Client mode

    1. When a remote device requests an IP address from the Efficient VPN server, a loopback interface is dynamically created on the remote device and the IP address obtained from the server is assigned to the loopback interface.
    2. The remote device automatically enables NAT to translate its original IP address into the obtained IP address, and then uses this IP address to establish an IPSec tunnel with the headquarters.

    The client mode applies to scenarios where traveling staff or small-scale branches connect to the headquarters network through private networks, as shown in Figure 5-16.

    Figure 5-16  Client mode

    NOTE:

    Traveling staff use software to establish a virtual network adapter on a PC. The virtual network adapter then uses parameters such as addresses sent by the Efficient VPN server.

  • Network mode

    In network mode, a remote device does not apply to the Efficient VPN server for an IP address. Therefore, NAT is not automatically enabled in network mode. Figure 5-17 shows the network mode.

    Figure 5-17  Network mode

    The network mode applies to scenarios where IP addresses of the headquarters and branches are planned uniformly. Ensure that IP addresses do not conflict.

  • Network-plus mode

    Network-plus mode differs from network mode in that the remote device does apply to the Efficient VPN server for an IP address, although the IP addresses of branches and the headquarters are still configured beforehand. The Efficient VPN server uses the obtained address to ping, STelnet to, or otherwise manage and maintain the remote device. NAT is not automatically enabled on the remote device.

  • Network-auto-cfg mode

    Compared with the network-plus mode, the remote device applies to the Efficient VPN server for an IP address pool in network-auto-cfg mode. The IP address pool is used for allocating addresses to users.

The Efficient VPN server also delivers the following resources in addition to parameters for establishing an IPSec tunnel:
  • Network resources including DNS domain names, DNS server IP addresses, and WINS server IP addresses

    The Efficient VPN server delivers the preceding resources so that branches can access them.

  • ACL resources

    The Efficient VPN server delivers headquarters network information defined in an ACL to remote devices. The ACL defines the headquarters subnets that branches can access. Branch traffic not destined for the subnets specified in the ACL is directly forwarded to the Internet. Such traffic does not pass through the IPSec tunnel.

    NOTE:

    In network-auto-cfg mode, delivery of the parameters defined in the ACL is not supported.
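The four operation modes and the delivered resources above can be summarised in a small model. The following script is an added example, not part of this document or of Huawei's software: a server object hands out the resources each mode calls for (an address in client and network-plus mode, an address pool in network-auto-cfg mode, nothing in network mode, and the ACL in every mode except network-auto-cfg), and a remote object applies them, creating the loopback and enabling NAT only in client mode and using the delivered ACL to decide which traffic enters the tunnel. The address pool, headquarters subnets, DNS server and device addresses are constructed, the number of addresses handed out in network-auto-cfg mode is an assumption, and the handling of traffic when no ACL has been delivered is an assumption marked in the code.

```python
"""Toy model of the Efficient VPN server/remote exchange. Added example, not
Huawei code. Pool, subnets, DNS servers and device addresses are constructed."""
import ipaddress

MODES = ("client", "network", "network-plus", "network-auto-cfg")


class EfficientVpnServer:
    """Headquarters gateway holding the centralised configuration."""

    def __init__(self, address_pool, hq_subnets, dns_servers, auto_cfg_pool_size=8):
        self.free = list(ipaddress.ip_network(address_pool).hosts())
        self.hq_subnets = list(hq_subnets)
        self.dns_servers = list(dns_servers)
        # Addresses handed to one remote in network-auto-cfg mode (assumed value).
        self.auto_cfg_pool_size = auto_cfg_pool_size

    def negotiate(self, mode):
        """Resources delivered to a remote once its IPSec tunnel is up."""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        delivered = {"mode": mode, "dns": list(self.dns_servers),
                     "address": None, "pool": None, "acl": None}
        if mode in ("client", "network-plus"):
            delivered["address"] = str(self.free.pop(0))       # one address for the remote itself
        elif mode == "network-auto-cfg":
            chunk = self.free[: self.auto_cfg_pool_size]       # a pool the remote assigns to users
            del self.free[: self.auto_cfg_pool_size]
            delivered["pool"] = [str(a) for a in chunk]
        if mode != "network-auto-cfg":                         # ACL delivery is unsupported there
            delivered["acl"] = [ipaddress.ip_network(n) for n in self.hq_subnets]
        return delivered


class RemoteDevice:
    """Branch gateway with only the basic SA parameters configured locally."""

    def __init__(self, mode, lan_ip):
        self.mode = mode
        self.lan_ip = lan_ip
        self.loopback_ip = None
        self.delivered = None

    def connect(self, server):
        self.delivered = server.negotiate(self.mode)
        if self.mode == "client":
            # Client mode: a loopback is created for the assigned address and NAT is enabled.
            self.loopback_ip = self.delivered["address"]
        return self.delivered

    @property
    def nat_enabled(self):
        return self.mode == "client"

    def forward(self, dst_ip):
        """Return ("ipsec", source address used inside the tunnel) or ("internet", lan_ip)."""
        acl = self.delivered["acl"]
        # Assumption: with no delivered ACL (network-auto-cfg) everything is sent into the tunnel.
        if acl is not None and not any(ipaddress.ip_address(dst_ip) in net for net in acl):
            return ("internet", self.lan_ip)
        return ("ipsec", self.loopback_ip if self.nat_enabled else self.lan_ip)


if __name__ == "__main__":
    server = EfficientVpnServer("10.200.0.0/24", ["10.1.0.0/16", "10.2.0.0/16"], ["10.1.0.53"])
    for mode, lan_ip in zip(MODES, ("192.168.5.2", "10.3.0.2", "10.4.0.2", "10.5.0.2")):
        remote = RemoteDevice(mode, lan_ip)
        got = remote.connect(server)
        print(f"{mode:17} address={got['address']} pool={got['pool']} acl={got['acl']}")
        print("   to HQ 10.1.7.7 ->", remote.forward("10.1.7.7"),
              "| to 203.0.113.9 ->", remote.forward("203.0.113.9"))
```

Only the client-mode remote rewrites its source address before the tunnel, and only the network-auto-cfg remote receives a pool instead of an ACL; the remaining behaviour follows directly from the mode descriptions above.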

Automatic Upgrade of Efficient VPN Remote Devices

The server defines the uniform resource locator (URL) used to upgrade remote devices. A remote device automatically downloads the version file, patch file, and configuration file according to the URL configuration file to complete an upgrade. Automatic upgrade facilitates network deployment and maintenance. Figure 5-18 shows the procedure for automatically upgrading the remote device.

Figure 5-18  Automatic upgrade of remote devices

  1. A remote device with basic IPSec Efficient VPN configuration connects to the headquarters.
  2. The remote device applies to the server for the address and version number of the URL configuration file.
  3. The remote device obtains the address and version number of the URL configuration file and downloads the URL configuration file from the specified server.
  4. The remote device downloads the corresponding version file, patch file, and configuration file according to the URL configuration file.
  5. The remote device performs the upgrade according to the version file, patch file, and configuration file.

Updated: 2019-08-07

Document ID: EDOC1100033725