
CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
(Optional) Configuring Requesting, Sending or Accepting of Subnet Route Information

Context

As shown in Figure 5-33, a headquarters sets up an IPSec tunnel with its branch using a tunnel interface. If requesting, sending or accepting of subnet route information is not configured, the data flows to be protected by IPSec must be directed to the tunnel interface by static or dynamic routes.

In this IPSec configuration:

  • When the remote network topology changes, you must modify routes on the local device to ensure IPSec protection for nonstop data transmission.
  • When a new branch is added to the network and wants to establish an IPSec tunnel with the headquarters, you must configure routes to the branch on the headquarters gateway.
Figure 5-33  Requesting, sending or accepting of subnet route information not configured

As shown in Figure 5-34, you only need to configure, on the local device, the subnet address to be protected through IPSec. The local device then sends subnet route information to the remote device, which generates routes based on the information.

In this IPSec configuration:

  • When the remote network topology changes, you do not need to modify routes on the local device.
  • When a new branch is added to the network and wants to establish an IPSec tunnel with the headquarters, you do not need to add routes to the branch on the headquarters gateway.
Figure 5-34  Requesting, sending or accepting of subnet route information configured

NOTE:

This function is supported by IKEv2 only.

Procedure

  • Configuring requesting of subnet route information

    After a local device is enabled to request subnet route information, the remote device sends subnet route information directly; sending of subnet route information does not need to be enabled on the remote device.

    NOTE:

    Requesting of subnet route information takes effect on the IKE negotiation initiator only.

    The local device requests subnet route information and generates a route based on the received subnet route information.
    1. Run system-view

      The system view is displayed.

    2. Run ike peer peer-name

      An IKE peer is created and the IKE peer view is displayed.

    3. Run undo version 1

      The IKE protocol version used by IKE peers is configured.

      By default, IKE peers support IKEv1 and IKEv2.

      If IKEv1 and IKEv2 are enabled, IKEv2 is used in the negotiation initiation, and IKEv1 and IKEv2 are used in negotiation response.

    4. (Optional) Run config-exchange request

      The device is enabled to request subnet route information from a peer.

      By default, the device does not request subnet route information from a peer.

    5. Run route accept [ preference preference-number ] [ tag tag-value ]

      The device is enabled to generate a route based on the received subnet route information and define the priority and tag value for the route.

      By default, the device does not generate routes based on the received subnet route information.

    The remote device is configured with the subnet route information to be sent and sends it directly after receiving the request.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run service-scheme service-scheme-name

      A service scheme is created and the service scheme view is displayed.

    4. Run route set acl acl-number

      Local subnet information to be sent to the peer is configured.

      By default, no local subnet information to be sent to the peer is configured.

      acl-number specifies an advanced ACL that has been created.

    5. Run route set interface

      An IP address which is to be sent to the peer is configured for the interface.

      By default, no IP address which is to be sent to the peer is configured for the interface.

  • Configuring sending and accepting of subnet route information

    After a local device is enabled to send subnet route information and a remote device is enabled to accept subnet route information, sending of subnet route information is enabled in one direction. To enable bidirectional sending of subnet route information, the headquarters and branch devices must be enabled to send and accept subnet route information at the same time.

    The local device sends subnet route information.
    1. Configure subnet route information to be sent.

      1. Run system-view

        The system view is displayed.

      2. Run aaa

        The AAA view is displayed.

      3. Run service-scheme service-scheme-name

        A service scheme is created and the service scheme view is displayed.

      4. Run route set acl acl-number

        Local subnet information to be sent to the peer is configured.

        By default, no local subnet information to be sent to the peer is configured.

        acl-number specifies an advanced ACL that has been created.

      5. Run route set interface

        An IP address which is to be sent to the peer is configured for the interface.

        By default, no IP address which is to be sent to the peer is configured for the interface.

    2. Configure sending of subnet route information.

      1. Run quit

        Return to the AAA view.

      2. Run quit

        Return to the system view.

      3. Run ike peer peer-name

        An IKE peer is created and the IKE peer view is displayed.

      4. Run undo version 1

        The IKE protocol version used by IKE peers is configured.

        By default, IKE peers support IKEv1 and IKEv2.

        If IKEv1 and IKEv2 are enabled, IKEv2 is used in the negotiation initiation, and IKEv1 and IKEv2 are used in negotiation response.

      5. Run service-scheme service-scheme-name

        A service scheme is bound to the IKE peer.

        By default, no service scheme is bound to an IKE peer.

      6. Run config-exchange set send

        The device is enabled to send subnet route information to a peer.

        By default, the device does not send subnet route information to a peer.

    The remote device accepts subnet route information.
    1. Run system-view

      The system view is displayed.

    2. Run ike peer peer-name

      An IKE peer is created and the IKE peer view is displayed.

    3. Run undo version 1

      The IKE protocol version used by IKE peers is configured.

      By default, IKE peers support IKEv1 and IKEv2.

      If IKEv1 and IKEv2 are enabled, IKEv2 is used in the negotiation initiation, and IKEv1 and IKEv2 are used in negotiation response.

    4. Run config-exchange set accept

      The device is enabled to accept subnet route information from a peer.

      By default, the device does not accept subnet route information from a peer.

    5. Run route accept [ preference preference-number ] [ tag tag-value ]

      The device is enabled to generate a route based on the received subnet route information and define the priority and tag value for the route.

      By default, the device does not generate routes based on the received subnet route information.
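
An added example, not part of the Huawei guide: a Python check that reads a saved configuration and flags IKE peers whose route-exchange settings miss a step of the procedure above (IKEv1 left enabled, sending with nothing to send, accepting without `route accept`). The configuration text, the peer and service scheme names, the ACL number and the assumed indentation layout are constructed for illustration.

```python
import re
# Constructed sample; assumed layout: headers at column 0, sub-commands indented.
SAMPLE = """\
aaa
 service-scheme empty
 service-scheme branch-routes
  route set acl 3001
#
ike peer hq
 undo version 1
 config-exchange set accept
 route accept preference 70
#
ike peer branch1
 undo version 1
 service-scheme empty
 config-exchange set send
#
ike peer branch2
 config-exchange request
"""

def parse(config):  # -> ({ike peer: [commands]}, {service scheme: [commands]})
    peers, schemes, top, cur = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] != " ":                       # '#', blank line or section header
            top, m = line, re.fullmatch(r"ike peer (\S+)", line)
            cur = peers.setdefault(m.group(1), []) if m else None
        elif top == "aaa" and raw[1:2] != " ":   # sub-view header inside the AAA view
            m = re.fullmatch(r"service-scheme (\S+)", line)
            cur = schemes.setdefault(m.group(1), []) if m else None
        elif cur is not None:
            cur.append(line)
    return peers, schemes

def audit(config):  # -> [(ike peer, finding)] for peers that skip a procedure step
    (peers, schemes), out = parse(config), []
    for name, cmds in peers.items():
        if any(c.startswith("config-exchange") for c in cmds) and "undo version 1" not in cmds:
            out.append((name, "ikev1-enabled"))      # the function is IKEv2 only
        if "config-exchange set send" in cmds:
            bound = [c.split()[1] for c in cmds if c.startswith("service-scheme ")]
            sent = [c for s in bound for c in schemes.get(s, []) if c.startswith("route set ")]
            if not sent:                             # no scheme bound, or it sets nothing
                out.append((name, "nothing-to-send"))
        accepts = {"config-exchange request", "config-exchange set accept"} & set(cmds)
        if accepts and not any(c.startswith("route accept") for c in cmds):
            out.append((name, "accept-no-route"))    # received subnets generate no routes
    return out
```

Calling `audit(SAMPLE)` reports `branch1` for sending through a service scheme that sets no subnet information and `branch2` for leaving IKEv1 enabled and requesting subnets without `route accept`; `hq` passes.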

Updated: 2019-08-07

Document ID: EDOC1100033725
