No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IPSec Reliability

IPSec Reliability

Link Redundancy

To improve network reliability, an enterprise connects a branch network to the headquarters network through two or more links. When a link fails, services are immediately switched to another link. The device provides two redundancy modes: active/standby IPSec links and IPSec multi-link.

Active and Standby IPSec Links

In Figure 4-17, Router_A connects to Router_B through active/standby links. Two tunnel interfaces are created on Router_A and they borrow the IP address of the same physical interface. Different IPSec policies are applied to the two tunnel interfaces to create active and standby IPSec tunnels. Different IPSec policies are applied to the two physical interfaces on Router_B. When the active link fails, traffic is switched to the standby link. A new IPSec tunnel is established on the standby link, and the old IPSec tunnel is deleted.

Figure 4-17  Active and standby IPSec links

IPSec Multi-link

In Figure 4-18, Router_A connects to Router_B through active/standby links. An IPSec tunnel is established between the physical interface of Router_A and tunnel interface of Router_B. Traffic is processed by IPSec on the tunnel interface and sent out by a physical interface according to the routing table. When the active link fails, the route is unreachable and traffic is switched to the standby link. Re-negotiation is not required for the IPSec tunnel, so traffic can be rapidly switched.

Figure 4-18  Using the tunnel interface to implement link redundancy

A tunnel interface can implement multi-link redundancy. This mode is more simple and switches traffic faster than the active/standby links.

In the scenario where an IPSec gateway is connected to different ISP networks or the same ISP network but the active and standby links are connected to different access routers of the same ISP network across LANs or areas, if the active link becomes faulty, the device on the standby link may discard the IPSec packets whose source address belongs to a different ISP network or access router. Therefore, before configuring link redundancy, check whether active/standby link switching is allowed in the actual network environment.

Download
Updated: 2019-04-12

Document ID: EDOC1100041799

Views: 31818

Downloads: 45

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next