Does the IPsec VPN Support Automatic Negotiation?




The IPsec VPN tunnel works in passive mode, which triggers automatic negotiation only when traffic sent by the local end passes through the tunnel.



Other related questions:
Configuring automatic triggering of IPSec VPN on the firewall
Configuring automatic IPSec triggering (automatic negotiation) on the USG

The auto-neg option can be configured when an IPSec tunnel is established in non-template mode. It indicates that the IPSec tunnel is established through auto-negotiation. If this option is not selected, traffic triggers the establishment of the IPSec tunnel.

When a tunnel is established in template mode, the end configured with the template cannot proactively initiate the negotiation. In this case, if the non-template end does not send traffic, the tunnel fails to be established. You can then configure the auto-neg command on the non-template end to enable the IPSec auto-negotiation function.

After auto-neg is configured on the non-template end, the system immediately checks data flows one by one. The non-template end proactively sends a negotiation request to the template end when no traffic is transmitted, and establishes an IPSec tunnel. The check is performed at a certain interval (far smaller than the SA lifetime) to ensure that all tunnels in the system are in the established state.

Configuration example

Apply an IPSec policy group named policy1 to GigabitEthernet 0/0/3 and proactively initiate a tunnel connection.

    <sysname> system-view
    [sysname] interface GigabitEthernet 0/0/3
    [sysname-GigabitEthernet0/0/3] ipsec policy policy1 auto-neg

IPSec VPN
IPsec VPN is an encrypted tunneling technology that uses encrypted security services to establish confidential and secure communication tunnels between different networks.

IPSec support by AR series routers
Huawei AR series routers support IPSec. Among them, the AR502EG-L, AR502EGW-L, and AR550C-2C6GE do not support Efficient VPN.

To support the IPSec protocol standard regulated by the State Cryptography Administration, the AR must have a Network Data Encryption (NDE) card or high-performance Network Data Encryption card installed in a SIC slot. Efficient VPN does not support the IPSec protocol standard regulated by the State Cryptography Administration.

The AR510 does not support the IPSec tunnel that is established using an ACL or a virtual tunnel interface. It supports only the IPSec tunnel that is established using Efficient VPN and can only be used as a remote device.

The Efficient VPN function requires a license. To use the Efficient VPN function, apply for and purchase the following license from the Huawei local office:

- AR150&AR160&AR200&AR150-S&AR160-S&AR200-S: AR150&160&200 value-added service package for security services
- AR1200&AR1200-S: AR1200 value-added service package for security services
- AR2200&AR2200-S: AR2200 value-added service package for security services
- AR3200&AR3200-S: AR3200 value-added service package for security services
- AR3600: AR3600 value-added service package for security services
- AR531-2C-H and AR531-F2C-H: AR530 value-added router package
- AR550: AR550 value-added service package for routing services

Note: The IPSec function can be used without a license on the AR120, AR503, AR509, and AR510 series, AR531GPe-U-H, AR531GR-U-H, AR531G-U-D-H, AR100-S, AR110-S, AR120-S series, and AR2500 series. In V200R007C00, the AR150-S, AR160-S, AR200-S, and AR1200-S do not require a license. In V200R008 and later versions, the AR150-S series, AR160-S series, AR200-S series, and AR1200-S series do not require a license.

For details on how to apply for a license, see the License Request guide.

Whether the firewall supports the IPSec VPN license
Support of the IPSec VPN license on the USG

IPSec license control on the USG:

1. If the license is not activated on the USG5300, the IPSec function, web UI, and CLI are unavailable. After a commercial license is purchased and activated, a maximum of 15,000 tunnels are supported.
2. There is no description about IPSec license control on the USG2000&5000. Therefore, no license is required.
3. There is no description about IPSec license control on the USG6000. Therefore, no license is required by default.
