No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Summary of IPSec Configuration Tasks

Summary of IPSec Configuration Tasks

Two IPSec peers establish inbound and outbound SAs to form a secure IPSec tunnel through which data packets are transmitted securely over the Internet.

Table 5-5 lists IPSec configuration tasks.

Table 5-5  IPSec configuration tasks




Using an ACL to establish an IPSec tunnel

An ACL defines data flows to be protected by an IPSec tunnel. You need to configure an IPSec policy and apply it to an interface to protect data communication. You can use an ACL to establish an IPSec tunnel in manual mode or IKE negotiation mode.

SAs can be established in either of the following modes:
  • Manual mode: All information required by SAs must be manually configured.
  • IKE negotiation mode: IPSec peers use IKE to negotiate keys and dynamically create and maintain SAs.
The manual mode applies to small-sized networks or scenarios where a few IPSec peers exist. The IKE negotiation mode applies to medium- and large-sized networks.

Using an ACL to Establish an IPSec Tunnel

Using tunnel interfaces to establish an IPSec tunnel

An IPSec tunnel is established between tunnel interfaces based on routes. In this mode, routes determine the data flows to be protected.

You need to configure an IPSec profile and apply it to IPSec tunnel interfaces to protect IPSec packets. All the packets routed to the IPSec tunnel interfaces are protected by IPSec.

Using a Virtual Tunnel Interface to Establish an IPSec Tunnel

Using an Efficient VPN policy to establish an IPSec tunnel

Efficient VPN uses the client/server model. It concentrates IPSec and other configurations on the Efficient VPN server (headquarters gateway). When basic parameters for establishing SAs are configured on the remote devices (branch gateways), the remote devices initiate a negotiation and establish an IPSec tunnel with the server. After IPSec tunnels are established, the Efficient VPN server allocates other IPSec attributes and network resources to the remote devices. Efficient VPN simplifies configurations and maintenance of IPSec and network resources for branches.

In addition, Efficient VPN supports automatic upgrades of remote devices.

Establishing an IPSec Tunnel Using an Efficient VPN Policy

In manual mode, an ACL is used to establish an IPSec tunnel. In other modes, SAs are generated through IKE negotiation to establish an IPSec tunnel and an IKE peer needs to be configured and referenced.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 143635

Downloads: 361

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next