CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Licensing Requirements and Limitations for A2A VPN

Involved Network Elements

  • Key server
  • Group member

Licensing Requirements

For A2A VPN-capable devices, the GM function is not under license control. The licensing requirements for the KeyServer (KS) function are as follows:
  • AR2200&AR3200&AR3600 series: By default, the KeyServer function is disabled on a new device. To use the KeyServer function, apply for and purchase the following license from the Huawei local office.
    • AR2200 series: AR2200 Value-Added Security Package
    • AR3200 series: AR3200 Value-Added Security Package
    • AR3600 series: AR3600 Value-Added Security Package

Feature Limitations

  • When the device connects to a Cisco device that is used as the KS, you are advised to use a Cisco software version released in 2013 or later, for example, Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2). If a Cisco software version earlier than 2013 is used, multicast rekeying may fail.
  • When the TEK SA lifetime expires, the GM sends a re-registration request to the KS. When the KEK SA lifetime expires, the GM does not send a re-registration request to the KS.
  • A2A VPN does not support NAT traversal.
  • A GM can register with up to four KSs. The KSs work in primary/secondary mode in the order in which they are configured: the GM first attempts to register with the first KS, tries the second KS if that registration fails, and so on through the list.
  • Currently, the KS does not support RSA signature authentication. If the GM uses RSA signature authentication, use a KS from another vendor.
  • When the DH algorithm is group2, run the packet-type ipsec-ike rate-limit command in the KS attack defense policy view to set the rate limit of IKE packets sent to the CPU to 75 or lower. When the DH algorithm is group14, run the same command to set the rate limit to 20 or lower. Otherwise, the CPU usage of the KS becomes high.
  • Only the AR2240 (SRU200, SRU400, SRU100E, SRU200E), AR3260 (SRU200, SRU400, SRU100E, SRU200E), and AR3670 can function as the KS.

Updated: 2019-08-07

Document ID: EDOC1100033725