
CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Configuring the Efficient VPN Server

Context

Parameters on the Efficient VPN server include network resource parameters and IPSec parameters:
  1. Network resource parameters include the IP address, domain name, DNS server address, and WINS server address. The Efficient VPN server can deliver network resource parameters to the remote device over the IPSec tunnel.
  2. An SA must be set up through an IPSec policy template. There are limitations on other IPSec parameters.

Procedure

  1. (Optional) Set network resource parameters on the Efficient VPN server.
    1. (Optional) Configure a global address pool and deliver the IP address used to establish an IPSec tunnel to the remote device.

      NOTE:

      If the Efficient VPN policy on the remote device uses the client, network-plus, or network-auto-cfg mode, the Efficient VPN server must deliver the IP address.

      1. Run system-view

        The system view is displayed.

      2. Run ip pool ip-pool-name

        A global address pool is created.

      3. Run network ip-address [ mask { mask | mask-length } ]

        An allocatable network segment address is specified for the global address pool.

      4. Run gateway-list ip-address &<1-8>

        An egress gateway address is configured for the global address pool.

    2. Configure resources to be delivered in the service scheme view.

      1. Run system-view

        The system view is displayed.

      2. Run aaa

        The AAA view is displayed.

      3. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

      4. (Optional) Run ip-pool pool-name [ move-to new-position ]

        An IP address pool is configured.

        pool-name specifies the global address pool created with the ip pool command earlier in this procedure.

      5. (Optional) Run auto-update url url-string version version-number

        The URL and version number are configured.

        The remote device can download the version file, patch file, and configuration file through the URL, and branch devices can be upgraded automatically.

      6. (Optional) Run dns-name domain-name

        A DNS domain name is configured.

      7. (Optional) Configure DNS server IP addresses and WINS server IP addresses.

        1. Run dns ip-address

          The IP address of the primary DNS server is configured.

        2. (Optional) Run dns ip-address secondary

          The IP address of the secondary DNS server is configured.

        3. Run wins ip-address

          The IP address of the primary WINS server is configured.

        4. (Optional) Run wins ip-address secondary

          The IP address of the secondary WINS server is configured.

  2. Set IPSec parameters on the Efficient VPN server.
    1. Run system-view

      The system view is displayed.

    2. Configure an IPSec proposal.

      NOTE:
      • encapsulation-mode must be set to tunnel to establish an IPSec tunnel using an Efficient VPN policy.
      • When IKEv1 is used, IPSec supports non-authentication and non-encryption. When IKEv2 is used, IPSec does not support non-authentication or non-encryption.
      • The Efficient VPN policy supports only ESP.

      For details on how to configure an IPSec proposal, see Configuring an IPSec Proposal.

    3. Configure an IKE proposal.

      For details on how to configure an IKE proposal, see Configuring an IKE Proposal.

    4. Configure an IKE peer.

      NOTE:
      • When IKEv1 is used, exchange-mode must be set to aggressive.
      • You can run the resource acl acl-number command in IKEv1 to implement ACL delivery.

        ACL delivery is not supported in the network-auto-cfg mode.

      • Run the service-scheme command to bind the IKE peer to the AAA service scheme so that network resources including the IP address, domain name, DNS server IP addresses, and WINS server IP addresses can be delivered.
      • In the Efficient VPN policy, run the aaa authorization [ domain domain-name ] command on an IKE peer to enable AAA RADIUS server authorization.

        If the domain parameter is specified, the remote device obtains authorization information using the specified domain. If the domain parameter is not specified, the remote device obtains authorization information using the domain name it sends to the server. The domain name is specified using the service-scheme command in the Efficient VPN policy view.

        If the aaa authorization command is configured on the IKE peer, the service-scheme command configured on the server does not take effect.

      For details on how to configure an IKE peer, see Configuring an IKE Peer.

    5. Configure an IPSec policy using an IPSec policy template.

      For details on how to configure an IPSec policy using an IPSec policy template, see Configuring an IPSec Policy Using an IPSec Policy Template.

    6. (Optional) Configure the following extensions.

    7. Apply an IPSec policy group to an interface.

      For details on how to apply an IPSec policy group to an interface, see Applying an IPSec Policy Group to an Interface.
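
The whole procedure as one command sequence, for an IKEv1 server that delivers an address pool, DNS and WINS settings to remote devices. This is an added example, not taken from the Huawei document: every name, address and the interface are constructed, the key is a placeholder, and the IPSec proposal, IKE proposal, IKE peer and policy template commands (which this page defers to other sections) are assumed to follow the usual VRP syntax for this release.

```text
# Constructed example: names, addresses, interface and key are placeholders.
system-view
# Step 1: global address pool, needed for client, network-plus and network-auto-cfg remotes
ip pool pooltest
 network 10.10.1.0 mask 255.255.255.0
 gateway-list 10.10.1.1
 quit
# Step 1: resources delivered through the AAA service scheme
aaa
 service-scheme schemetest
  ip-pool pooltest
  dns-name example.com
  dns 10.10.2.2
  dns 10.10.2.3 secondary
  wins 10.10.3.2
  wins 10.10.3.3 secondary
  quit
 quit
# Step 2: IPSec proposal. Efficient VPN requires tunnel encapsulation and ESP
ipsec proposal prop1
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
 quit
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 quit
# IKEv1 peer: aggressive mode is mandatory; service-scheme binds the resources above
ike peer rut3
 undo version 2
 exchange-mode aggressive
 pre-shared-key cipher <pre-shared-key>
 ike-proposal 5
 service-scheme schemetest
 quit
# The SA is set up through a policy template, then applied to the public interface
ipsec policy-template use1 10
 ike-peer rut3
 proposal prop1
 quit
ipsec policy policy1 10 isakmp template use1
interface GigabitEthernet1/0/0
 ipsec policy policy1
```

If aaa authorization is configured on the IKE peer instead, the service-scheme binding shown here does not take effect, as noted in the IKE peer step.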

Updated: 2019-08-07

Document ID: EDOC1100033725