Can the branch AR with dynamic addresses be configured with DSVPN


A branch AR with a dynamic address can be configured with DSVPN. When branches use dynamic addresses to access the public network, DSVPN can dynamically establish Spoke-Spoke tunnels for direct communication between the branches.
For details, see AR150&AR160&AR200&AR510&AR1200&AR2200&AR3200 Typical Configuration Examples.

Other related questions:
How to configure AR routers in branches to use a domain name to access the headquarters through DSVPN
In the figure on the right, the branch and headquarters access the Internet through PPPoE dialup, and the branch uses the domain name to access the headquarters through DSVPN. Assume that the public network route is reachable. The following describes only key configurations.

1. Configure Spoke1. The configuration of Spoke2 is similar to that of Spoke1, and is not mentioned here.

    interface Dialer1  //Configure a dialer interface.
     link-protocol ppp
     ppp chap user user@huawei.com  //Configure CHAP authentication.
     ppp chap password cipher huawei@123  //Set the CHAP authentication password to huawei@123.
     ip address ppp-negotiate
     dialer user huawei  //Configure the peer user name for the dialer interface.
     dialer bundle 1  //Configure a dialer bundle for the dialer interface.
     dialer-group 1  //Configure a dialer access group.
    #
    interface Tunnel0/0/0  //Configure a DSVPN tunnel interface.
     ip address 10.16.1.2 255.255.255.0
     tunnel-protocol gre p2mp
     source dialer 1  //Configure the dialer interface as the source interface.
     ospf network-type broadcast
     nhrp entry 10.16.1.1 www.123.com register  //Configure an NHRP mapping table.
    #
    interface GigabitEthernet1/0/0
     pppoe-client dial-bundle-number 1  //Configure the PPPoE client to use dialer bundle 1.
    #
    dialer-rule  //Configure a dialer ACL.
     dialer-rule 1 ip permit
    #
    ip route-static 0.0.0.0 0.0.0.0 dialer1  //Configure a default route pointing to the dialer interface.

2. Configure the hub.

    dns resolve  //Enable the dynamic DNS (DDNS) function.
    dns server 2.1.1.1  //Configure an IP address for the DNS server.
    #
    interface Dialer1
     link-protocol ppp
     ppp chap user user@huawei.com
     ppp chap password cipher huawei@123
     ip address ppp-negotiate
     dialer user huawei
     dialer bundle 1
     dialer-group 1
     ddns apply policy mypolicy  //Bind the DDNS policy to the interface.
    #
    ddns policy mypolicy  //Specify the URL in a DDNS update request. The user name is steven and the password is nevets@123.
     url "http://:@members.3322.org/dyndns/update?system=dyndns&hostname=&ip=" username steven password nevets@123
    #
    interface Tunnel0/0/0
     ip address 10.16.1.1 255.255.255.0
     tunnel-protocol gre p2mp
     source dialer 1
     ospf network-type broadcast
     nhrp entry multicast dynamic
    #
    interface GigabitEthernet1/0/0
     pppoe-client dial-bundle-number 1
    #
    dialer-rule
     dialer-rule 1 ip permit
    #
    ip route-static 0.0.0.0 0.0.0.0 dialer1

Does the AR support DSVPN
Starting from V200R002C00, all models of the AR support DSVPN. For details, see AR150&AR160&AR200&AR510&AR1200&AR2200&AR3200 Typical Configuration Examples.

Can the interface on the AR be configured with IPSec when it dynamically obtains an IP address
The interface can be configured with IPSec when it dynamically obtains an IP address. When the local interface is configured with a dynamic IP address and the remote interface is configured with a fixed IP address, you can configure an IPSec policy template on the remote end to implement IPSec. The 3G interface is used as an example. IKE negotiation is used. The key configuration is as follows:

Interface with a dynamic IP address

    #
    ike peer peer_3g_1 v1
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Set the preshared key to huawei.
     remote-address 10.5.39.160  //Specify the fixed IP address for the remote end.
    #
    ipsec proposal ipsec  //Use default security parameters.
    #
    ipsec policy ipsec 1 isakmp  //Configure an IPSec policy.
     security acl 3000
     ike-peer peer_3g_1
     proposal ipsec
    #
    interface Cellular0/0/0
     ipsec policy ipsec  //Apply the IPSec policy to the 3G interface. Other configurations of the 3G interface are not mentioned.
    #
    acl 3000  //Configure an ACL. IPSec protects the packets matching the ACL.
     ...
    #

Interface with a fixed IP address

    #
    ipsec proposal ipsec
    #
    ike peer peer_3g_2 v1  //The remote interface is configured with a dynamic IP address, so there is no need to specify an IP address for the remote interface.
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#  //Set the pre-shared key to huawei.
    #
    ipsec policy-template temp 1  //Configure an IPSec policy template.
     ike-peer peer_3g_2
     proposal ipsec
    #
    ipsec policy ipsec 1 isakmp template temp  //Bind the IPSec policy to the IPSec policy template.
    #
    interface GigabitEthernet 1/0/0  //The interface uses a fixed IP address.
     ipsec policy ipsec
     ip address 10.5.39.160 255.255.255.255
    #
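The DSVPN and IPSec answers above show secrets both as typed (huawei@123, nevets@123) and in the wrapped %^%#...%^%# form, a DDNS update URL over http, and IKE peers pinned to v1. The following check for configuration templates is an added example, not Huawei code or part of the original page; the rule names, the audit function and the treatment of %^%#...%^%# as the stored encrypted form are assumptions of this example.

```python
import re

# Assumption: the %^%#...%^%# wrapper seen on the page marks a stored, encrypted value.
WRAPPED = re.compile(r"^%\^%#.+%\^%#$")
SECRET = re.compile(r"\b(password|pre-shared-key)\s+(?:(?:cipher|simple)\s+)?(\S+)")
HTTP_URL = re.compile(r'\burl\s+"?http://', re.IGNORECASE)
IKEV1_PEER = re.compile(r"^\s*ike peer \S+ v1\b")

# Constructed sample assembled from lines in the answers above. The wrapped
# value is a made-up placeholder, not a real key.
SAMPLE_CONFIG = '''interface Dialer1
 ppp chap user user@huawei.com
 ppp chap password cipher huawei@123
ike peer peer_3g_1 v1
 pre-shared-key cipher %^%#CONSTRUCTED-PLACEHOLDER%^%#
ddns policy mypolicy
 url "http://:@members.3322.org/dyndns/update?system=dyndns&hostname=&ip=" username steven password nevets@123
'''


def audit(config_text):
    """Return (line_number, rule, detail) findings; secret values are never echoed."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split(" //", 1)[0].rstrip()  # drop the page-style inline comment
        secret = SECRET.search(line)
        if secret and not WRAPPED.match(secret.group(2)):
            findings.append((number, "plaintext-secret", secret.group(1)))
        if HTTP_URL.search(line):
            findings.append((number, "http-update-url", "credentials sent without TLS"))
        if IKEV1_PEER.match(line):
            findings.append((number, "ikev1-peer", "IKEv1 is deprecated by RFC 9395"))
    return findings


if __name__ == "__main__":
    for number, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {number}: {rule} ({detail})")
```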

How are IP addresses that cannot be dynamically allocated configured on an AR
During network planning, some IP addresses in the address pool may already be used by servers or other hosts, or some clients may need to be configured with specified IP addresses only. These IP addresses must be excluded from dynamic allocation in the address pool to prevent IP address conflicts. Assume that IP addresses in the range of 10.10.10.11 to 10.10.10.20 cannot be dynamically allocated. The configuration on the AR is as follows:

- Based on the interface address pool:

    [Huawei] dhcp enable
    [Huawei] interface gigabitethernet 1/0/1  //Enter the view of the AR interface connected to the DHCP client.
    [Huawei-GigabitEthernet1/0/1] undo portswitch
    [Huawei-GigabitEthernet1/0/1] ip address 10.10.10.10 24
    [Huawei-GigabitEthernet1/0/1] dhcp select interface
    [Huawei-GigabitEthernet1/0/1] dhcp server excluded-ip-address 10.10.10.11 10.10.10.20

- Based on the global address pool:

    [Huawei] dhcp enable
    [Huawei] interface gigabitethernet 1/0/1  //Enter the view of the AR interface connected to the DHCP client.
    [Huawei-GigabitEthernet1/0/1] undo portswitch
    [Huawei-GigabitEthernet1/0/1] ip address 10.10.10.10 24
    [Huawei-GigabitEthernet1/0/1] dhcp select global
    [Huawei-GigabitEthernet1/0/1] quit
    [Huawei] ip pool global1
    [Huawei-ip-pool-global1] network 10.10.10.0 mask 24
    [Huawei-ip-pool-global1] excluded-ip-address 10.10.10.11 10.10.10.20
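To confirm that an exclusion range actually covers every statically addressed host in the pool, the following added example (not part of the original page or of Huawei's tooling) recomputes what the server can still lease from the values above. The static host list is constructed for illustration, and the example assumes the server never leases its own interface address.

```python
import ipaddress


def excluded_addresses(ranges):
    """Expand (start, end) pairs, as passed to excluded-ip-address, into a set."""
    blocked = set()
    for start, end in ranges:
        low, high = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if high < low:
            raise ValueError(f"range {start}-{end} is reversed")
        blocked.update(ipaddress.ip_address(i) for i in range(int(low), int(high) + 1))
    return blocked


def leasable(network, interface_ip, ranges):
    """Addresses the server may still hand out.

    Assumption: the server never leases its own interface address.
    """
    blocked = excluded_addresses(ranges) | {ipaddress.ip_address(interface_ip)}
    return [host for host in ipaddress.ip_network(network).hosts() if host not in blocked]


def unprotected_static_hosts(network, interface_ip, ranges, static_hosts):
    """Static hosts inside the pool that no exclusion covers (conflict risk)."""
    pool = set(leasable(network, interface_ip, ranges))
    exposed = [ipaddress.ip_address(h) for h in static_hosts if ipaddress.ip_address(h) in pool]
    return [str(h) for h in sorted(exposed)]


# Values from the answer above; the static host list is constructed for illustration.
NETWORK, INTERFACE_IP = "10.10.10.0/24", "10.10.10.10"
EXCLUDED = [("10.10.10.11", "10.10.10.20")]
STATIC_HOSTS = ["10.10.10.15", "10.10.10.21", "10.10.10.200", "192.168.1.5"]

if __name__ == "__main__":
    print(len(leasable(NETWORK, INTERFACE_IP, EXCLUDED)), "addresses remain leasable")
    print("not covered by an exclusion:",
          unprotected_static_hosts(NETWORK, INTERFACE_IP, EXCLUDED, STATIC_HOSTS))
```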
