Establishing an IPSec Tunnel Manually; Establishing the Configuration Task - Huawei AR1200 series Configuration Manual


Huawei AR1200 Series Enterprise Routers
Configuration Guide - VPN
5 IPSec Configuration

  – Configuring the router as a PE and associating the VPN instance with the PE
    interface connected to the CE

• An IPSec tunnel established using an IPSec tunnel interface is based on routes. If the
  outbound interface in a route is the IPSec tunnel interface, IPSec protects the data flows
  forwarded along the route. The IPSec configuration takes effect after the configured IPSec
  profile is applied to the IPSec tunnel interface.

  The general process of establishing an IPSec tunnel using tunnel interfaces is as follows:
  1. Configure an IPSec proposal to specify the security protocol, authentication algorithm,
     encryption algorithm, and encapsulation mode.
  2. Configure an IKE peer.
  3. Configure an IPSec profile and bind it to an IPSec profile to protect data flows, IKE
     peer parameters, and SA lifetime.
  4. Apply the IPSec profile to the IPSec tunnel interface.

• When an IPSec tunnel is established using the Efficient VPN policy, only mandatory
  parameters, such as the IP address and pre-shared key, need to be configured on the remote
  device. Other parameters, such as the authentication and encryption algorithms used in IKE
  negotiation, and the IPSec proposal, are preconfigured on the server. When the remote
  device initiates IPSec tunnel negotiation, it sends its IKE capabilities, including the
  authentication algorithm and encryption algorithm, and the IPSec proposal it supports to the
  server. The server establishes an IPSec tunnel with the remote device according to the
  preconfigured IPSec tunnel parameters and those sent from the remote device.

  NOTE
  The Efficient VPN function is used with a license. To use the Efficient VPN function, apply for and purchase
  the following license from the Huawei local office:
  • AR1200 Value-Added Security Package

5.3 Establishing an IPSec Tunnel Manually

You can establish IPSec tunnels manually when the network topology is simple.

5.3.1 Establishing the Configuration Task

Before manually establishing an IPSec tunnel, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

Data flows must be authenticated to ensure data transmission security. In a high-security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.

Pre-configuration Tasks

Before establishing an IPSec tunnel manually, complete the following tasks:
• Setting parameters of the link-layer protocol for the interfaces to ensure that the link-layer
  protocol on the interfaces is Up
• Configuring routes between the source and the destination

Issue 01 (2012-04-20)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
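
The four-step tunnel-interface procedure on this page forms a dependency chain (proposal, IKE peer, profile, tunnel interface), and a break anywhere in it means the IPSec configuration does not take effect. The following added example, which is not from the Huawei manual, audits a constructed configuration for such breaks; the command keywords in the sample are assumed VRP-style syntax and are not taken from this page.

```python
# Constructed sample; command keywords are assumed VRP-style syntax, not taken from this page.
SAMPLE = """\
ipsec proposal prop1
ike peer branch1 v1
ipsec profile prof1
 ike-peer branch1
 proposal prop2
interface Tunnel0/0/0
 tunnel-protocol ipsec
 ipsec profile prof1
interface Tunnel0/0/1
 tunnel-protocol ipsec
"""

def parse_blocks(text):
    """Group each unindented header line with the indented lines under it."""
    blocks = []
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def names(blocks, prefix):
    """Map object name -> child lines for blocks whose header starts with prefix."""
    return {h[len(prefix):].split()[0]: b for h, b in blocks
            if h.startswith(prefix) and len(h) > len(prefix)}

def refs(body, keyword):
    """Names referenced by child lines of the form '<keyword> <name>'."""
    return [l[len(keyword):].split()[0] for l in body if l.startswith(keyword + " ")]

def audit(text):
    """Report breaks in the proposal -> IKE peer -> profile -> tunnel interface chain."""
    blocks = parse_blocks(text)
    defined = {"proposal": names(blocks, "ipsec proposal "), "ike-peer": names(blocks, "ike peer ")}
    profiles = names(blocks, "ipsec profile ")
    findings = []
    for prof, body in profiles.items():
        for kw, known in defined.items():
            got = refs(body, kw)
            if not got:
                findings.append(f"profile {prof}: no {kw} bound")
            findings += [f"profile {prof}: {kw} {n} is not defined" for n in got if n not in known]
    for intf, body in names(blocks, "interface Tunnel").items():
        if "tunnel-protocol ipsec" in body and not any(
                p in profiles for p in refs(body, "ipsec profile")):
            findings.append(f"Tunnel{intf}: no defined IPSec profile applied")
    return findings
```

Calling `audit(SAMPLE)` flags the profile that references an undefined proposal and the tunnel interface that has no profile applied.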
