No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S600-E V200R012C00 Configuration Guide - VPN

This document describes the configurations of VPN, including IPSec, MCE.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IPSec Enhancements

IPSec Enhancements

IPSec Multi-instance

IPSec multi-instance is used to provide the firewall lease service to isolate networks of small enterprises.

As shown in Figure 2-14, branches of three small enterprises share a VPN gateway. The three enterprise networks must be isolated. IP addresses of each enterprise are planned independently, and therefore IP addresses on different private networks may overlap. The IPSec multi-instance function can be configured on the VPN gateway to bind IPSec tunnels of the three enterprises to different VPN instances. This ensures that packets with the same destination IP addresses can be correctly forwarded.

Figure 2-14  Typical IPSec multi-instance network

Efficient VPN

On an enterprise network with many branches, IPSec must be configured on headquarters and branch gateways. These IPSec configurations are complex and difficult to maintain. IPSec Efficient VPN can solve these problems with its high security, reliability, and flexibility. It has become the first choice for enterprises to establish VPNs.

Efficient VPN uses the client/server model. It concentrates IPSec and other configurations on the Efficient VPN server (headquarters gateway). When basic parameters for establishing an SA are configured on the remote devices (branch gateways), the remote devices initiate a negotiation and establish an IPSec tunnel with the server. After IPSec tunnels are established, the Efficient VPN server allocates other IPSec attributes and network resources to the remote devices. Efficient VPN simplifies configurations and maintenance of IPSec and network resources for the branches.

Operation Modes
  • Client mode

    1. When a remote device requests an IP address from the Efficient VPN server, a loopback interface is dynamically created on the remote device and the IP address obtained from the server is assigned to the loopback interface.
    2. The remote device automatically enables NAT to translate its original IP address into the obtained IP address, and then uses this IP address to establish an IPSec tunnel with the headquarters.
    3. The remote device uses the obtained IP address to establish an IPSec tunnel with the headquarters.

    The client mode applies to scenarios where small-scale branches connect to the headquarters network through private networks, as shown in Figure 2-15. In client mode, devices connected to the Efficient VPN server or remote devices can use the same IP address. However, the number of devices allowed depends on the number of IP addresses assigned by the Efficient VPN server.

    Figure 2-15  Client mode

  • Network mode

    In network mode, a remote device does not apply to the Efficient VPN server for an IP address.

    The network mode applies to scenarios where IP addresses of the headquarters and branches are planned uniformly. Ensure that IP addresses do not conflict.

  • Network-plus mode

    Compared with the network mode, the remote device applies to the Efficient VPN server for an IP address in network-plus mode. IP addresses of branches and headquarters are configured beforehand. A remote device applies to the Efficient VPN server for an IP address. The Efficient VPN server uses the IP address to perform ping, STelnet, or other management and maintenance operations on the remote device.

The Efficient VPN server also delivers the following resources in addition to parameters for establishing an IPSec tunnel:
  • Network resources including the DNS domain name, DNS server IP addresses, and WINS server IP addresses

    The Efficient VPN server delivers the preceding resources so that branches can access them on the Efficient VPN server.

  • ACL resources

    The Efficient VPN server delivers headquarters network information defined in an ACL to the remote device. The ACL defines the headquarters subnets that branches can access. Traffic not destined for the subnets specified in the ACL is directly forwarded to the Internet. Such traffic does not pass through the IPSec tunnel.

Updated: 2018-09-01

Document ID: EDOC1100037956

Views: 2768

Downloads: 7

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next