No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring an IPSec Profile

(Optional) Configuring an IPSec Profile


Data transmitted between the central office and a branch, and between branches can be encrypted to increase data security. Binding an IPSec profile to DSVPN can dynamically establish an mGRE over IPSec tunnel.

Before configuring an IPSec profile for DSVPN, you need to perform the following operations:

After completing the preceding configuration, perform the following operations on the Hub and Spokes.


  1. Run system-view

    The system view is displayed.

  2. Run ipsec profile profile-name

    An IPSec profile is created and the IPSec profile view is displayed.

  3. Run ike-peer peer-name

    An IKE peer is bound to the IPSec profile.

  4. Run proposal proposal-name

    An IPSec proposal is bound to the IPSec profile.

  5. (Optional) Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group21 }

    The perfect forward secrecy (PFS) feature is used in IPSec negotiation.

    By default, PFS is not used in IPSec negotiation.

    If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-Hellman groups specified on the two ends must be the same. Otherwise, the negotiation fails.

  6. Run quit

    Return to the system view.

  7. Run interface tunnel interface-number

    The tunnel interface view is displayed.

  8. Run tunnel-protocol gre p2mp

    The tunnel encapsulation mode is configured.

  9. Run ipsec profile profile-name

    The tunnel interface is bound to an IPSec profile.

    • When an IPsec profile is applied to different tunnel interfaces on an AR router running V200R010C00SPC600, the source IP addresses of the tunnel interfaces must be the same, and the destination IP addresses of the interfaces must be different.

    • When an IPsec profile is applied to tunnel interfaces with the same source IP address and different destination IP addresses on a hub in a DSVPN application scenario, you need to run the ike user-table command on the hub to specify tunnel interfaces for spoke nodes of different roles. To configure the interfaces associated with IKE users, run the interface-assign command.

    • When tunnel interfaces with the same source IP address and different destination IP addresses are configured in a DSVPN application scenario, the same IPsec profile must be applied to the tunnel interfaces.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 154297

Downloads: 372

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next