Configuring automatic triggering of IPSec VPN on the firewall

Configuring automatic IPSec triggering (automatic negotiation) on the USG
The auto-neg option can be configured when an IPSec tunnel is established in non-template mode. It indicates that the IPSec tunnel is established through automatic negotiation. If this option is not selected, the tunnel is established only when traffic triggers the negotiation.
When a tunnel is established in template mode, the end configured with the template cannot proactively initiate the negotiation. If the non-template end sends no traffic, the tunnel fails to be established. In this case, you can configure the auto-neg command on the non-template end to enable the IPSec auto-negotiation function. After auto-neg is configured on the non-template end, the system immediately checks the data flows one by one. If no traffic is being transmitted, the non-template end proactively sends a negotiation request to the template end and establishes the IPSec tunnel. The check is repeated at a fixed interval (far shorter than the SA lifetime) to ensure that all tunnels in the system remain in the established state.
Configuration example
Apply an IPSec policy group named policy1 to GigabitEthernet 0/0/3 and proactively initiate a tunnel connection.
system-view
[sysname] interface GigabitEthernet 0/0/3
[sysname-GigabitEthernet0/0/3] ipsec policy policy1 auto-neg