CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Licensing Requirements and Limitations for IPSec

Involved Network Elements

None

Licensing Requirements

When using the Efficient VPN policy to establish an IPSec tunnel, note the following points:
  • If a branch server needs to provide services to external users through NAT, the nat static command must be used on the remote device.
  • When a remote device requests an IP address from the Efficient VPN server, a loopback interface is created dynamically on the remote device. No other services can be configured on this loopback interface.

For Efficient VPN-capable devices, their licensing requirements for the Efficient VPN function are as follows:

  • AR100&AR120 series: Efficient VPN is a basic feature of the device and is not under license control.
  • AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 series: By default, the Efficient VPN function is disabled on a new device. To use the Efficient VPN function, apply for and purchase the following licenses from the Huawei local office.
    • AR150&AR160&AR200 series: AR150&160&200 Value-Added Security Package
    • AR1200 series: AR1200 Value-Added Security Package
    • AR2200 series: AR2200 Value-Added Security Package
    • AR3200 series: AR3200 Value-Added Security Package
    • AR3600 series: AR3600 Value-Added Security Package

Impact on Performance

  • The DH group value affects IKE negotiation performance (for example, the tunnel creation rate). The higher the DH group value, the greater the impact on IKE negotiation performance (for example, the tunnel creation rate drops sharply).
  • When the number of IPSec tunnels exceeds 50% of the maximum limit, high CPU usage alarms may be generated for a short period after the undo ipsec policy or undo ipsec profile command is run. After all the SAs are cleared, the CPU usage returns to the normal range.

Restrictions on the Use of IPSec

  • When you configure a security proposal, the security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode must be the same on both tunnel endpoints; otherwise, tunnel negotiation fails. If PFS is configured, both ends must use the same PFS algorithm; otherwise, tunnel negotiation fails.
  • In L2TP over IPSec scenarios, the function that allows the responder to accept the initiator's security proposal is normally used together with L2TP. Using this function on its own reduces network security and is therefore not recommended.
  • To reference an ACL in an IPSec policy, ensure that the ACL contains rules and that it contains no more than 256 rules. Otherwise, the ACL cannot be referenced by the IPSec policy.
  • When configuring the data flows to be encrypted by IPSec, write ACL rules that are refined by service. Loose ACL rules let unintended data flows enter the encryption tunnel and can cause service interruption.
  • Do not set the MTU of an interface to which an IPSec policy group applies to less than 256 bytes. IP packets become longer after IPSec processing, so a small MTU makes the interface split a large IP packet into many fragments, and the peer device may not receive or process such fragmented packets properly.
  • When a NAT device is deployed between IPSec peers, NAT traversal must be enabled and the security protocol must be ESP.
  • In AH encapsulation mode, the DF flag bit of the inner packet is copied to the outer packet, and the Router combines it with the DF flag bit of the outer layer when calculating the packet checksum. If the peer end of the tunnel removes the DF flag bit from the outer packet before calculating the checksum, the checksums on the two ends differ and communication fails. To prevent this, run the ipsec df-bit clear command so that the checksums on both ends of the tunnel are consistent.
  • When IPSec on both the AR and its peer device uses the SHA-2 algorithm, an IPSec tunnel can be established but traffic cannot be transmitted if the two devices use different SHA-2 encryption and decryption modes. In this case, run the ipsec authentication sha2 compatible enable command on the AR to make its SHA-2 encryption and decryption modes the same as those on the peer device.
  • Deploying IPSec on both physical interfaces and tunnel interfaces is not recommended. If IPSec is deployed on both, the device acting as the negotiation responder first attempts tunnel negotiation through IPSec on the tunnel interface; if the IPSec access requirements of the tunnel interface are not met, it then attempts negotiation through IPSec on the physical interface.
  • In transport mode, the flow information after IPSec negotiation must be consistent with the IPSec tunnel address, which is a 32-bit host address.

Restrictions on the Use with NAT

If NAT is configured on an interface to which an IPSec policy group applies, the IPSec configuration may not take effect, because the device performs NAT before IPSec processing and the translated packet may no longer match the ACL referenced by the IPSec policy.
  • If the interface implements IPSec but not NAT, the action in the ACL rule referenced by NAT must be set to deny, and the destination IP address in that rule must be the same as the destination IP address in the ACL rule referenced by the IPSec policy.
  • If the interface implements NAT but not IPSec, the destination IP address in the ACL rule referenced by the IPSec policy cannot be a NATed IP address.
  • If the interface implements both NAT and IPSec, the destination IP address in the ACL rule referenced by the IPSec policy must be a NATed IP address.
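The following is an added illustration, not code from this document or from the device: a small Python model of the "NAT first, then IPSec ACL match" order described above. It uses constructed addresses (LAN 192.168.1.0/24, remote site 192.168.2.0/24, interface address 203.0.113.1) and shows why the NAT ACL needs a deny rule whose destination matches the IPSec ACL.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ACL rule: first match wins, no match is an implicit deny."""
    action: str               # "permit" or "deny"
    src: str                  # source prefix, CIDR notation
    dst: str = "0.0.0.0/0"    # destination prefix, CIDR notation


def acl_lookup(acl, src, dst):
    """Return the action of the first rule matching (src, dst)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return "deny"


def forward(nat_acl, ipsec_acl, src, dst, public_ip):
    """Model of an outbound interface carrying both nat outbound and an
    IPSec policy: NAT is applied first, then the IPSec ACL is matched
    against the (possibly translated) packet. Returns (source address
    on the wire, whether the packet entered the IPSec tunnel)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = public_ip          # source NAT to the interface address
    protected = acl_lookup(ipsec_acl, src, dst) == "permit"
    return src, protected


# Constructed example addresses and ACLs (not from the document).
PUBLIC_IP = "203.0.113.1"
IPSEC_ACL = [Rule("permit", "192.168.1.0/24", "192.168.2.0/24")]
# Loose NAT ACL: translates everything, including the site-to-site flow.
LOOSE_NAT_ACL = [Rule("permit", "192.168.1.0/24")]
# Strict NAT ACL: deny rule with the IPSec ACL's destination comes first.
STRICT_NAT_ACL = [Rule("deny", "192.168.1.0/24", "192.168.2.0/24"),
                  Rule("permit", "192.168.1.0/24")]

if __name__ == "__main__":
    for name, acl in (("loose", LOOSE_NAT_ACL), ("strict", STRICT_NAT_ACL)):
        wire_src, in_tunnel = forward(acl, IPSEC_ACL, "192.168.1.10",
                                      "192.168.2.10", PUBLIC_IP)
        print(f"{name}: src on wire {wire_src}, in IPSec tunnel: {in_tunnel}")
```

With the loose NAT ACL the site-to-site packet leaves with the public source address and never matches the IPSec ACL, so it is sent unprotected; with the deny rule in place it stays untranslated and enters the tunnel, while Internet-bound traffic is still translated.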
Updated: 2019-08-07

Document ID: EDOC1100033725