No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring a Multi-link Shared IPSec Policy Group

(Optional) Configuring a Multi-link Shared IPSec Policy Group


To improve network reliability, the enterprise gateway often connects to the Internet Service Provider (ISP) through two egress links, which work in backup or load balancing mode. When two outbound interfaces are configured with IPSec policies with the same parameter settings, services need to be smoothly switched between the two links corresponding to the two outbound interfaces. The two outbound interfaces negotiate with their peers to establish IPSec SAs respectively. When an active/standby switchover occurs, the two peers need to perform IKE negotiate again to generate IPSec SAs. The IKE re-negotiation causes IPSec service interruption in a short time.

You can configure a multi-link shared IPSec policy group and use a loopback interface on the local device to establish an IPSec tunnel with the remote device. When an active/standby switchover occurs, IPSec services are not interrupted. The two IPSec-enabled physical interfaces share the same IPSec SA. When services are switched between links corresponding to the physical interfaces, the IPSec SA is not deleted as long as the loopback interface status remains unchanged. In addition, IKE re-negotiation is not required because the same IPSec SA is used to protect IPSec services.

As shown in Figure 5-30, packets of branch gateway RouterA reach headquarters gateway RouterB through two egress links. If an egress link is faulty, IPSec communication between RouterA and RouterB is not affected. The multi-link shared mode improves network reliability.

Figure 5-30  Using an IPSec tunnel in multi-link shared mode


One loopback interface maps to only one multi-link shared IPSec policy group.


  1. Run system-view

    The system view is displayed.

  2. Run ipsec policy policy-name shared local-interface loopback interface-number

    An IPSec policy is configured as a multi-link shared security policy.

    By default, no IPSec policy is configured as a multi-link shared security policy.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 142803

Downloads: 359

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next