No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring an IPSec Profile

Configuring an IPSec Profile


An IPSec profile defines how to protect data flows, including IPSec proposals, IKE negotiation parameters for SA setup, SA lifetime, and PFS status. An IPSec profile is similar to an IPSec Policy. Compared with the IPSec policy, the IPSec profile is identified by its name and can be configured only in IKE negotiation mode.

In an IPSec profile, you do not need to use ACL rules to define data flows. Instead, all the data flows routed to the IPSec tunnel interface are protected. After an IPSec profile is applied to an IPSec tunnel interface, only one IPSec tunnel is created. The IPSec tunnel protects all the data flows routed to the IPSec tunnel interface, simplifying IPSec policy management.

To ensure successful IKE negotiation, parameters in the IPSec profile on the local and remote ends must match.


  1. Run system-view

    The system view is displayed.

  2. Run ipsec profile profile-name

    An IPSec profile is created and the IPSec profile view is displayed.

    By default, no IPSec profile is created.

  3. Run proposal proposal-name

    An IPSec proposal is referenced in the IPSec profile.

    By default, no IPSec proposal is referenced in an IPSec profile.

    The IPSec proposal must have been created.

  4. Run ike-peer peer-name

    An IKE peer is referenced in the IPSec profile.

    By default, no IKE peer is referenced in an IPSec profile.

    The IKE peer must have been created.

    • You do not need to specify the tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local do not take effect.

    • When an IPSec profile is used, the destination address of the IPSec tunnel interface configured using the destination command is preferentially used as the remote address for IKE negotiation. When the remote-address and destination commands are configured at the same time, ensure that the configured IP addresses are the same; otherwise, IKE negotiation will fail. To implement IKE peer redundancy, do not configure the destination command on the IPSec tunnel interface. Instead, configure the remote-address command on the IKE peer referenced by the IPSec profile.

    • For the detailed configuration of an IKE peer, see Configuring an IKE Peer.

  5. (Optional) Run match ike-identity identity-name

    The identity filter set is referenced.

    identity-name is an identity filter that has been created.


    For details on how to configure an identity filter set, see (Optional) Configuring an Identity Filter Set.

  6. (Optional) Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group21 }

    The device is configured to use perfect forward secrecy (PFS) when the local end initiates negotiation.

    By default, PFS is not used when the local end initiates negotiation.

    When the local end initiates negotiation, there is an additional Diffie-Hellman (DH) exchange in IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange ensures security of the IPSec SA key and improves communication security.

    If PFS is specified on the local end, you also need to specify PFS on the remote end. The DH group specified on the two ends must be the same; otherwise, negotiation fails. When an IPSec policy in ISAKMP mode is used on the local end while an IPSec policy configured using an IPSec policy template is used on the remote end, no DH group needs to be configured on the remote end. The DH group on the responder is used for negotiation.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 141992

Downloads: 357

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next