
CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
IPSec Enhancements

L2TP over IPSec

L2TP over IPSec encapsulates packets first with L2TP and then with IPSec. L2TP provides user authentication and address allocation; IPSec provides confidentiality and integrity for the tunnel. L2TP over IPSec lets branches and traveling employees connect securely to the headquarters.

Figure 4-14 illustrates how L2TP over IPSec allows branches to connect to the headquarters.

Figure 4-14  L2TP over IPSec packet encapsulation and tunnel negotiation

Packets are encapsulated by L2TP first and then by IPSec. In the IP header added during IPSec encapsulation (tunnel mode), the source IP address is the address of the interface to which the IPSec policy is applied, and the destination IP address is the address of the peer interface to which the IPSec policy on the remote peer is applied.

IPSec protects the data flow between the source and the destination of the L2TP tunnel. In the IP header added during L2TP encapsulation, the source IP address is the address of the L2TP source interface and the destination IP address is the address of the L2TP destination interface. When a branch connects to the headquarters, the source address of the L2TP tunnel is the IP address of the outbound interface on the LAC, and the destination address is the IP address of the inbound interface on the LNS.

L2TP encapsulation already adds an IP header carrying public addresses; IPSec tunnel mode adds a second one. The packets therefore become larger, and more of them exceed the link MTU and are fragmented in tunnel mode. For this reason transport mode is recommended for L2TP over IPSec. In transport mode ESP is inserted behind the IP header that L2TP added, so the L2TP endpoints and the IPSec endpoints must be the same addresses.

The L2TP over IPSec negotiation sequence and packet encapsulation process are the same for employees on the move and for employees at branch offices. The difference is that when employees on the move connect to the headquarters, L2TP and IPSec encapsulation is performed on the client itself. The L2TP source address is the private address assigned to the client, which can be any address in the address pool configured on the LNS. The destination address of the L2TP tunnel is the address of the inbound interface on the LNS.

GRE over IPSec

GRE over IPSec combines the advantages of both protocols: GRE encapsulates multicast, broadcast, and non-IP packets into ordinary unicast IP packets, and IPSec secures those encapsulated packets. Broadcast and multicast services such as video conferencing, and dynamic routing protocol messages, can therefore be transmitted securely between the headquarters and a branch.

GRE over IPSec encapsulates packets first with GRE and then with IPSec. IPSec can run in tunnel mode or transport mode. Tunnel mode adds an extra IP header on top of the one GRE already added, which increases packet size and makes fragmentation more likely. Transport mode is therefore recommended.

Figure 4-15  Packet encapsulation and tunnel negotiation in GRE over IPSec

In the IP header added during IPSec encapsulation (tunnel mode), the source IP address is the address of the interface to which the IPSec policy is applied, and the destination IP address is the address of the peer interface to which the IPSec policy on the remote peer is applied.

IPSec protects the data flow from the GRE source address to the GRE destination address. In the IP header added during GRE encapsulation, the source address is the source address of the GRE tunnel and the destination address is the destination address of the GRE tunnel.
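The transport-mode recommendation for both L2TP over IPSec and GRE over IPSec comes down to header overhead against the link MTU. The following Python script is an added example, not code from the Huawei guide: it computes the on-wire size of a packet for each overlay in transport and tunnel mode, how many IPv4 fragments it would need, and the largest inner packet that still crosses the IPSec interface in one piece. Header sizes are the standard wire formats; the ESP suite (AES-CBC with a 16-byte IV and a 128-bit ICV), the uncompressed PPP header, the minimal L2TPv2 data header, and the keyless GRE header are assumptions, as is the 1500-byte MTU.

```python
"""Encapsulation overhead for L2TP over IPSec and GRE over IPSec (added example)."""
import math

IP_HDR = 20      # IPv4 header, no options
UDP_HDR = 8      # L2TP rides on UDP port 1701
L2TP_HDR = 6     # L2TPv2 data header with no optional fields (assumption)
PPP_HDR = 4      # PPP address/control/protocol, uncompressed (assumption)
GRE_HDR = 4      # GRE base header, no key or sequence number (assumption)
ESP_HDR = 8      # SPI + sequence number
ESP_IV = 16      # AES-CBC block-sized IV (assumed cipher)
ESP_TRAILER = 2  # pad length + next header
ESP_ICV = 16     # 128-bit integrity check value (assumed, e.g. HMAC-SHA-256-128)
ESP_BLOCK = 16   # AES block size: plaintext + padding + trailer is a multiple of it


def esp_encapsulate(ip_packet_len, mode):
    """Size of an IP packet of ip_packet_len bytes after ESP protection.

    transport: the original IP header stays outside; ESP covers what follows it.
    tunnel:    the whole packet is encrypted and a new 20-byte IP header is added.
    """
    if mode == "transport":
        protected = ip_packet_len - IP_HDR
    elif mode == "tunnel":
        protected = ip_packet_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    padded = math.ceil((protected + ESP_TRAILER) / ESP_BLOCK) * ESP_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def l2tp_over_ipsec(inner_len, mode):
    """L2TP first (IP/UDP/L2TP/PPP around the inner packet), then ESP."""
    l2tp_packet = IP_HDR + UDP_HDR + L2TP_HDR + PPP_HDR + inner_len
    return esp_encapsulate(l2tp_packet, mode)


def gre_over_ipsec(inner_len, mode):
    """GRE first (IP/GRE around the inner packet), then ESP."""
    gre_packet = IP_HDR + GRE_HDR + inner_len
    return esp_encapsulate(gre_packet, mode)


OVERLAYS = {"l2tp": l2tp_over_ipsec, "gre": gre_over_ipsec}


def ipv4_fragments(wire_len, mtu):
    """Number of IPv4 fragments a wire_len-byte packet needs on a link of this MTU."""
    if wire_len <= mtu:
        return 1
    per_fragment = (mtu - IP_HDR) // 8 * 8   # fragment payloads are 8-byte multiples
    return math.ceil((wire_len - IP_HDR) / per_fragment)


def max_unfragmented_inner(overlay, mode, mtu):
    """Largest inner IP packet that leaves the IPSec interface without fragmentation.

    This is the effective MTU to give the overlay (tunnel interface MTU or TCP MSS
    clamping) so that any fragmentation happens before encryption, not after it.
    """
    wrap = OVERLAYS[overlay]
    inner = mtu
    while inner > 0 and wrap(inner, mode) > mtu:
        inner -= 1
    return inner


def compare(inner_len=1410, mtu=1500):
    """Wire size and fragment count for every overlay/mode combination."""
    rows = {}
    for overlay, wrap in OVERLAYS.items():
        for mode in ("transport", "tunnel"):
            wire = wrap(inner_len, mode)
            rows[(overlay, mode)] = (wire, ipv4_fragments(wire, mtu))
    return rows


if __name__ == "__main__":
    # A 1410-byte inner packet fits in one 1500-byte frame as L2TP over IPSec
    # transport mode but needs two fragments in tunnel mode (constructed input).
    for (overlay, mode), (wire, frags) in compare().items():
        print(f"{overlay:4s} {mode:9s} {wire:5d} bytes on wire, {frags} fragment(s)")
    for overlay in OVERLAYS:
        for mode in ("transport", "tunnel"):
            print(f"{overlay:4s} {mode:9s} max unfragmented inner packet: "
                  f"{max_unfragmented_inner(overlay, mode, 1500)}")
```

The difference between the two modes is exactly the 20 bytes of the extra IP header, but because ESP pads to the cipher block size the cost shows up in steps of 16 bytes, which is why a packet that just fits in transport mode can spill into a second fragment in tunnel mode. The max_unfragmented_inner figure is the number to configure on the tunnel or dialer interface so that hosts fragment (or clamp MSS) before the packet is encrypted.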

IPSec Multi-instance

IPSec multi-instance lets a shared VPN gateway be leased to several small enterprises while keeping their networks isolated from one another.

As shown in Figure 4-16, branches of three small enterprises share one VPN gateway. The three enterprise networks must remain isolated. Each enterprise plans its IP addresses independently, so addresses on the different private networks may overlap. With IPSec multi-instance configured on the VPN gateway, the IPSec tunnel of each enterprise is bound to its own VPN instance, and decrypted packets are forwarded using the routing table of that instance. Packets carrying the same destination IP address from different enterprises are therefore forwarded correctly.

Figure 4-16  Typical IPSec multi-instance network
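What makes multi-instance forwarding unambiguous is that the forwarding decision keys on the security association the packet arrived through, not on the inner destination address. The following Python script is an added example, not code from the Huawei guide: it models three tenants with overlapping 10.1.0.0 prefixes, binds each inbound SA (identified by its SPI) to a VPN instance, and does a longest-prefix match only in that instance's table. Tenant names, SPIs, prefixes and next hops are constructed for the example.

```python
"""IPSec multi-instance forwarding on a shared VPN gateway (added example)."""
from ipaddress import ip_address, ip_network

# Per-VPN-instance route tables: prefix -> outbound interface and next hop (constructed).
ROUTE_TABLES = {
    "vpn-a": {ip_network("10.1.0.0/16"): "GE0/0/1 -> 172.16.1.2"},
    "vpn-b": {ip_network("10.1.0.0/16"): "GE0/0/2 -> 172.16.2.2"},
    "vpn-c": {ip_network("10.1.0.0/24"): "GE0/0/3 -> 172.16.3.2",
              ip_network("10.0.0.0/8"): "GE0/0/3 -> 172.16.3.254"},
}

# Inbound SA (by SPI) -> VPN instance the tunnel was negotiated in (constructed).
SA_BINDING = {0x1001: "vpn-a", 0x2002: "vpn-b", 0x3003: "vpn-c"}


def lookup(table, dst):
    """Longest-prefix match inside one instance's table; None when there is no route."""
    best = None
    for prefix, nexthop in table.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def forward_decrypted(spi, dst_ip):
    """Route an inner packet after decryption.

    The SA it arrived on selects the VPN instance; only that instance's table is
    consulted, so overlapping prefixes of other tenants are never candidates.
    """
    instance = SA_BINDING.get(spi)
    if instance is None:
        # No binding means no isolation guarantee: drop rather than guess a table.
        raise LookupError(f"SPI {spi:#x} is not bound to any VPN instance")
    nexthop = lookup(ROUTE_TABLES[instance], ip_address(dst_ip))
    return instance, nexthop


def forward_without_binding(dst_ip):
    """What a single shared table would face: every tenant with a matching route."""
    dst = ip_address(dst_ip)
    return sorted(inst for inst, table in ROUTE_TABLES.items() if lookup(table, dst))


if __name__ == "__main__":
    for spi in SA_BINDING:
        print(f"SPI {spi:#x} -> 10.1.2.3 via", forward_decrypted(spi, "10.1.2.3"))
    print("same destination without SA binding matches:", forward_without_binding("10.1.2.3"))
```

On the device the equivalent binding is the VPN instance attached to the IPSec policy or IKE peer for each tenant; the model above just makes explicit why a packet for 10.1.2.3 can go to three different places depending on which tunnel it came in on.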

Updated: 2019-04-12

Document ID: EDOC1100041799
