NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Licensing Requirements and Limitations for IPSec--S2F

Licensing Requirements

This feature is a basic feature and is not under license control.

Restrictions and Guidelines

Each entry below gives the restriction, the guideline for working within it, and the impact if the restriction is not observed.

Restriction: ACL rules used for IPsec negotiation, filtering, or mirroring do not support discontinuous masks (masks in which the 1s or 0s are not contiguous, such as 255.0.255.0).
Guideline: None
Impact: IPsec negotiation, filtering, or mirroring does not take effect if discontinuous masks are used in ACL rules.

Restriction: When configuring static routes to direct IPsec traffic into IPsec tunnels, specify an IPsec tunnel interface as the outbound interface of the static route and configure the remote address as the next hop address.
Guideline: None
Impact: User traffic cannot be forwarded.

Restriction: After an IPsec tunnel interface borrows the IP address of another interface, the interface that lends its IP address cannot carry other services, because it can no longer receive or send multicast or broadcast packets.
Guideline: Plan the network properly and do not configure other services on the interface that lends its IP address.
Impact: Services on the interface that lends its IP address are affected.

Restriction: Before pinging the protection tunnel on the IPsec gateway, specify the source IP address (that is, specify the a parameter). Pinging the protection tunnel with the peer tunnel interface specified as the next hop IP address (that is, specifying nexthop) is not supported.
Guideline: Do not ping the protection tunnel with the peer tunnel interface specified as the next hop IP address (specifying nexthop).
Impact: After the next hop is specified, packets are forwarded based on the next hop and do not enter the IPsec tunnel.

Restriction: The port number in an ACL referenced by IPsec must be configured with the eq operator.
Guideline: Configure the ACL rule referenced by IPsec properly.
Impact: Negotiation fails.

Restriction: IPsec does not support traffic forwarding through GigabitEthernet 0/0/0 or a global VE interface. The VSUF80/160 does not support traffic forwarding through a BDIF interface.
Guideline: Plan the network properly.
Impact: User traffic cannot be forwarded on the specified interfaces.

Restriction: IKE-negotiated IPsec supports only tunnel mode, and manual IPsec supports only transport mode.
Guideline: Select the correct encapsulation mode.
Impact: Traffic is interrupted.

Restriction: Only IKEv1 supports the algorithms approved by the State Cryptography Administration (SM2, SM3, and SM4).
Guideline: Set the parameters correctly.
Impact: IKE negotiation fails.

Restriction: IKEv1 main mode does not support NAT traversal.
Guideline: Avoid NAT traversal in IKEv1 main mode.
Impact: IKE negotiation fails.

Restriction: An IPsec policy requires both an ACL and an IKE peer. The VPN configured in the ACL rule must be the same as the VPN bound to the IKE peer.
Guideline: Ensure that the VPN bound to the IKE peer is the same as the VPN configured in the ACL rule.
Impact: IPsec traffic forwarding fails when the two configurations differ.

Restriction: IPsec tunnel routes, and routes to the remote end through IPsec tunnels, do not support load balancing.
Guideline: Configure only one route for directing traffic into the local tunnel.
Impact: IPsec traffic forwarding is affected.

Restriction: In an IPsec over L2TP scenario, the device supports L2TPv2 only (not L2TPv3) and can function only as the LNS (not as the LAC). The device also does not support dual-system hot backup in this scenario.
Guideline: None
Impact: User traffic cannot be forwarded.

Restriction: L2TP over IPsec is not supported.
Guideline: None
Impact: User traffic cannot be forwarded.

Restriction: GRE over IPsec does not support dual-system hot backup or the path MTU.
Guideline: None
Impact: User traffic cannot be forwarded.

Restriction: In mGRE over IPsec scenarios, IPsec traffic filtering and traffic mirroring are implemented based on the encapsulated GRE packets rather than on the original packets.
Guideline: None
Impact: In mGRE over IPsec scenarios, IPsec traffic filtering and traffic mirroring are implemented based on the encapsulated GRE packets rather than on the original packets.

Restriction: In IPsec NAT traversal scenarios, IPsec and NAT must be deployed on different devices.
Guideline: None
Impact: User traffic cannot be forwarded.
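Two of the ACL restrictions above (no discontinuous masks, and port numbers only with the eq operator) are easy to violate silently, because the device accepts the ACL but IPsec simply does not match or negotiate. The following pre-deployment linter is an added example, not Huawei's code or the device's ACL syntax: it assumes a simplified dict representation of ACL rules (constructed here as sample input) and flags rules that would be ignored by IPsec or cause negotiation to fail.

```python
import ipaddress

# Constructed sample ACL rules in a simplified dict form.
# Assumption: this is an illustrative representation, not the device's own ACL syntax.
SAMPLE_RULES = [
    {"id": 5,  "src": "10.1.0.0", "mask": "255.255.0.0",   "port_op": "eq",    "port": 500},
    {"id": 10, "src": "10.2.0.0", "mask": "255.0.255.0",   "port_op": "eq",    "port": 4500},
    {"id": 15, "src": "10.3.0.0", "mask": "255.255.255.0", "port_op": "range", "port": (1000, 2000)},
    {"id": 20, "src": "10.4.0.0", "mask": "0.0.255.255",   "port_op": None,    "port": None},
]


def _is_power_of_two(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


def mask_is_contiguous(mask: str) -> bool:
    """Return True if the dotted-decimal mask is a contiguous run of 1s then 0s.

    Accepts both subnet-mask form (255.255.0.0) and wildcard form (0.0.255.255):
    a contiguous subnet mask M has (~M + 1) equal to a power of two, and a
    contiguous wildcard W has (W + 1) equal to a power of two.
    """
    value = int(ipaddress.IPv4Address(mask))
    inverted = (~value) & 0xFFFFFFFF
    return _is_power_of_two(inverted + 1) or _is_power_of_two(value + 1)


def lint_ipsec_acl(rules):
    """Return a list of (rule_id, message) for rules that violate the IPsec ACL restrictions."""
    findings = []
    for rule in rules:
        if not mask_is_contiguous(rule["mask"]):
            findings.append((rule["id"],
                             f"discontinuous mask {rule['mask']}: rule will not take effect for IPsec"))
        # A port operator other than eq (e.g. range, gt, lt) makes IPsec negotiation fail.
        if rule.get("port_op") is not None and rule["port_op"] != "eq":
            findings.append((rule["id"],
                             f"port operator '{rule['port_op']}' is not supported; use eq"))
    return findings


if __name__ == "__main__":
    for rule_id, message in lint_ipsec_acl(SAMPLE_RULES):
        print(f"rule {rule_id}: {message}")
```

Running the block on the constructed sample reports rule 10 (mask 255.0.255.0) and rule 15 (range operator); rules 5 and 20 pass, showing that both subnet-mask and wildcard notation are handled by the same contiguity test.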

Updated: 2019-01-02

Document ID: EDOC1100055397
