CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring the Remote Device

Context

Only mandatory parameters, such as the Efficient VPN server IP address and pre-shared key, need to be configured on a remote device. Other parameters, such as authentication and encryption algorithms used in IKE negotiation, and the IPSec proposal, are preconfigured on the Efficient VPN server. Configuring parameters on the remote device includes configuring basic and optional parameters:

  1. Basic parameters: Efficient VPN operation mode, IP address of the remote device connected to the Efficient VPN server, and authentication key.
  2. Optional parameters: these can be set on the remote device, on the Efficient VPN server, or on both. If they are configured at only one end, both ends use those values. If they are configured at both ends, the values must match for IKE negotiation to succeed.
The Efficient VPN server also delivers the following resources in addition to parameters for establishing an IPSec tunnel:
  • Network resources including DNS domain names, DNS server IP addresses, and WINS server IP addresses

    The Efficient VPN server delivers the preceding resources so that branches can access them.

  • ACL resources

    The Efficient VPN server delivers headquarters network information defined in an ACL to remote devices. The ACL defines the headquarters subnets that branches can access. Branch traffic not destined for the subnets specified in the ACL is directly forwarded to the Internet. Such traffic does not pass through the IPSec tunnel.

    NOTE:

    In network-auto-cfg mode, delivery of the parameters defined in the ACL is not supported.

Procedure

  1. Set basic parameters and optional parameters on the remote device.
    1. Run system-view

      The system view is displayed.

    2. Create an Efficient VPN policy and determine whether to reference an ACL based on the Efficient VPN mode.

      • Create an IPSec Efficient VPN policy in client mode.

        Run ipsec efficient-vpn efficient-vpn-name [ mode client ]

        An IPSec Efficient VPN policy in client mode is created and the IPSec Efficient VPN policy view is displayed.

        By default, no IPSec Efficient VPN policy is created in the system.

        The remote device in client mode applies to the headquarters for an IP address to establish an IPSec tunnel with the Efficient VPN server. The source address in packets sent from the branch to the headquarters is the requested IP address, so ACLs are not required.

      • Create an IPSec Efficient VPN policy in network-auto-cfg mode.

        Run ipsec efficient-vpn efficient-vpn-name [ mode network-auto-cfg ]

        An IPSec Efficient VPN policy in network-auto-cfg mode is created and the IPSec Efficient VPN policy view is displayed.

        By default, no IPSec Efficient VPN policy is created in the system.

        The network-auto-cfg mode is supported in IKEv1 only.

      • Create an IPSec Efficient VPN policy in network or network-plus mode and reference an ACL.

        1. Run ipsec efficient-vpn efficient-vpn-name [ mode { network | network-plus } ]

          An IPSec Efficient VPN policy in network or network-plus mode is created and the IPSec Efficient VPN policy view is displayed.

          By default, no IPSec Efficient VPN policy is created in the system.

        2. Run security acl acl-number

          An ACL is referenced in the IPSec Efficient VPN policy.

          By default, no ACL is referenced.

          acl-number specifies an advanced ACL that has already been created.

          If an ACL is referenced, its rules can match IP packets only, that is, rule permit ip.

    3. Run remote-address { ip-address | host-name host-name } { v1 | v2 }

      A peer address or a domain name in IKE negotiation is configured.

      By default, no IP address or domain name is configured for the remote IKE peer during IKE negotiation.

      You can configure a maximum of two IP addresses or two domain names in the same view.

      To improve network reliability, two devices can be deployed at the headquarters to connect to the branch gateway. In an IPSec policy, two IP addresses or domain names of the remote IKE peer can be configured on the branch gateway. The branch gateway first attempts to use the first configured IP address or domain name to establish an IKE connection with the headquarters gateway. If establishing an IKE connection fails, the branch gateway uses the second IP address or domain name to establish an IKE connection.

    4. Configure an authentication key according to the authentication mode in the IKE proposal.

      NOTE:

      The system uses the pre-shared key authentication by default. The remote device and Efficient VPN server select the authentication mode using the authentication-method command.

      • If pre-shared key authentication is used, configure a pre-shared key.

        Run pre-shared-key { simple | cipher } key

        A pre-shared key is configured.

        By default, no pre-shared key is configured on IKE peers.

        The pre-shared key at the two ends must be the same.

        If simple is used, the key is saved in the configuration file in plain text, which is a security risk. Use cipher so that the key is stored in cipher text.

      • When RSA signature authentication is used, obtain a digital signature.

        1. Run pki realm realm-name

          A PKI domain that the digital signature in the Efficient VPN policy belongs to is specified. The system obtains the local CA certificate and device certificate according to the PKI configuration.

          By default, no PKI domain is bound to an IKE peer or an Efficient VPN policy.

          realm-name specifies a PKI domain that has been created using the pki realm command.

        2. (Optional) Run inband ocsp

          The device is configured to validate the remote certificate based on the OCSP validation result sent from the remote device when IKEv2 uses RSA signature authentication.

          By default, the device does not validate the remote certificate based on the OCSP validation result sent from the remote device when IKEv2 uses RSA signature authentication.

        3. (Optional) Run inband crl

          The device is configured to validate the remote certificate based on the CRL sent from the remote device when IKEv2 uses RSA signature authentication.

          By default, the device does not validate the remote certificate based on the CRL sent from the remote device when IKEv2 uses RSA signature authentication.

    5. Run dh { group1 | group2 | group5 | group14 | group19 | group20 | group21 }

      A Diffie-Hellman group used for IKE negotiation is configured.

      By default, group14 is used for IKE negotiation.

      You are advised not to use group1, group2, or group5; otherwise, security defense requirements may not be met.

    6. (Optional) Set optional parameters.

      • Run authentication-method { pre-share | rsa-signature }

        An authentication method is specified for an IKE proposal.

        By default, pre-shared key authentication is used.

      • Run local-id-type { dn | ip | key-id | fqdn | user-fqdn }

        The local ID type used in IKE negotiation is set.

        By default, the IP address of the local end is used as the local ID.

        When the device functions as the remote end to communicate with a Cisco device in the Efficient VPN policy, you need to specify the key-id parameter in the command. Meanwhile, you also need to run the service-scheme command to specify the service scheme that the Cisco device uses.

      • Run service-scheme service-scheme-name

        A server-end service scheme is configured in an Efficient VPN policy.

        By default, no server-end service scheme is configured in an Efficient VPN policy.

        If the server authorizes the remote device through an AAA service scheme, specify here the AAA service scheme configured on the server. You must also specify the key-id parameter in the local-id-type command; if key-id is not specified, this configuration does not take effect. If authorization is performed using the service scheme already in use on the server, this step is not required.

        If the aaa authorization command is configured on the server to enable AAA RADIUS server authorization, run the service-scheme command to specify the AAA domain configured on the server.

      • Run sim-based-username type { imei | imsi } password password

        The type of the user name used by the remote device to be authenticated by the RADIUS server is configured.

        By default, the type of the user name used by the remote device to be authenticated by the RADIUS server is not configured.

        The configuration of this step takes effect in the network-auto-cfg mode only.

      • Run dpd msg { seq-hash-notify | seq-notify-hash }

        The sequence of the payload in DPD packets is set.

        By default, the sequence of the payload in DPD packets is notify-hash.

        The two ends must use the same sequence of the payload in DPD packets; otherwise, DPD is invalid.

      • Run tunnel local { ip-address | applied-interface }

        A local IP address is configured.

        By default, the local IP address is not configured.

        For the IKE negotiation mode, you do not need to configure an IP address for the local end of an IPSec tunnel. During SA negotiation, the device will select a proper address based on route information. The local address needs to be configured in the following situations:
        • If the IP address of the interface to which an IPSec policy is applied varies or is unknown, run the tunnel local ipv4-address command to specify the IP address of another interface (such as the loopback interface) on the device as the IP address for the local end of an IPSec tunnel. Otherwise, run the tunnel local applied-interface command to specify the IP address of the interface to which an IPSec policy is applied as the local address of an IPSec tunnel.
        • If the interface to which an IPSec policy is applied has multiple IP addresses (one primary IP address and several secondary IP addresses), run the tunnel local ipv4-address command to specify one of these IP addresses as the IP address for the local end of an IPSec tunnel. Otherwise, run the tunnel local applied-interface command to specify the primary IP address of the interface as the local address of an IPSec tunnel.
        • If equal-cost routes exist between the local and remote ends, run the tunnel local command to specify a local IP address for an IPSec tunnel.
      • Run remote-id id

        The remote ID for IKE negotiation is configured.

        By default, the remote ID for IKE negotiation is not configured.

      • Run sa binding vpn-instance vpn-instance-name

        A VPN instance is bound to an IPSec tunnel.

        This command specifies the VPN that the remote end of the IPSec tunnel belongs to. The tunnel initiator then can obtain the outbound interface and send packets through the outbound interface.

      • Run qos group qos-group-value

        The QoS group to which the IPSec packets belong is set.

        By default, no QoS group to which the IPSec packets belong is set.

      • Run qos pre-classify

        Pre-extraction of original IP packets is enabled.

        By default, pre-extraction of original IP packets is disabled.

      • Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group21 }

        The device is configured to use Perfect Forward Secrecy (PFS) in IPSec negotiation.

        By default, PFS is not used in IPSec negotiation.

      • Run anti-replay window window-size

        The IPSec anti-replay window size is set.

        By default, the IPSec anti-replay window size is 1024 bits.

    7. Apply the Efficient VPN policy to an interface.

      1. Run quit

        Return to the system view.

      2. Run interface interface-type interface-number

        The interface view is displayed.

      3. Run ipsec efficient-vpn efficient-vpn-name

        The Efficient VPN policy is applied to the interface.

      Only one Efficient VPN policy can be bound to the remote device, except when the remote device has multiple egress links.

  2. (Optional) Set optional parameters in the system view on the remote device.
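As an added example (not part of the Huawei guide), the following Python audit reads a remote-device configuration fragment written with the commands from the procedure above and reports the caveats the procedure states: a plain-text pre-shared-key simple, a DH group the guide advises against, a security acl in network-auto-cfg mode, a service-scheme without local-id-type key-id, and a wrong number of remote-address entries. The sample configuration, the policy name, addresses and scheme name are constructed, and the assumption that client is the default policy mode is marked in the code.

```python
import re
# Constructed sample input: the remote-device configuration the procedure above
# produces, using the commands as the page gives them (not a real device dump).
SAMPLE_CONFIG = """\
ipsec efficient-vpn branch1 mode network
 security acl 3000
 remote-address 203.0.113.10 v2
 pre-shared-key simple Example@123
 dh group2
 service-scheme hq-scheme
interface GigabitEthernet0/0/1
 ipsec efficient-vpn branch1
"""
WEAK_DH = {"group1", "group2", "group5"}  # groups the guide advises against


def audit_efficient_vpn(config):
    """Return findings for the first Efficient VPN policy in config, per the procedure's caveats."""
    findings, mode, remote_addrs = [], None, 0
    has_acl = has_psk = False
    auth, id_type, scheme = "pre-share", "ip", None  # documented defaults
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.match(r"ipsec efficient-vpn \S+(?: mode (\S+))?$", line)) and mode is None:
            mode = m.group(1) or "client"  # assumption: client is the default mode
        elif line.startswith("security acl "):
            has_acl = True
        elif line.startswith("remote-address "):
            remote_addrs += 1
        elif m := re.match(r"pre-shared-key (simple|cipher) ", line):
            has_psk = True
            if m.group(1) == "simple":
                findings.append("pre-shared-key simple: key stored in plain text; use cipher")
        elif m := re.match(r"dh (\S+)$", line):
            if m.group(1) in WEAK_DH:
                findings.append(f"dh {m.group(1)}: weak group; keep group14 or stronger")
        elif m := re.match(r"authentication-method (\S+)$", line):
            auth = m.group(1)
        elif m := re.match(r"local-id-type (\S+)$", line):
            id_type = m.group(1)
        elif m := re.match(r"service-scheme (\S+)$", line):
            scheme = m.group(1)
    rules = [  # cross-command checks from the procedure text
        (not 1 <= remote_addrs <= 2, "remote-address: configure one or two peers"),
        (auth == "pre-share" and not has_psk, "pre-share auth selected but no pre-shared-key set"),
        (mode == "network-auto-cfg" and has_acl, "security acl is not supported in network-auto-cfg mode"),
        (scheme is not None and id_type != "key-id", "service-scheme requires local-id-type key-id"),
    ]
    findings += [msg for bad, msg in rules if bad]
    return findings
```

Running audit_efficient_vpn(SAMPLE_CONFIG) returns three findings (plain-text key, weak DH group, missing key-id); the interface binding line is recognised as a second reference and does not reset the policy mode.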

Updated: 2019-08-07

Document ID: EDOC1100033725
