CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
(Optional) Configuring IPSec VPN Multi-instance

Context

When multiple branches connect to the headquarters network across the Internet using IPSec, you can configure IPSec VPN multi-instance to isolate the traffic of different branches.

Depending on the IKE negotiation mode, you can specify the VPN instance to which IPSec tunnel traffic belongs in either of the following two modes:
  • Binding a VPN instance in SA mode

  • Binding a VPN instance in IKE user mode

When a VPN instance is bound to traffic in SA mode, the device determines the VPN instance to which site traffic passing through the IPSec tunnel belongs by the user type, isolating traffic from different sites. A VPN instance bound in SA mode has a higher priority than a VPN instance bound in IKE user mode.

NOTE:

The configuration takes effect only on the initiator of an IPSec tunnel. The initiator needs to obtain the outbound interface when sending packets. The packets received by the remote peer contain the VPN attribute, so the remote peer can still receive packets when no VPN is specified for it.

Procedure

  • Binding a VPN instance in SA mode

    1. Run system-view

      The system view is displayed.

    2. Run ike peer peer-name

      An IKE peer is created and the IKE peer view is displayed.

    3. Run sa binding vpn-instance vpn-instance-name

      A VPN instance that IPSec tunnel traffic belongs to is specified.

      By default, a VPN instance that IPSec tunnel traffic belongs to is not configured.

    The VPN instance must already have been created using the ip vpn-instance command, and the route distinguisher (RD) must have been configured for it using the route-distinguisher command.

    The specified VPN instance must be the same as the VPN instance bound to the ACL rule that is referenced by the IPSec policy (see Configuring an IPSec Policy).

  • Binding a VPN instance in IKE user mode

    1. Run system-view

      The system view is displayed.

    2. Run ike user-table user-table-id

      An IKE user table is created and its view is displayed, or the view of an existing IKE user table is displayed directly.

    3. Run user user-name

      An IKE user is created and its view is displayed, or the view of an existing IKE user is displayed directly.

    4. Run vpn-instance-traffic { public | name vpn-instance-name }

      A VPN instance corresponding to user traffic of the IKE user table is configured.

      By default, the VPN instance corresponding to user traffic of the IKE user table is not configured.

      The VPN instance must already have been created using the ip vpn-instance command, and the route distinguisher (RD) must have been configured for it using the route-distinguisher command.

      The specified VPN instance must be the same as the VPN instance bound to the ACL rule that is referenced by the IPSec policy (see Configuring an IPSec Policy).

    5. Run quit

      Return to the IKE user table view.

    6. Run quit

      Return to the system view.

    7. Run ike peer peer-name

      The IKE peer view is displayed.

    8. Run user-table user-table-id

      The IKE user table is referenced in the IKE peer.
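
The two procedures above as one configuration sketch, showing where the VPN instance name has to agree. This is an added example, not part of the original guide: every name, ID, RD and subnet is constructed, and the ipv4-family, acl, rule, ipsec policy, security acl and ike-peer lines are assumed standard VRP syntax rather than commands taken from this page. Lines starting with # are annotations.

```text
# Constructed values: vpna/vpnb, RDs, ACL 3101, peer/policy/user names, subnets.
# Prerequisite from the procedure: each VPN instance exists and has an RD.
system-view
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  quit
 quit
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  quit
 quit
#
# SA mode: the name in the ACL rule and the name in the IKE peer must match.
acl number 3101
 rule 5 permit ip vpn-instance vpna source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
 quit
ike peer branch1
 sa binding vpn-instance vpna
 quit
# The IPSec policy is what links ACL 3101 to peer branch1; its remaining
# settings are configured as described in Configuring an IPSec Policy.
ipsec policy policy1 10 isakmp
 security acl 3101
 ike-peer branch1
 quit
#
# IKE user mode: the VPN instance is set per user in a user table,
# and the table is then referenced from the IKE peer.
ike user-table 10
 user branch2
  vpn-instance-traffic name vpnb
  quit
 quit
ike peer branch2
 user-table 10
 quit
```

If the name after sa binding vpn-instance or vpn-instance-traffic differs from the one in the ACL rule that the IPSec policy references, the consistency requirement stated in the procedure is not met, so review the three places together whenever an instance is renamed.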

Updated: 2019-08-07

Document ID: EDOC1100033725
