NetEngine AR600, AR6100, AR6200, and AR6300 V300R019 CLI-based Configuration Guide - VPN
Using an ACL to Establish an IPSec Tunnel
Pre-configuration Tasks
On an IPSec tunnel established in manual or IKE negotiation mode, an ACL defines data flows to be protected. The packets that match the permit clauses in the ACL are protected, and the packets that match the deny clauses are not protected. The ACL can define packet attributes such as the IP address, port number, and protocol type, which help you flexibly define IPSec policies.
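As an added example (not from this guide), the branch-side ACL and IPSec policy binding that implement the permit/deny behaviour described above, together with the mirrored ACL on the headquarters gateway; the subnets, ACL number, and the names peer1, prop1 and policy1 are assumed values:

```text
# Added example, not from the guide. Branch LAN 10.1.1.0/24, HQ LAN 10.1.2.0/24,
# host 10.1.2.100, ACL 3001 and the names peer1/prop1/policy1 are assumed values.
# Branch gateway: rules are matched in rule-number order (the default match
# order), so the deny for the one host that must stay unprotected is placed
# before the broader permit; reversing the order would encrypt that flow too.
acl number 3001
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.100 0
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit
ipsec policy policy1 10 isakmp
 security acl 3001
 ike-peer peer1
 proposal prop1
quit
# Headquarters gateway: the ACL mirrors the branch ACL (source and destination
# swapped) so that both ends agree on the same protected data flow.
acl number 3001
 rule 5 deny ip source 10.1.2.100 0 destination 10.1.1.0 0.0.0.255
 rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
quit
```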
Before establishing an IPSec tunnel using an ACL, complete the following tasks:
- Configure a reachable route between source and destination interfaces.
- (Optional) If L2TP over IPSec needs to be configured, perform the following configurations:
  - Configure LAC on the branch gateway. If a client on the branch network dials to connect to the headquarters network through the LAC, configure NAS-initiated VPN LAC. If the LAC connects to the headquarters network through automatic dial-up, configure LAC auto-dial.
  - Configure LNS on the headquarters gateway.
- (Optional) If ACL-based GRE over IPSec needs to be configured, perform the following configurations:
  - Create a tunnel interface and set the type of the interface to GRE.
  - Configure source and destination IP addresses, and interface IP addresses. The source IP address is the IP address of the outbound interface on the local gateway, and the destination IP address is the IP address of the outbound interface on the remote gateway.
  - Add the tunnel interfaces to a zone.
Enabling the IPSec function on the AC deteriorates the forwarding performance of the device. Therefore, do not enable the IPSec function unless necessary.
- Defining Data Flows to Be Protected
- Configuring an IPSec Proposal
- Configuring an IPSec Policy
- (Optional) Setting the IPSec SA Lifetime
- (Optional) Enabling the Anti-replay Function
- (Optional) Configuring IPSec Fragmentation Before Encryption
- (Optional) Configuring Route Injection
- (Optional) Configuring IPSec Check
- (Optional) Enabling the QoS Function for IPSec Packets
- (Optional) Configuring IPSec VPN Multi-instance
- (Optional) Allowing New Users with the Same Traffic Rule as Original Branch Users to Access the Headquarters Network
- (Optional) Configuring the Device to Keep IPSec Tunnel Indexes Unchanged Based on the Peer IP Address During IPSec Tunnel Re-establishment
- (Optional) Configuring a Multi-link Shared IPSec Policy Group
- (Optional) Configuring Redundancy Control of IPSec Tunnels
- (Optional) Configuring IPSec Gateway Redundancy Control
- (Optional) Configuring IPSec Mask Filtering
- Applying an IPSec Policy Group to an Interface
- Verifying the Configuration of IPSec Tunnel Establishment
Document ID: EDOC1100112360