CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Applying an IPSec Policy Group to an Interface

Context

To use IPSec to protect data flows on an interface, apply an IPSec policy group to the interface. After an IPSec policy group is unbound from an interface, the interface does not provide IPSec protection.

An IPSec policy group is a set of IPSec policies with the same name but different sequence numbers. An IPSec policy group can contain multiple IPSec policies established manually or in IKE negotiation mode but only one IPSec policy template, as shown in Figure 5-31. One IPSec policy corresponds to one advanced ACL. In an IPSec policy group, an IPSec policy with a smaller sequence number has a higher priority.

Figure 5-31  IPSec policy group

After an IPSec policy group is applied to an interface, all IPSec policies in the group are applied to the interface and protect different data flows.

When sending a packet, an interface matches the packet with IPSec policies in an IPSec policy group in ascending order of sequence number. If the packet matches the ACL referenced by an IPSec policy, the packet is processed based on the IPSec policy. If no matching ACL is found after all IPSec policies are checked, the interface sends the packet directly without IPSec protection.
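The ordered match described above, as an added model that is not Huawei code: policies in a group are walked in ascending sequence number, the first policy whose ACL matches handles the packet, and a packet that matches no policy leaves the interface unprotected. The group, ACLs and flows are constructed sample data; the audit helper flags flows that would be sent in the clear, which is the check to run before trusting a policy group.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of IPSec policy-group matching; not Huawei's implementation.

@dataclass(frozen=True)
class AclRule:
    """One permit rule of the advanced ACL a policy references (source/destination prefixes)."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

@dataclass
class IpsecPolicy:
    name: str            # group name: all policies in one group share it
    seq: int             # sequence number: smaller means higher priority
    acl: List[AclRule]   # the single advanced ACL this policy references
    mode: str            # "manual", "isakmp" (IKE negotiation) or "template"

def validate_group(policies: List[IpsecPolicy]) -> List[IpsecPolicy]:
    """Enforce the group rules from the text: one name, distinct sequence numbers,
    at most one template policy. Returns the policies in matching order."""
    if len({p.name for p in policies}) != 1:
        raise ValueError("all policies in a group must share one name")
    if len({p.seq for p in policies}) != len(policies):
        raise ValueError("sequence numbers within a group must differ")
    if sum(p.mode == "template" for p in policies) > 1:
        raise ValueError("a group may contain only one policy template")
    return sorted(policies, key=lambda p: p.seq)

def select_policy(group: List[IpsecPolicy], src_ip: str, dst_ip: str) -> Optional[IpsecPolicy]:
    """First policy (ascending seq) whose ACL matches; None means sent without IPSec."""
    for policy in validate_group(group):
        if any(rule.matches(src_ip, dst_ip) for rule in policy.acl):
            return policy
    return None

def unprotected_flows(group: List[IpsecPolicy], flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Audit: flows that match no policy and would leave the interface in the clear."""
    return [f for f in flows if select_policy(group, *f) is None]

# Constructed sample group "branch": HQ-bound traffic via IKE, a second site via a manual SA.
GROUP = [
    IpsecPolicy("branch", 20, [AclRule("10.1.1.0/24", "10.3.0.0/16")], "manual"),
    IpsecPolicy("branch", 10, [AclRule("10.1.0.0/16", "10.2.0.0/16")], "isakmp"),
]
FLOWS = [("10.1.1.5", "10.2.0.9"), ("10.1.1.5", "10.3.0.1"), ("10.1.1.5", "192.168.0.1")]
```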

When applying an IPSec policy group to an interface, note the following points:
  • The interface to which the IPSec policy group is applied must be the interface on which the IPSec tunnel is established, and it must be the outbound interface of the route to the remote private network. If the IPSec policy is applied to a different interface instead of this one, VPN service forwarding may fail.

  • Only one IPSec policy group can be applied to an interface, and an IPSec policy group can be applied to only one interface.

  • After an IPSec policy group is applied to an interface, referenced ACLs and IKE peers in IPSec policies of the IPSec policy group cannot be modified.

NOTE:
  • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.

  • When multiple branches are connected to the headquarters, if some tunnel interfaces at the headquarters borrow an IP address from a physical interface, use an address borrowed from a physical interface as their source address, or use a virtual IP address borrowed from a physical interface as their tunnel local address, the mappings between IKE peers and tunnel interfaces may be incorrect. As a result, the IPSec tunnel fails to be established.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run the following commands as required.
    • Run interface interface-type interface-number

      The interface view is displayed.

    • Run interface interface-type interface-number.subinterface-number

      The sub-interface view is displayed.

    • Run interface tunnel interface-number

      The virtual tunnel interface view is displayed.

  3. Run ipsec policy policy-name

    An IPSec policy group is applied to the interface.

    After an IPSec policy established in manual mode is applied to an interface, an SA is generated immediately.

    After an IPSec policy established in IKE negotiation mode is applied to an interface, the IPSec tunnel can be set up either automatically or on arrival of matching traffic, as selected with the sa trigger-mode { auto | traffic-based } command.

    After an SA is created successfully, data flows are transmitted securely over the IPSec tunnel.

    When the number of IPSec tunnels exceeds 50% of the maximum limit, high CPU usage alarms may be generated for a short period after the undo ipsec policy command is run. After all the SAs have been cleared, CPU usage returns to the normal range.

Precautions

If you modify the tunnel-protocol parameter of a tunnel interface, the IPSec policy group applied to the tunnel interface will be deleted. After the modification, apply the IPSec policy group to the tunnel interface as required.

In an IPSec policy group, if multiple policies are bound to different IKE peers, the remote addresses specified in the IKE peers cannot be the same. Otherwise, IKE negotiation of some IPSec policies fails.

Updated: 2019-08-07

Document ID: EDOC1100033725