Method used to establish an IPSec tunnel through PKI authentication on the AR

Huawei AR routers support IPSec tunnel setup through PKI authentication. This applies to AR models that run V200R002C00 or later.
For details about the configuration, see "Example for Configuring Two Devices to Pass PKI Identity Authentication Before Establishing an IPSec Tunnel" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

The preceding example describes how to apply for a certificate using PKI SCEP so that IPSec uses certificate authentication. If you have already obtained the certificate and want to import it to the device manually, perform the following steps:
1. Run the pki import rsa-key-pair { pem | pkcs12 } [ exportable ] [ password ] command to import the RSA key pair to the device memory.
2. Run the pki import-certificate { ca | local } realm { der | pkcs12 | pem } [ filename ] [ replace ] [ no-check-validate ] [ no-check-hash-alg ] command to import the CA or local certificate to the device memory.
3. Run the pki match-rsa-key certificate-filename command to check whether the local certificate has the required RSA key pair. If it does not, an incorrect RSA key pair or local certificate was imported, and you need to import the correct RSA key pair or local certificate.
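
The mismatch that step 3 detects can also be caught on a workstation before the files are imported. The script below is an added example, not part of Huawei's procedure: it uses OpenSSL to compare the public key in a PEM local certificate with the one derived from a PEM RSA private key. The function names, file names and generated sample key pair and certificate are constructed for illustration, and the key file is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: check on a workstation that a PEM local certificate and a
# PEM RSA private key belong together before importing them to the device.
# Assumes OpenSSL is installed and the key file is not password-protected.

# Public key (SubjectPublicKeyInfo PEM) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (same PEM form) derived from a private key.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 = match, 1 = mismatch, 2 = a file could not be parsed.
# Comparing the PEM text, not a hash of a pipeline, keeps an OpenSSL
# failure from looking like two equal (empty) inputs.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample material: a self-signed certificate with its key,
# plus an unrelated key that stands in for the wrong key pair.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=ar-local.example" \
        -keyout "$SAMPLE_DIR/local.key" -out "$SAMPLE_DIR/local.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$SAMPLE_DIR/other.key" 2>/dev/null
}

make_samples
for key in local.key other.key; do
    rc=0
    cert_matches_key "$SAMPLE_DIR/local.pem" "$SAMPLE_DIR/$key" || rc=$?
    case $rc in
        0) echo "$key: matches local.pem" ;;
        1) echo "$key: does NOT match local.pem" ;;
        *) echo "$key: could not be read" ;;
    esac
done
rm -rf "$SAMPLE_DIR"
```

A result of 1 for the files you intend to import means the key pair and local certificate do not belong together, which is the condition step 3 reports on the device.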

