NetEngine AR600, AR6100, AR6200, and AR6300 V300R021 CLI-based Configuration Guide - VPN
This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring a Tunnel Interface or a Tunnel Template Interface
Context
A tunnel interface is a Layer 3 logical interface. When its encapsulation protocol is GRE, mGRE, or IPSec, the device can provide the IPSec service on it. An IPSec tunnel interface is established based on IKE negotiation: after you configure a tunnel interface and apply an IPSec profile to it, the IPSec tunnel is set up.
The IP address of an IPSec tunnel interface can be manually configured or dynamically requested through IKEv2 negotiation. Dynamically requesting an IP address of the IPSec tunnel interface through IKEv2 negotiation reduces the configuration and maintenance workload of branch devices in scenarios where many branches connect to the headquarters.
A tunnel template interface is similar to a tunnel interface; however, the tunnel template interface can only function as the responder but not the initiator. Generally, a tunnel template interface is created on the headquarters gateway. When a new branch gateway is added to the network, the headquarters gateway will generate a virtual tunnel interface dynamically.
If you apply an IPSec profile to the tunnel template interface, the IKE peer referenced in the IPSec profile can only be IKEv2.
When multiple branches connect to the headquarters, multiple tunnel interfaces at the headquarters may borrow the same physical interface IP address. In this scenario, the headquarters identifies the tunnel interface connected to a branch by the peer IP address or the peer ID of the IKE peer (only IKEv1 in aggressive mode supports the peer ID mode). If you run the destination command on a tunnel interface of the headquarters to specify the IP address of a branch interface, the headquarters preferentially uses this IP address to identify the access of that branch.
When multiple branches are connected to the headquarters, if some tunnel interfaces at the headquarters borrow an IP address from a physical interface and also use a physical interface IP address as their source address, the mappings between IKE peers and tunnel interfaces may be incorrect. As a result, an IPSec tunnel fails to be established.
Procedure
- Configuring a Tunnel Interface
Run system-view
The system view is displayed.
Run interface tunnel interface-number
The tunnel interface view is displayed.
Run tunnel-protocol { gre [ p2mp ] | ipsec }
The encapsulation mode of a tunnel interface is configured.
An IPSec profile can be bound to an IPSec tunnel interface only when the tunnel encapsulation mode is set to IPSec, GRE, or Multipoint GRE (mGRE):
- IPSec: An IPSec tunnel established on a tunnel interface ensures security of unicast data transmitted on the Internet.
- GRE: The IPSec tunnel interface provides GRE over IPSec and transmits unicast and multicast data. The IPSec tunnel interface first adds a GRE header to packets, and then adds an IPSec header to the packets so that packets are reliably transmitted.
- mGRE (specified by gre and p2mp): The IPSec tunnel interface provides Dynamic Smart Virtual Private Network (DSVPN) functions. See DSVPN Configuration.
Run the following commands as required.
Run ip address ip-address { mask | mask-length } [ sub ]
A private IPv4 address is configured for the tunnel interface.
On the IPSec tunnel interface, run ip address ike-negotiated
An IPv4 address is requested for the tunnel interface through IKEv2 negotiation.
Run source { [ vpn-instance vpn-instance-name ] source-ip-address | interface-type interface-number [ standby ] }
The source address or source interface is configured.
You can specify the vpn-instance vpn-instance-name parameter only when the encapsulation mode of a tunnel interface is set to IPSec or mGRE.
It is recommended that the source interface be specified. This is because a dynamic IP address may affect IPSec configuration recovery.
(Optional) Run destination [ vpn-instance vpn-instance-name ] dest-ip-address
The destination address is configured.
When the destination address of an IPSec tunnel interface is not configured, the remote address of the IKE peer referenced by the IPSec profile can be used for initiating negotiation. When the destination address of an IPSec tunnel interface and remote address of an IKE peer are not configured, the local end can only accept the negotiation request initiated by the remote end.
If the encapsulation mode of a tunnel interface is set to GRE, you need to configure destination addresses at both ends.
(Optional) Run tunnel pathmtu enable
The device is enabled to learn the maximum transmission unit (MTU) of packets allowed on an IPSec tunnel.
By default, the device cannot learn the MTU of packets allowed on an IPSec tunnel.
This command takes effect only when the encapsulation mode of the tunnel interface is IPSec or GRE and the destination command has been configured on the tunnel interface.
Run ipsec profile profile-name [ shared ]
An IPSec profile is applied to the tunnel interface.
By default, no IPSec profile is applied to a tunnel interface.
Only one IPSec profile can be applied to a tunnel interface. When shared is not specified, an IPSec profile can be applied to a maximum of 4 tunnel interfaces; when shared is specified, an IPSec profile can be applied to a maximum of 64 tunnel interfaces.
Only the tunnel interface of mGRE type supports shared.
If the same outbound interface is specified for multiple tunnel interfaces, the same IPSec profile must be applied to these tunnel interfaces and the shared parameter must be configured on them. Otherwise, the two ends cannot establish an IPSec tunnel.
When shared is specified, the standby parameter cannot be specified in the source command.
When the number of IPSec tunnels on the device is larger than 50% of the maximum limit, running the undo ipsec profile command may cause a high CPU usage alarm for a short period. After all SAs are cleared, the CPU usage returns to the normal range.
(Optional) Run standby interface interface-type interface-number [ priority ]
A standby tunnel interface is configured and its priority is specified.
By default, no standby tunnel interface is configured.
The headquarters can provide two or more gateways for the branch gateway to improve network reliability. When an IPSec tunnel is set up using virtual tunnel interfaces, you can configure a standby tunnel interface on the branch gateway and apply an IPSec profile to the standby interface to provide a standby link for IPSec setup. Meanwhile, you need to configure the heartbeat or DPD mechanism to implement fast switching between the active and standby tunnels upon a tunnel fault.
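The following is an added worked example (not taken from the configuration guide) that walks through the tunnel interface procedure above for a point-to-point GRE over IPSec tunnel between two gateways with static public addresses. The device names, interface numbers, the RFC 5737 documentation addresses, and the IPSec profile name prof_gre are constructed; the profile itself (IKE peer, proposals, pre-shared key) is assumed to have been configured beforehand. Because the encapsulation mode is GRE, the destination command is required at both ends, and tunnel pathmtu enable is only meaningful once destination is present.

```text
# Site A (assumed: GigabitEthernet0/0/1 carries the public address 192.0.2.1,
# and IPSec profile prof_gre already exists)
<SiteA> system-view
[SiteA] interface tunnel 0/0/1
[SiteA-Tunnel0/0/1] tunnel-protocol gre
[SiteA-Tunnel0/0/1] ip address 10.1.1.1 255.255.255.0
[SiteA-Tunnel0/0/1] source GigabitEthernet 0/0/1
[SiteA-Tunnel0/0/1] destination 198.51.100.1
[SiteA-Tunnel0/0/1] tunnel pathmtu enable
[SiteA-Tunnel0/0/1] ipsec profile prof_gre
[SiteA-Tunnel0/0/1] quit

# Site B (assumed: GigabitEthernet0/0/1 carries the public address 198.51.100.1,
# and IPSec profile prof_gre already exists with Site A as the remote peer)
<SiteB> system-view
[SiteB] interface tunnel 0/0/1
[SiteB-Tunnel0/0/1] tunnel-protocol gre
[SiteB-Tunnel0/0/1] ip address 10.1.1.2 255.255.255.0
[SiteB-Tunnel0/0/1] source GigabitEthernet 0/0/1
[SiteB-Tunnel0/0/1] destination 192.0.2.1
[SiteB-Tunnel0/0/1] tunnel pathmtu enable
[SiteB-Tunnel0/0/1] ipsec profile prof_gre
[SiteB-Tunnel0/0/1] quit
```

The source interface, rather than a source address, is specified on both sides, following the recommendation above: if the public address is reassigned, the IPSec profile binding survives, whereas changing source or destination later removes the applied profile and it must be re-applied (see Configuration Guidelines).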
- Configuring a Tunnel Template Interface
Run system-view
The system view is displayed.
Run interface tunnel-template interface-number
The tunnel template interface view is displayed.
Configure the IP address of the tunnel template interface.
Run ip address ip-address { mask | mask-length } [ sub ]
The IPv4 address of the tunnel template interface is configured.
Run ip address unnumbered interface interface-type interface-number
The tunnel template interface is configured to borrow an IP address from another interface.
You only need to run one of the preceding commands.
Run tunnel-protocol ipsec
The encapsulation mode of the tunnel template interface is set to IPSec.
Run source { [ vpn-instance vpn-instance-name ] source-ip-address | interface-type interface-number }
The source address or source interface is configured for the tunnel template interface.
If the source address of the tunnel template interface is dynamically obtained, you are advised to specify the source interface when running the source command. This prevents the impact of address change on the IPSec configuration.
(Optional) Run tunnel pathmtu enable
The device is enabled to learn the MTU of packets allowed on an IPSec tunnel.
By default, the device cannot learn the MTU of packets allowed on an IPSec tunnel.
Run ipsec profile profile-name
The IPSec profile is applied to a tunnel template interface so that data flows on the interface are protected by IPSec.
By default, no IPSec profile is applied to the tunnel template interface.
You can apply only one IPSec profile to a tunnel template interface. An IPSec profile can be applied to only one tunnel template interface.
When the number of IPSec tunnels on the device is larger than 50% of the maximum limit, running the undo ipsec profile command may cause a high CPU usage alarm for a short period. After all SAs are cleared, the CPU usage returns to the normal range.
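The following added example (constructed for this page, not from the configuration guide) combines both procedures in the hub-and-spoke scenario described in the Context: the headquarters uses a tunnel template interface as the responder, and a branch uses a tunnel interface whose address is requested through IKEv2 negotiation, plus a standby tunnel interface towards a second headquarters gateway. Device names, interface numbers, addresses, and the profile names prof_hub, prof_branch and prof_branch_bak are assumptions; the IPSec profiles are assumed to exist already, to reference IKEv2 IKE peers (a requirement for a tunnel template interface), and to have DPD enabled so that active/standby switching works.

```text
# Headquarters gateway 1 (assumed: GigabitEthernet0/0/1 carries 192.0.2.1,
# IPSec profile prof_hub references an IKEv2 peer)
<HQ1> system-view
[HQ1] interface tunnel-template 0
[HQ1-Tunnel-Template0] ip address unnumbered interface GigabitEthernet 0/0/1
[HQ1-Tunnel-Template0] tunnel-protocol ipsec
[HQ1-Tunnel-Template0] source GigabitEthernet 0/0/1
[HQ1-Tunnel-Template0] tunnel pathmtu enable
[HQ1-Tunnel-Template0] ipsec profile prof_hub
[HQ1-Tunnel-Template0] quit
# No destination is configured: the template only answers branch-initiated
# negotiation and spawns a virtual tunnel interface per branch.

# Branch gateway (assumed: GigabitEthernet0/0/1 has a dynamically assigned
# public address; prof_branch points at HQ1, prof_branch_bak at HQ2 at 192.0.2.2)
<Branch> system-view
[Branch] interface tunnel 0/0/1
[Branch-Tunnel0/0/1] tunnel-protocol ipsec
[Branch-Tunnel0/0/1] ip address ike-negotiated
[Branch-Tunnel0/0/1] source GigabitEthernet 0/0/1
[Branch-Tunnel0/0/1] destination 192.0.2.1
[Branch-Tunnel0/0/1] tunnel pathmtu enable
[Branch-Tunnel0/0/1] ipsec profile prof_branch
[Branch-Tunnel0/0/1] standby interface Tunnel 0/0/2 10
[Branch-Tunnel0/0/1] quit
[Branch] interface tunnel 0/0/2
[Branch-Tunnel0/0/2] tunnel-protocol ipsec
[Branch-Tunnel0/0/2] ip address ike-negotiated
[Branch-Tunnel0/0/2] source GigabitEthernet 0/0/1
[Branch-Tunnel0/0/2] destination 192.0.2.2
[Branch-Tunnel0/0/2] ipsec profile prof_branch_bak
[Branch-Tunnel0/0/2] quit
```

Two points from the procedures are visible here: the branch specifies its source by interface because its public address is dynamic, and the headquarters template borrows the physical interface address with ip address unnumbered, so the headquarters must distinguish branches by the IKE peer's remote address or ID rather than by a per-branch destination. The standby tunnel is not given the shared parameter, since shared cannot be combined with standby and applies only to mGRE tunnels.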
Configuration Guidelines
- The IPSec profile configuration applied to a tunnel interface is deleted if you modify the value of the parameter source or destination on the tunnel interface. Apply the IPSec profile to the tunnel interface again.
- If you modify the tunnel-protocol parameter of a tunnel interface, the IPSec policy group applied to the tunnel interface will be deleted. After the modification, apply an IPSec policy group to the tunnel interface again as required.
- The IPSec profile configuration applied to a tunnel template interface is deleted if you modify the value of the parameter source on the tunnel template interface. Apply the IPSec profile to the tunnel template interface again.
- To disable IPSec negotiation, you must run the shutdown command to shut down the corresponding physical interface but not the tunnel interface.