Method used to configure IPSec between the headquarters and branches on the AR


Huawei AR routers support IPSec tunnel for implementing interconnection between the headquarters and branches.
For details about the configuration, see IPSec under "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.
The point-to-multipoint IPSec cases are as follows:
- Example for Establishing Multiple IPSec Tunnels Between the Headquarters and Branches Using the IPSec Policy Template
- Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters
- Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)
- Example for Establishing IPSec over DSVPN Tunnels Between Hub and Spokes (Based on ACL)
- Example for Establishing an IPSec Tunnel In Manual and IKE Negotiation Modes
- Example for Configuring IPSec Reverse Route Injection

Other related questions:
Method used to configure an IPSec tunnel on the AR for mutual access between branches
There are two ways of implementing communication between branches on Huawei AR routers.
1. Branches communicate with each other directly. In this case, configure IPSec and DSVPN to implement communication between branches (not supported by the AR510). For details, see "Example for Configuring IPSec-based DSVPN" of "DSVPN Configuration" in Configuration Guide - VPN.
2. Branches communicate with each other through the headquarters. For details, see "Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Method used to configure IPSec on the 3G interface of the AR
Huawei AR series routers can dynamically obtain IP addresses from a service provider to access the public network through a 3G interface, and establish IPSec connections with the headquarters. This function applies to V200R002C00 and later versions and all models of the AR. For details, see Typical Configuration Examples.

How to configure AR routers in branches to use a domain name to access the headquarters through DSVPN
In the figure on the right, the branch and headquarters access the Internet through PPPoE dialup, and the branch uses the domain name to access the headquarters through DSVPN. Assume that the public network route is reachable. The following describes only key configurations.
1. Configure Spoke1. The configuration of Spoke2 is similar to that of Spoke1 and is not described here.
interface Dialer1 //Configure a dialer interface.
 link-protocol ppp
 ppp chap user user@huawei.com //Configure CHAP authentication.
 ppp chap password cipher huawei@123 //Set the CHAP authentication password to huawei@123.
 ip address ppp-negotiate
 dialer user huawei //Configure the peer user name for the dialer interface.
 dialer bundle 1 //Configure a dialer bundle for the dialer interface.
 dialer-group 1 //Configure a dialer access group.
#
interface Tunnel0/0/0 //Configure a DSVPN tunnel interface.
 ip address 10.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source dialer 1 //Configure the dialer interface as the source interface.
 ospf network-type broadcast
 nhrp entry 10.16.1.1 www.123.com register //Configure an NHRP mapping table using the hub's domain name.
#
interface GigabitEthernet1/0/0
 pppoe-client dial-bundle-number 1 //Configure the PPPoE client to use dialer bundle 1.
#
dialer-rule //Configure a dialer ACL.
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Configure a default route pointing to the dialer interface.
2. Configure the hub.
dns resolve //Enable dynamic domain name resolution.
dns server 2.1.1.1 //Configure an IP address for the DNS server.
#
interface Dialer1
 link-protocol ppp
 ppp chap user user@huawei.com
 ppp chap password cipher huawei@123
 ip address ppp-negotiate
 dialer user huawei
 dialer bundle 1
 dialer-group 1
 ddns apply policy mypolicy //Bind the DDNS policy to the interface.
#
ddns policy mypolicy //Specify the URL in a DDNS update request. The user name is steven and the password is nevets@123.
 url "http://:@members.3322.org/dyndns/update?system=dyndns&hostname=&ip=" username steven password nevets@123
#
interface Tunnel0/0/0
 ip address 10.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source dialer 1
 ospf network-type broadcast
 nhrp entry multicast dynamic
#
interface GigabitEthernet1/0/0
 pppoe-client dial-bundle-number 1
#
dialer-rule
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1

Method used to set up an IPSec tunnel between two ARs that both use PPPoE dialup
Huawei AR routers support an IPSec tunnel between two ARs that both use PPPoE dialup. For details about the configuration, see "5.4.6 Example for Configuring an IPSec Tunnel for Remote Dial-Up Users to Connect to the Headquarters" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

How to obtain the routes of branch private networks when the AR is configured with IPSec and the headquarters has multiple egresses
When the headquarters connects to multiple branches, route selection must be considered, and the private network routes of the branches must be obtained. Static routes can be configured, but static route configuration becomes complex when there are many branches: each time a branch is added, a static route must be added on the headquarters network, which is inconvenient to maintain.
On the headquarters, you can run the route inject command to configure route injection, which can be static or dynamic.
- When static route injection is enabled, the route generated through the route injection function is added to the local device, and the route status does not change with the tunnel status.
- When dynamic route injection is enabled, the route generated through the route injection function is added to the local device when the IPSec tunnel is Up and deleted when the IPSec tunnel is Down.
Compared with static route injection, dynamic route injection associates the generated route with the IPSec tunnel status. When the IPSec tunnel is Down, the AR does not send traffic to the remote end through the IPSec tunnel, preventing traffic loss.

Set the priority of a route generated through dynamic route injection to 10.
<Huawei> system-view
[Huawei] ipsec policy policy1 10 isakmp //Enter the view of IPSec policy policy1 with sequence number 10, created in IKE negotiation mode.
[Huawei-ipsec-policy-isakmp-policy1-10] route inject dynamic preference 10 //Enable dynamic route injection; the injected route follows the tunnel status and has preference 10.
