Configuration guide vpn(v200 r002c00-02)

Huawei AR150&200 Series Enterprise Routers
V200R002C00
Configuration Guide - VPN
Issue 02
Date 2012-03-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2012-03-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
i

About This Document
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the VPN supported by the AR150/200 device.
This document describes how to configure the VPN.
This document is intended for:
l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
DANGER
Indicates a hazard with a high level of risk, which if not
avoided, will result in death or serious injury.
WARNING
Indicates a hazard with a medium or low level of risk, which
if not avoided, could result in minor or moderate injury.
CAUTION
Indicates a potentially hazardous situation, which if not
avoided, could result in equipment damage, data loss,
performance degradation, or unexpected results.
TIP Indicates a tip that may help you solve a problem or save
time.
NOTE Provides additional information to emphasize or supplement
important points of the main text.
Configuration Guide - VPN About This Document
ii

Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[ ] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by vertical
bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by vertical
bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by vertical
bars. A minimum of one item or a maximum of all items can be
selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical
bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is comments.
Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Changes in Issue 02 (2012-03-30)
Based on issue 01 (2011-12-30), the document is updated as follows:
The following information is modified:
l 5.4 Managing SSL VPN Users
l Example for Configuring the SSL VPN Gateway
Changes in Issue 01 (2011-12-30)
Initial commercial release.
Configuration Guide - VPN About This Document
iii

Contents
About This Document.....................................................................................................................ii
1 GRE Configuration.......................................................................................................................1
1.1 Introduction to GRE...........................................................................................................................................2
1.2 GRE Features Supported by the AR150/200......................................................................................................2
1.3 Configuring GRE................................................................................................................................................3
1.3.1 Establishing the Configuration Task.........................................................................................................3
1.3.2 Configuring a Tunnel Interface.................................................................................................................4
1.3.3 Configuring Routes for the Tunnel............................................................................................................5
1.3.4 (Optional) Configuring GRE Security Options.........................................................................................6
1.3.5 Checking the Configuration.......................................................................................................................7
1.4 Configuring the Keepalive Function..................................................................................................................8
1.4.1 Establishing the Configuration Task.........................................................................................................8
1.4.2 Enabling the Keepalive Function..............................................................................................................9
1.4.3 Checking the Configuration.....................................................................................................................10
1.5 Maintaining GRE..............................................................................................................................................11
1.5.1 Resetting the Statistics of a Tunnel Interface..........................................................................................11
1.5.2 Monitoring the Running Status of GRE..................................................................................................11
1.5.3 Debugging GRE......................................................................................................................................12
1.6 Configuration Examples...................................................................................................................................12
1.6.1 Example for Configuring a Static Route for GRE...................................................................................12
1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE...........................................................17
1.6.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec........20
1.6.4 Example for Configuring the CE to Access a VPN Through a GRE Tunnel of the Public Network
..........................................................................................................................................................................27
1.6.5 Example for Configuring the Keepalive Function for GRE....................................................................34
2 L2TP Configuration.....................................................................................................................38
2.1 L2TP Overview................................................................................................................................................39
2.1.1 Introduction to L2TP...............................................................................................................................39
2.1.2 L2TP Features Supported by the AR150/200..........................................................................................39
2.2 Configuring Basic L2TP Functions..................................................................................................................40
2.2.1 Establishing the Configuration Task.......................................................................................................40
2.2.2 Configuring Basic L2TP Capability........................................................................................................41
2.3 Configuring LAC..............................................................................................................................................42
Configuration Guide - VPN Contents
iv

2.3.2 Configuring an L2TP Connection on LAC Side.....................................................................................43
2.3.3 (Optional) Configuring LAC Auto-Dial..................................................................................................43
2.3.4 (Optional) Configuring Local Authentication on LAC Side...................................................................45
2.3.5 (Optional) Configuring RADIUS Authentication on LAC Side.............................................................45
2.4 Configuring LNS..............................................................................................................................................48
2.4.2 Configuring an L2TP Connection on LNS..............................................................................................50
2.4.3 (Optional) Configuring User Authentication on LNS.............................................................................51
2.4.4 Allocating Addresses to Access Users....................................................................................................52
2.5 Adjusting L2TP Connection.............................................................................................................................53
2.5.2 Configuring Security Options for L2TP Connection..............................................................................54
2.5.3 Configuring L2TP Connection Parameters.............................................................................................55
2.6 Maintaining L2TP.............................................................................................................................................56
2.6.1 Disconnecting a Tunnel Forcibly............................................................................................................56
2.6.2 Monitoring the Running Status of L2TP.................................................................................................56
2.6.3 Debugging L2TP Information.................................................................................................................57
2.7 Configuration Examples...................................................................................................................................57
2.7.1 Example for Configuring NAS-Initialized VPNs (Domain Name Access)............................................57
2.7.2 Example for Configuring NAS-Initialized VPNs (Dialup Access).........................................................62
2.7.3 Example for Configuring Client-Initialized VPNs..................................................................................65
2.7.4 Example for Configuring LAC-Auto-Initiated VPN...............................................................................68
3 IPSec Configuration....................................................................................................................72
3.1 IPSec Overview................................................................................................................................................74
3.2 IPSec Features Supported by the AR150/200..................................................................................................75
3.3 Establishing an IPSec Tunnel Manually...........................................................................................................76
3.3.2 Defining Protected Data Flows................................................................................................................77
3.3.3 Configuring an IPSec Proposal................................................................................................................78
3.3.4 Configuring an IPSec Policy...................................................................................................................78
3.3.5 Applying an IPSec Policy to an Interface................................................................................................80
3.4 Establishing an IPSec Tunnel Through IKE Negotiation.................................................................................81
3.4.2 Defining Protected Data Flows................................................................................................................82
3.4.3 (Optional) Configuring an IKE Proposal.................................................................................................83
3.4.4 Configuring an IKE Peer.........................................................................................................................84
3.4.5 Configuring an IPSec Proposal................................................................................................................86
3.4.6 Configuring an IPSec Policy...................................................................................................................87
v

3.4.7 Configuring an IPSec Policy Template...................................................................................................88
3.4.8 (Optional) Setting Optional Parameters..................................................................................................89
3.4.9 (Optional) Configuring Route Injection..................................................................................................91
3.4.10 Applying an IPSec policy to an interface..............................................................................................91
3.4.11 Checking the Configuration...................................................................................................................92
3.5 Establishing an IPSec Tunnel Using an IPSec Tunnel Interface......................................................................92
3.5.2 Configuring an IPSec Profile...................................................................................................................93
3.5.3 Configuring an IPSec Tunnel Interface...................................................................................................94
3.6 Establishing an IPSec Tunnel Using the Efficient VPN Policy.......................................................................96
3.6.2 Configuring Client Mode.........................................................................................................................97
3.6.3 Configuring Network Mode..................................................................................................................100
3.6.4 Verifying the Configuration..................................................................................................................103
3.7 Maintaining IPSec..........................................................................................................................................103
3.7.1 Displaying the IPSec Configuration......................................................................................................103
3.7.2 Clearing IPSec Information...................................................................................................................104
3.8 Configuration Examples.................................................................................................................................104
3.8.1 Example for Establishing an SA Manually...........................................................................................105
3.8.2 Example for Configuring IKE Negotiation Using Default Settings......................................................109
3.8.3 Example for Configuring IKE Negotiation...........................................................................................114
3.8.4 Example for Establishing an IPSec Tunnel Using an IPSec Tunnel Interface......................................121
3.8.5 Example for Establishing an SA Using Efficient VPN in Client Mode................................................125
3.8.6 Example for Establishing an SA Using Efficient VPN in Network Mode............................................130
4 DSVPN Configuration.............................................................................................................134
4.1 DSVPN Overview..........................................................................................................................................135
4.2 DSVPN Features Supported by the AR150/200.............................................................................................135
4.3 Configuring DSVPN.......................................................................................................................................136
4.3.1 Establishing the Configuration Task.....................................................................................................136
4.3.2 Configuring MGRE...............................................................................................................................137
4.3.3 Configuring Tunnel Routes...................................................................................................................137
4.3.4 Configuring NHRP on a Branch............................................................................................................138
4.3.5 Configuring NHRP on the Central Office.............................................................................................139
4.3.6 (Optional) Configuring an IPSec Profile...............................................................................................140
4.4 Maintaining DSVPN.......................................................................................................................................142
4.4.1 Displaying the DSVPN Configuration..................................................................................................142
4.4.2 Clearing DSVPN Statistics....................................................................................................................142
4.5.1 Example for Configuring DSVPN When Branches Learn Routes from Each Other............................143
vi

4.5.2 Example for Configuring DSVPN When Branches Have Only Summarized Routes to the Central Office
........................................................................................................................................................................148
5 SSL VPN Configuration...........................................................................................................153
5.1 SSL VPN Overview........................................................................................................................................154
5.2 SSL VPN Features Supported by the AR150/200..........................................................................................155
5.3 Configuring Basic SSL VPN Functions.........................................................................................................156
5.3.2 Creating a Virtual Gateway...................................................................................................................157
5.3.3 Configuring Intranet and Extranet Interfaces........................................................................................157
5.3.4 Binding an AAA Domain to the Virtual Gateway................................................................................158
5.3.5 Enabling Basic SSL VPN Functions.....................................................................................................159
5.4 Managing SSL VPN Users.............................................................................................................................160
5.5 Configuring SSL VPN Services.....................................................................................................................162
5.5.2 Creating a Virtual Gateway...................................................................................................................163
5.5.3 Configuring the Web Proxy Service......................................................................................................163
5.5.4 Configuring the Port Forwarding Service.............................................................................................164
5.5.5 Configuring the IP Forwarding Service.................................................................................................165
5.6.1 Example for Configuring the SSL VPN Gateway.................................................................................167
vii

1GRE Configuration
About This Chapter
Generic Routing Encapsulation (GRE) encapsulates the packets of certain network layer
protocols so that the encapsulated packets can be transmitted over the IPv4 network.
1.1 Introduction to GRE
The transmission of packets in a Generic Routing Encapsulation (GRE) tunnel involves two
processes: encapsulation and decapsulation. After receiving a packet of a certain network layer
protocol that needs to be encapsulated and routed, the system adds a GRE header to the packet,
and encapsulates the packet into a packet of another protocol, such as IP.
1.2 GRE Features Supported by the AR150/200
GRE features supported by the AR150/200 include the following: enlargement of the operation
scope of the network running a hop-limited protocol, and working in conjunction with the IP
Security Protocol (IPSec) to compensate for the IPSec flaw in multicast data protection.
1.3 Configuring GRE
You can configure GRE only after a GRE tunnel is configured.
1.4 Configuring the Keepalive Function
Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel
Keepalive function. With this function enabled, the VPN does not select the GRE tunnel that
cannot reach the remote end, and data loss can be avoided.
1.5 Maintaining GRE
This section describes how to reset the statistics of a tunnel interface and monitor the GRE
running status.
1.6 Configuration Examples
Familiarize yourself with the configuration procedures against the networking diagrams. This
section provides networking requirements, configuration notes, and configuration roadmap in
configurations examples.
Configuration Guide - VPN 1 GRE Configuration
1

1.1 Introduction to GRE
The transmission of packets in a Generic Routing Encapsulation (GRE) tunnel involves two
processes: encapsulation and decapsulation. After receiving a packet of a certain network layer
protocol that needs to be encapsulated and routed, the system adds a GRE header to the packet,
and encapsulates the packet into a packet of another protocol, such as IP.
GRE encapsulates the packets of certain network layer protocols. After encapsulation, these
packets can be transmitted over the network by another network layer protocol, such as IP.
GRE can serve as a Layer 3 tunneling protocol for VPNs. A tunnel is a virtual point-to-point
connection and can be regarded as a virtual interface that supports only point-to-point
connections. This interface provides a path to transmit encapsulated datagrams. GRE
encapsulates and decapsulates datagrams at both ends of the tunnel.
1.2 GRE Features Supported by the AR150/200
GRE features supported by the AR150/200 include the following: enlargement of the operation
scope of the network running a hop-limited protocol, and working in conjunction with the IP
Security Protocol (IPSec) to compensate for the IPSec flaw in multicast data protection.
Enlarging the Operation Scope of the Network Running a Hop-Limited Protocol
If the hop count between two terminals in Figure 1-1 is more than 15, the two terminals cannot
communicate with each other.
Figure 1-1 Networking diagram of enlarged network operation scope
IP
network
IP
network
IP
network
PC PC
Tunnel
When the tunnel is used in the network, a few hops are hidden. This enlarges the scope of the
network operation.
Working in Combination with IPSec to Compensate for the IPSec Flaw in Multicast
Data Protection
Based on GRE, multicast data can be encapsulated and transmitted in the GRE tunnel. Based on
IPSec, only the unicast data can realize encrypted protection.
2

Figure 1-2 Networking diagram of GRE-IPSec tunnel application
IPSec tunnel
GRE tunnel
Internet
Corporate
intranet
Remote
office
network
As shown in Figure 1-2, if the multicast data is transmitted in the IPSec tunnel, establish the
GRE tunnel and encapsulate the multicast data with GRE. Then encrypt the encapsulated
multicast data with IPSec. When these tasks are performed, the encrypted multicast data can be
transmitted in the IPSec tunnel.
1.3 Configuring GRE
You can configure GRE only after a GRE tunnel is configured.
1.3.1 Establishing the Configuration Task
Before configuring a GRE tunnel, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration.
Applicable Environment
To set up a GRE tunnel, create a tunnel interface first, and configure the GRE functions on the
tunnel interface. If the tunnel interface is deleted, all the configurations on the interface are
deleted.
Pre-configuration Tasks
Before configuring an ordinary GRE tunnel, complete the following task:
l Configuring reachable routes between the source and destination interfaces
Data Preparation
To configure an ordinary GRE tunnel, you need the following data.
No. Data
1 Number of the tunnel interface
2 Source address and destination address of the tunnel
3

No. Data
3 IP address of the tunnel interface
4 Key of the tunnel interface
1.3.2 Configuring a Tunnel Interface
After creating a tunnel interface, specify GRE as the encapsulation type, set the tunnel source
address or source interface, and set the tunnel destination address. In addition, set the tunnel
interface network address so that the tunnel can support dynamic routing protocols.
Context
Perform the following steps on the routers at the two ends of a tunnel.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
A tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
tunnel-protocol gre
The tunnel is encapsulated with GRE.
Step 4 Run:
source { source-ip-address | interface-type interface-number }
The source address or source interface of the tunnel is configured.
NOTE
l The virtual IP address of the VRRP backup group can be configured as the source address of the GRE
tunnel.
l The bridge-if interface can not be configured as the source interface of the GRE tunnel.
The source interface of the tunnel cannot be the interface of the tunnel, but can be specified as
the interface of another tunnel.
Step 5 Run:
destination ip-address
The destination address of the tunnel is configured.
Step 6 (Optional) Run:
mtu mtu
The Maximum Transmission Unit (MTU) of the tunnel interface is modified.
4

The new MTU takes effect only after you run the shutdown command and the undo
shutdown command on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
l Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
address of the tunnel interface.
l Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.
To support dynamic routing protocols on a tunnel, configure a network address for the tunnel
interface. The network address of the tunnel interface may not be a public address, but should
be in the same network segment on both ends of the tunnel.
By default, the network address of a tunnel interface is not set.
----End
1.3.3 Configuring Routes for the Tunnel
Routes for a tunnel must be available on both the source and destination devices so that packets
encapsulated with GRE can be forwarded correctly. A route passing through tunnel interfaces
can be a static route or a dynamic route.
Context
Perform the following steps on the devices at two ends of a tunnel.
NOTE
The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available
on both the source and destination routers.
Procedure
Step 1 Run:
system-view
Step 2 Choose one of the following methods to configure routes passing through the tunnel interface.
l Run the ip route-static ip-address { mask | mask-length } tunnel interface-number
[ description text ] command to configure a static route.
The static route must be configured on both ends of the tunnel. In this command, the
destination address is neither the destination address of the tunnel nor the address of the
opposite tunnel interface, but the destination address of the packet that is not encapsulated
with GRE. The outbound interface must be the local tunnel interface.
l Configure dynamic routes using IGP or BGP. Details for the procedure are not provided here.
For the configuration of dynamic routes, see the AR150/200 Configuration Guide - IP
Routing.
When configuring a dynamic routing protocol, enable the dynamic routing protocol on both
the tunnel interface and the interface connected to the private network. To ensure correct
routing, do not choose the tunnel interface as the next hop when configuring the route to the
physical or logical interface of the destination tunnel.
Use Router A in Figure 1-3 as an example. The source interface of Tunnel 0/0/1 is Eth 1/0/0
on Router A, and its destination interface is Eth 2/0/0 on Router C. If a dynamic routing
5

protocol is used, the protocol must be configured on the tunnel interface and the Eth interface
connected to the PC. Moreover, in the routing table of Router A, the egress with the
destination as the network segment where Eth 2/0/0 on Router C resides cannot be Tunnel
0/0/1.
In practical configurations, configure a multi-process routing protocol or change the metric
value of the tunnel interface. This prevents the tunnel interface from being selected as the
outbound interface of routes to the destination physical interface of the tunnel.
In practical configurations, tunnel interfaces and physical interfaces connected to the public
network should use different routing protocols or different processes of the same routing
protocol. With one of these procedures in place, you can avoid selecting a tunnel interface
as an outbound interface for packets destined for the destination of the tunnel. In addition, a
physical interface is prevented from forwarding user packets that should be forwarded
through the tunnel.
Figure 1-3 Diagram of configuring the GRE dynamic routing protocol
RouterA RouterC
Tunnel0/0/1 Tunnel0/0/2
PC2PC1
Eth1/0/0 Eth2/0/0
Backbone
Eth2/0/0 Eth1/0/0
Tunnel
----End
1.3.4 (Optional) Configuring GRE Security Options
To enhance the security of a GRE tunnel, configure end-to-end checksum authentication or key
authentication. This security mechanism can prevent the tunnel interface from incorrectly
identifying and receiving packets from other devices.
Context
Perform the following steps on the routers at two ends of a tunnel.
Procedure
Step 1 Run:
system-view
Step 2 Run:
6

The tunnel interface view is displayed.
Step 3 Run:
gre checksum
End-to-end checksum authentication is configured for the tunnel.
By default, end-to-end checksum authentication is disabled.
Step 4 Run:
gre key key-number
The key is set for the tunnel interface.
If the keys are set for tunnel interfaces on the two ends of the tunnel, ensure that they have the
same key number. Alternatively, you may choose not to set the keys for tunnel interfaces on
both ends of the tunnel.
By default, no key is configured for the tunnel.
NOTE
Step 3 and Step 4 can be performed in random order.
----End
1.3.5 Checking the Configuration
After a GRE tunnel is set up, you can view the running status and routing information about the
tunnel interface.
Context
The configurations of the GRE function are complete.
Procedure
l Run the display interface tunnel [ interface-number ] command to check tunnel interface
information.
l Run the display ip routing-table command to check the IPv4 routing table.
l Run the ping -a source-ip-address host command to check whether the two ends of the
tunnel can successfully ping each other.
----End
Example
Run the display interface tunnel command. If the tunnel interface is Up, the configuration
succeeds. For example:
<Huawei> display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 5.5.5.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
7

Current system time: 2008-03-04 19:17:30
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input bandwidth utilization : --
Output bandwidth utilization : --
Run the display ip routing-table command. If the route passing through the tunnel interface
exists in the routing table, the configuration succeeds. For example:
[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Ethernet2/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.2.1.0/24 Static 60 0 D 40.1.1.1 Tunnel0/0/2
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel0/0/2
Run the ping -a source-ip-address host command to see that the ping from the local tunnel
interface to the destination tunnel succeeds.
<Huawei> ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms
1.4 Configuring the Keepalive Function
Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel
Keepalive function. With this function enabled, the VPN does not select the GRE tunnel that
cannot reach the remote end, and data loss can be avoided.
Before configuring the GRE tunnel Keepalive function, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Application Environment
The Keepalive function can be configured on one end of a GRE tunnel to test the GRE tunnel
status. If the remote end is found unreachable, the tunnel is disconnected on time to avoid data
black hole.
8

Figure 1-4 GRE tunnel supporting Keepalive
RouterA RouterB
GRE tunnel
Source DestinationInternet
Before configuring the Keepalive function, complete the following tasks:
l Configuring the link layer attributes of the interfaces
l Assigning IP addresses to the interfaces
l Establishing the GRE tunnel and keeping the tunnel Up
Data Preparation
To configure the Keepalive function, you need the following data.
No. Data
1 Interval for sending Keepalive messages
2 Retry times of the unreachable timer
1.4.2 Enabling the Keepalive Function
The GRE tunnel Keepalive function is unidirectional. To implement the Keepalive function on
both ends, enable the Keepalive function on both ends of a GRE tunnel.
Context
Perform the following steps on the router that requires the Keepalive function.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
tunnel-protocol gre
9

The tunnel is encapsulated with GRE.
Step 4 Run:
keepalive [ period period [ retry-times retry-times ] ]
The Keepalive function is enabled.
The GRE tunnel Keepalive function is unidirectional. Therefore, to realize the Keepalive
function on both ends, enable the Keepalive function on both ends of a GRE tunnel. One end
can be configured with the Keepalive function regardless of whether the remote end is enabled
with the Keepalive function. But it is still recommended to enable the Keepalive function on
both ends of the GRE tunnel.
TIP
Before configuring the tunnel policy and the GRE tunnel for the VPN, enable the GRE tunnel Keepalive
function. With this function enabled, the VPN does not select the GRE tunnel that cannot reach the remote
end, and the data loss can be avoided. The reasons for enabling the Keepalive function are listed below:
l If the Keepalive function is not enabled, the local tunnel interface may always be Up regardless of
whether data reaches the remote end.
l If the Keepalive function is enabled on the local end, the local tunnel interface is set Down when the
remote end is unreachable. As a result, the VPN does not select the unreachable GRE tunnel and the
data is not lost.
----End
1.4.3 Checking the Configuration
After a GRE tunnel is enabled with the Keepalive function, you can view the Keepalive packets
and Keepalive Response packets sent and received by the GRE tunnel interfaces.
Prerequisites
The Keepalive function is enabled on the GRE tunnel.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
display keepalive packets count
Check the Keepalive packets and Keepalive Response packets sent and received by the GRE
tunnel interface.
----End
Example
On the tunnel interface that is enabled with the Keepalive function, run the display keepalive
packets count command to ascertain the number of sent Keepalive packets and received
10

Keepalive Response packets on both the local end and the remote end. If the Keepalive function
is successfully configured on the local tunnel interface, the number of sent Keepalive packets
or received Keepalive Response packets on the local end is not 0.
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol gre
[Huawei-Tunnel0/0/1] keepalive
[Huawei-Tunnel0/0/1] display keepalive packets count
Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers.
1.5 Maintaining GRE
This section describes how to reset the statistics of a tunnel interface and monitor the GRE
running status.
1.5.1 Resetting the Statistics of a Tunnel Interface
When you need to reset the statistics of a tunnel interface, you can run the reset commands to
clear the Keepalive packets and Keepalive Response packets sent and received by a GRE tunnel
interface.
Procedure
l Run the reset counters interface tunnel [ interface-number ] command in the system view
to reset statistics about the tunnel interface.
l Reset statistics about Keepalive packets on the tunnel interface.
1. Run:
system-view
2. Run:
3. Run:
reset keepalive packets count
Reset the statistics on Keepalive packets on the tunnel interface.
NOTE
You can run the reset keepalive packets count command only in the tunnel interface view,
and the interface tunnel protocol must be GRE.
----End
1.5.2 Monitoring the Running Status of GRE
In routine maintenance, you can run the GRE related display commands to view the GRE running
status.
Context
In routine maintenance, you can run the following commands to view the GRE running status.
11

Procedure
l Run the display interface tunnel [ interface-number ] command to check the tunnel
interface running status.
l Run the display ip routing-table command to check the routing table on the CE.
----End
1.5.3 Debugging GRE
When a GRE fault occurs, you can run the L2TP related debugging commands to debug GRE
and locate the fault.
Context
NOTE
The debugging process affects system performance. Therefore, after finishing the debugging process, run
the undo debugging all command immediately to disable the debugging.
When GRE goes abnormal, run the debugging commands in the user view to view debugging
information, locate the fault, and analyze the cause.
Procedure
l Run the debugging tunnel keepalive command in the user view to debug the Keepalive
function of the GRE tunnel.
----End
Familiarize yourself with the configuration procedures against the networking diagrams. This
section provides networking requirements, configuration notes, and configuration roadmap in
configurations examples.
1.6.1 Example for Configuring a Static Route for GRE
This section provides an example for configuring a static route for GRE. In this networking,
traffic between users is transmitted through a GRE tunnel; a static route is configured between
the device and its connected client.
Networking Requirements
In Figure 1-5, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C to achieve interworking between PC 1 and PC
2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
NOTE
AR150/200 is RouterA, or RouterC.
12

Figure 1-5 Networking diagram of configuring a static route for GRE
RouterA RouterC
RouterB
Tunnel0/0/1
40.1.1.1/24
Tunnel0/0/1
40.1.1.2/24
10.2.1.1/2410.1.1.1/24
Eth0/0/1
VLANIF 11
10.1.1.2/24
Eth0/0/8
20.1.1.1/24
Eth1/0/0
20.1.1.2/24
Eth0/0/8
30.1.1.2/24
Eth2/0/0
30.1.1.1/24
Eth0/0/1
VLANIF 11
10.2.1.2/24
Tunnel
PC1 PC2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a dynamic routing protocol on routers.
2. Create a tunnel interface on Router A and Router C.
3. Specify the source address of the tunnel interface as the IP address of the interface that
sends the packet.
4. Specify the destination address of the tunnel interface as the IP address of the interface that
receives the packet.
5. Assign network addresses to the tunnel interfaces to enable the tunnel to support the
dynamic routing protocol.
6. Configure the static route between Router A and its connected PC, and the static route
between Router C and its connected PC to make the traffic between PC1 and PC2
transmitted through the GRE tunnel.
7. Configure the egress of the static route as the local tunnel interface.
Data Preparation
To complete the configuration, you need the following data:
l Data for running OSPF
l Source address and destination address of the GRE tunnel, and IP addresses of tunnel
interfaces
Procedure
Step 1 Assign an IP address to each interface.
13

Assign an IP address to each interface as shown in Figure 1-5. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
# Configure Router A.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure Router B.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
After the configuration, run the display ip routing-table command on Router A and Router C.
You can find that they both learn the OSPF route to the network segment of the remote interface.
Take Router A as an example.
[RouterA] display ip routing-table
------------------------------------------------------------------------------
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Ethernet
0/0/8
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Ethernet
0/0/8
Step 3 Configure the tunnel interface.
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 24
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 24
[RouterC-Tunnel0/0/1] source 30.1.1.2
14

[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit
After the configuration, the status of tunnel interfaces goes Up, and the tunnel interfaces can
ping each other successfully.
Take Router A as an example:
[RouterA] ping -a 40.1.1.1 40.1.1.2
0.00% packet loss
Step 4 Configure a static route.
[RouterA] ip route-static 10.2.1.0 24 tunnel 0/0/1
[RouterC] ip route-static 10.1.1.0 24 tunnel 0/0/1
After the configuration, run the displayip routing-table command on Router A and Router C.
You can find the static route to the network segment of the remote user end through the tunnel
interface.
------------------------------------------------------------------------------
10.2.1.0/24 Static 60 0 D 40.1.1.1 Tunnel0/0/1
0/0/8
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Ethernet
0/0/8
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel0/0/1
PC 1 and PC 2 can ping each other successfully.
----End
Configuration Files
l Configuration file of Router A
15

#
sysname RouterA
#
vlan batch 11
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 11
#
ip address 20.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return
l Configuration file of Router B
#
sysname RouterB
#
ip address 20.1.1.2 255.255.255.0
#
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of Router C
#
sysname RouterB
#
vlan batch 11
#
interface Vlanif11
ip address 10.2.1.2 255.255.255.0
#
#
ip address 30.1.1.2 255.255.255.0
#
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
#
ospf 1
area 0.0.0.0
16

network 30.1.1.0 0.0.0.255
#
#
return
1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE
This section provides an example for configuring a dynamic route for GRE. In this networking,
traffic between users is transmitted through a GRE tunnel; a dynamic route is configured between
the device and its connected user.
In Figure 1-6, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C for the interworking between PC1 and PC2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
OSPF is enabled on the tunnel interface. OSPF process 1 is used for the VPN backbone network
and OSPF process 2 is used for user access.
NOTE
Figure 1-6 Networking diagram of configuring a dynamic routing protocol for GRE
RouterA RouterC
RouterB
Tunnel0/0/1
40.1.1.1/24
Tunnel0/0/1
40.1.1.2/24
10.2.1.1/24
10.1.1.1/24
Eth0/0/1
VLANIF 11
10.1.1.2/24
Eth0/0/8
20.1.1.1/24
Eth1/0/0
20.1.1.2/24
Eth0/0/8
30.1.1.2/24
Eth2/0/0
30.1.1.1/24
Eth0/0/1
VLANIF 11
10.2.1.2/24
OSPF 1
OSPF 2
PC1 PC2
Tunnel
17

1. Configure IGP on each router in the backbone network to realize the interworking between
these devices. Here OSPF process 1 is used.
2. Create the GRE tunnel between routers that are connected to PCs.Then routers can
communicate through the GRE runnel.
3. Configure the dynamic routing protocol on the network segments through which PCs access
the backbone network. Here OSPF process 2 is used.
Data Preparation
l Source address and destination address of the GRE tunnel
l IP addresses of the interfaces on both ends of the GRE tunnel
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 1-6. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
The specific configuration procedures are the same as those in 1.6.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 3 Configuring the tunnel interfaces
The specific configuration procedures are the same as those in 1.6.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 4 Configure OSPF on the tunnel interfaces.
[RouterA] ospf 2
[RouterA-ospf-2] area 0
[RouterA-ospf-2-area-0.0.0.0] quit
[RouterA-ospf-2] quit
[RouterC] ospf 2
[RouterC-ospf-2] area 0
[RouterC-ospf-2-area-0.0.0.0] quit
[RouterC-ospf-2] quit
Step 5 Verify the configuration.
After the configuration, run the display ip routing-table command on Router A and Router C.
You can find the OSPF route to the network segment of the remote user end through the tunnel
interface. Moreover, the next hop to the destination physical address (30.1.1.0/24) of the tunnel
is not the tunnel interface.
18

------------------------------------------------------------------------------
10.2.1.0/24 OSPF 60 0 D 40.1.1.1 Tunnel0/0/1
0/0/8
30.1.1.0/24 OSPF 10 2 D 20.1.1.2 Ethernet
0/0/8
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Tunnel0/0/1
PC 1 and PC 2 can ping each other successfully.
----End
Configuration Files
#
sysname RouterA
#
vlan batch 11
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
#
#
ip address 20.1.1.1 255.255.255.0
#
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
#
sysname RouterB
#
ip address 20.1.1.2 255.255.255.0
#
19

ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
#
sysname RouterC
#
vlan batch 11
#
interface Vlanif11
ip address 10.2.1.2 255.255.255.0
#
#
ip address 30.1.1.2 255.255.255.0
#
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
1.6.3 Example for Configuring a GRE Tunnel to Transmit VPN
Multicast Data Encrypted with IPSec
This section provides an example for configuring a GRE tunnel to transmit multicast packets
encrypted with IPSec. In this networking, a GRE tunnel is set up between devices; multicast
packets are encapsulated with GRE and then IPSec.
In Figure 1-7, Router A andRouter C are required to transmit multicast packets, and the multicast
packets must be encrypted through IPSec. Before being encrypted through IPSec, multicast
packets must be encapsulated with GRE because IPSec cannot directly encrypt multicast packets.
NOTE
20

Figure 1-7 Networking diagram of transmitting IPSec-encrypted multicast packets through a
GRE tunnel
RouterA RouterC
RouterB
Tunnel0/0/1
40.1.1.1/24
Tunnel0/0/1
40.1.1.2/24
10.2.1.1/2410.1.1.1/24
Eth0/0/1
VLANIF 11
10.1.1.2/24
Eth0/0/8
20.1.1.1/24
Eth1/0/0
20.1.1.2/24
Eth0/0/8
30.1.1.2/24
Eth2/0/0
30.1.1.1/24
Eth0/0/1
VLANIF 11
10.2.1.2/24
GRE with IPSec
1. Configure OSPF on the backbone network devices, namely, Router A, Router B, and
Router C, to realize the interworking between these devices.
2. Create a GRE tunnel between Router A and Router C to encapsulate multicast packets.
3. Create an IPSec tunnel between Router A and Router C to encrypt the GRE encapsulated
multicast packets.
Data Preparation
l Data for configuring the routing protocol for the backbone network
l IP addresses of the interfaces on both ends of the GRE tunnel
l Parameters for configuring IKE such as pre-shared-key and remote-name
l Data for configuring IPSec such as IPSec proposal name and ACL
Procedure
Step 1 Configure the routing protocol.
Configure a routing protocol on Router A, Router B, and Router C to implement the interworking
between these devices. OSPF is configured in this example. The configuration details are not
mentioned here.
After the configuration,
21

l Router A and Router C are routable.
l Router A can successfully ping Eth0/0/8 of Router C.
l Router C can successfully ping Eth0/0/8 of Router A.
Step 2 Configure the interfaces of the GRE tunnel.
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
After the configuration,
l The GRE tunnel between Router A and Router C is set up.
l The status of the tunnel interfaces is Up.
Step 3 Enable multicast.
# Enable the multicast routing protocol globally. Enable PIM DM on the tunnel interfaces, and
enable PIM DM and IGMP on the interfaces connected to the PCs.
[RouterA] multicast routing-enable
[RouterA] interface ethernet 2/0/0
[RouterA-Vlanif11] pim dm
[RouterA-Vlanif11] igmp enable
[RouterA-Vlanif11] quit
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] pim dm
[RouterC] multicast routing-enable
[RouterC] interface ethernet 2/0/0
[RouterC-Vlanif11] pim dm
[RouterC-Vlanif11] igmp enable
[RouterC-Vlanif11] quit
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] pim dm
# After multicast is enabled, the multicast data between Router A and Router C is transmitted
through the GRE tunnel.
Step 4 Configure aggressive IKE negotiation between Router A and Router C.
NOTE
To encapsulate multicast packets with GRE and then encrypt the multicast packets with IPSec, the remote
address in IKE peer mode must be the destination address of the local tunnel.
22

[RouterA] ike local-name rta
[RouterA] ike peer RouterC v1
[RouterA-ike-peer-routerc] exchange-mode aggressive
[RouterA-ike-peer-routerc] local-id-type name
[RouterA-ike-peer-routerc] pre-shared-key 12345
[RouterA-ike-peer-routerc] remote-name rtc
[RouterA-ike-peer-routerc] remote-address 30.1.1.2
[RouterA-ike-peer-routerc] quit
[RouterC] ike local-name rtc
[RouterC] ike peer RouterA v1
[RouterC-ike-peer-routera] exchange-mode aggressive
[RouterC-ike-peer-routera] local-id-type name
[RouterC-ike-peer-routera] pre-shared-key 12345
[RouterC-ike-peer-routera] remote-name rta
[RouterC-ike-peer-routera] remote-address 20.1.1.1
[RouterC-ike-peer-routera] quit
Step 5 Configure IPSec.
NOTE
Encapsulate multicast packets with GRE and then encrypt these packets with IPSec. Note that the source
and destination addresses for the local end of the tunnel must match the ACL of the IPSec policy, and the
IPSec policy must be applied to the physical interface transmitting data.
# Configure IPSec on Router A and Router C. The default parameters of the IPSec proposal is
used in this example.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit ip source 20.1.1.1 0 destination 30.1.1.2 0
[RouterA-acl-adv-3000] quit
[RouterA] ipsec proposal p1
[RouterA-ipsec-proposal-p1] quit
[RouterA] ipsec policy policy1 1 isakmp
[RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-1] ike-peer RouterC
[RouterA-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterA-ipsec-policy-isakmp-policy1-1] quit
[RouterA] interface ethernet 0/0/8
[RouterA-Ethernet0/0/8] ipsec policy policy1
[RouterA-Ethernet0/0/8] quit
[RouterC] acl number 3000
[RouterC-acl-adv-3000] rule permit ip source 30.1.1.2 0 destination 20.1.1.1 0
[RouterC-acl-adv-3000] quit
[RouterC] ipsec proposal p1
[RouterC-ipsec-proposal-p1] quit
[RouterC] ipsec policy policy1 1 isakmp
[RouterC-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterC-ipsec-policy-isakmp-policy1-1] ike-peer RouterA
[RouterC-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterC-ipsec-policy-isakmp-policy1-1] quit
[RouterC] interface ethernet 0/0/8
[RouterC-Ethernet0/0/8] ipsec policy policy1
[RouterC-Ethernet1/0/0] quit
# After the configuration, the multicast data between Router A and Router C can be transmitted
through the GRE tunnel encrypted with IPSec.
Step 6 On the source device and the destination device of the tunnel, configure the tunnel to forward
routes.
23

[RouterA] ip route-static 10.2.1.0 255.255.255.0 tunnel 0/0/1
[RouterC] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/1
# After PC1 and PC2 successfully ping each other, you can view that IKE negotiation is
configured and IPSec encryption takes effect.
[RouterA] display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
3 30.1.1.2 0 RD 2
2 30.1.1.2 0 RD 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
[RouterA] display ips sa
===============================
Interface: Ethernet0/0/8
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "policy1"
Sequence number : 1
Mode : ISAKMP
-----------------------------
Connection ID : 3
Encapsulation mode: Tunnel
Tunnel local : 20.1.1.1
Tunnel remote : 30.1.1.2
[Outbound ESP SAs]
SPI: 1644488112 (0x6204e5b0)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436628/3542
Max sent sequence-number: 2
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 2182908365 (0x821c89cd)
Max received sequence-number: 3
[RouterC] display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
2 20.1.1.1 0 RD|ST 2
1 20.1.1.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
[RouterC] display ips sa
===============================
Interface: Ethernet0/0/8
Path MTU: 1500
===============================
24

-----------------------------
IPSec policy name: "policy1"
Sequence number : 1
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 30.1.1.2
Tunnel remote : 20.1.1.1
[Outbound ESP SAs]
SPI: 2182908365 (0x821c89cd)
Max sent sequence-number: 5
[Inbound ESP SAs]
SPI: 1644488112 (0x6204e5b0)
Max received sequence-number: 4
----End
Configuration Files
#
sysname RouterA
#
vlan batch 11
#
multicast routing-enable
#
ike local-name rta
#
acl number 3000
rule 5 permit ip source 20.1.1.1 0 destination 30.1.1.2 0
#
ipsec proposal p1
#
ike peer routerc v1
exchange-mode aggressive
pre-shared-key 12345
local-id-type name
remote-name rtc
remote-address 30.1.1.2
#
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer routerc
proposal p1
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
pim dm
igmp enable
#
#
ip address 20.1.1.1 255.255.255.0
ipsec policy policy1
25

#
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
pim dm
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
#
return
#
sysname RouterB
#
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif11
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
#
sysname RouterC
#
sysname RouterC
#
vlan batch 11
#
multicast routing-enable
#
ike local-name rta
#
acl number 3000
rule 5 permit ip source 30.1.1.2 0 destination 20.1.1.1 0
#
ipsec proposal p1
#
ike peer routerc v1
exchange-mode aggressive
pre-shared-key 12345
local-id-type name
remote-name rta
remote-address 30.1.1.2
#
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer routerc
proposal p1
#
interface Vlanif11
ip address 10.2.1.2 255.255.255.0
pim dm
igmp enable
#
26

#
ip address 30.1.1.2 255.255.255.0
ipsec policy policy1
#
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
pim dm
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
#
return
1.6.4 Example for Configuring the CE to Access a VPN Through a
GRE Tunnel of the Public Network
This section provides an example for configuring a CE to access a VPN through a GRE tunnel
on the public network. In this networking, the PE is indirectly connected to the CE; thus, no
physical interface can be bound to the VPN instance on the PE. Then, a GRE tunnel over the
public network is required between the CE and PE and the GRE tunnel is required to be bound
to the VPN instance on the PE. This allows the CE to access the VPN through the GRE tunnel.
As shown in Figure 1-8,
l routerPE1 and PE2 are located in the MPLS backbone network.
l CE1 is connected to PE1 through R1.
l CE2 is connected to PE2 directly.
l CE1 and CE2 belong to the same VPN.
CE1 and CE2 are required to interwork with each other.
NOTE
AR150/200 is CE1.
27

Figure 1-8 Networking diagram in which CEs access a VPN through the GRE tunnel of the
public network
PE1
PE2
CE1
CE2
R1
PC1
Eth1/0/0
Eth1/0/0
Eth1/0/0
Eth0/0/1
VLANIF 11
PC2
Eth2/0/0
Eth2/0/0
MPLS
Loopback1 Loopback1
Eth2/0/0
Eth1/0/0
Eth0/0/8
Tunnel
Tunnel0/0/1
Tunnel0/0/1
Eth2/0/0
Router Interface IP address
CE1 Vlanif 11 21.1.1.2/24
CE1 Eth0/0/8 30.1.1.1/24
CE1 Tunnel0/0/1 2.2.2.1/24
R1 Eth1/0/0 30.1.1.2/24
R1 Eth2/0/0 50.1.1.1/24
PE1 Loopback1 1.1.1.9/32
PE1 Eth1/0/0 50.1.1.2/24
PE1 Eth2/0/0 110.1.1.1/24
PE1 Tunnel0/0/1 2.2.2.2/24
PE2 Loopback1 3.3.3.9/32
PE2 Eth1/0/0 110.1.1.2/24
PE2 Eth2/0/0 11.1.1.2/24
CE2 Eth1/0/0 11.1.1.1/24
CE2 Eth2/0/0 41.1.1.2/24
PE1 and CE1 are indirectly connected. So the VPN instance on PE1 cannot be bound to the
physical interface on PE1. In such a situation, a GRE tunnel is required between CE1 and PE1.
vpn1 on PE1 can then be bound to the GRE tunnel, and CE1 can access the VPN through the
GRE tunnel.
1. Configure OSPF10 on PE1 and PE2 to implement the interworking between the two
devices, and then enable MPLS.
2. Configure OSPF20 on CE1, R1, and PE1 to implement the interworking between the three
devices.
3. Establish a GRE tunnel between CE1 and PE1.
28

4. Create VPN instances on PE1 and PE2. Then bind the VPN instance on PE1 to the GRE
tunnel interface, and bind the VPN instance on PE2 to the connected physical interface of
CE2.
5. Configure IS-IS routes between CE1 and PE1, and between CE2 and PE2 to implement
the interworking between the CEs and PEs.
6. Configure BGP on PEs to implement the interworking between CE1 and CE2.
Data Preparation
l IP addresses of the interfaces, process ID of the routing protocol, and AS number
l VPN instance names, RDs, and VPN targets on PEs
Procedure
Step 1 Configure the IP address for each interface and the routing protocol for the MPLS backbone
network.
Configure OSPF10 on PE1 and PE2, and then configure MPLS and LDP. The detailed
configurations are not mentioned here.
Step 2 Configure a routing protocol between CE1, R1, and PE1.
Configure OSPF20 on CE1, R1, and PE1. The detailed configurations are not mentioned here.
Step 3 Establish a GRE tunnel between CE1 and PE1.
# Configure CE1.
[CE1] interface tunnel0/0/1
[CE1-Tunnel0/0/1] ip address 2.2.2.1 255.255.255.0
[CE1-Tunnel0/0/1] tunnel-protocol gre
[CE1-Tunnel0/0/1] source 30.1.1.1
[CE1-Tunnel0/0/1] destination 50.1.1.2
# Configure PE1.
[PE1] interface tunnel0/0/1
[PE1-Tunnel0/0/1] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel0/0/1] tunnel-protocol gre
[PE1-Tunnel0/0/1] source 50.1.1.2
[PE1-Tunnel0/0/1] destination 30.1.1.1
# After the configuration, a GRE tunnel is established between CE1 and PE1.
Step 4 Create a VPN instance named vpn1 on PE1 and bind the VPN instance to the GRE tunnel.
[PE1]ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1-Tunnel0/0/1] ip binding vpn-instance vpn1
[PE1-Tunnel0/0/1] ip address 2.2.2.2 255.255.255.0
Step 5 Create a VPN instance named vpn1 on PE2 and bind the VPN instance to the Eth interface.
[PE2]ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
29

[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface ethernet2/0/0
[PE2- Ethernet2/0/0] ip binding vpn-instance vpn1
[PE2- Ethernet2/0/0] ip address 11.1.1.2 255.255.255.0
Step 6 Configure the IS-IS route between CE1 and PE1.
# Configure CE1.
[CE1] isis 50
[CE1-isis-50] network-entity 50.0000.0000.0001.00
[CE1-isis-50] quit
[CE1] interface ethernet1/0/0
[CE1-Ethernet1/0/0] isis enable 50
[CE1-Ethernet1/0/0] quit
[CE1] interface tunnel0/0/1
[CE1-Tunnel0/0/1] isis enable 50
[CE1-Tunnel0/0/1] quit
# Configure PE1.
[PE1] isis 50 vpn-instance vpn1
[PE1-isis-50] network-entity 50.0000.0000.0002.00
[PE1-isis-50] quit
[PE1-Tunnel0/0/1] isis enable 50
[PE1-Tunnel0/0/1] quit
Step 7 Configure the IS-IS route between CE2 and PE2.
# Configure CE2.
[CE2] isis 50
[CE2-isis-50] network-entity 50.0000.0000.0004.00
[CE2-isis-50] quit
# Configure PE2.
[PE2] isis 50 vpn-instance vpn1
[PE2-isis-50] network-entity 50.0000.0000.0003.00
[PE2-isis-50] quit
[PE2] interface ethernet2/0/0
[PE2-Ethernet2/0/0] isis enable 50
[PE2-Ethernet2/0/0] quit
Step 8 Set up the MP-BGP peer relationship between PE1 and PE2.
# On PE1, specify PE2 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE1
and PE2.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
30

[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] import-route isis 50
# On PE2, specify PE1 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE2
and PE1.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] import-route isis 50
Step 9 Import BGP routes into IS-IS.
# Configure PE1.
[PE1] isis 50
[PE1-isis-50] import-route bgp
# Configure PE2.
[PE2] isis 50
[PE2-isis-50] import-route bgp
# After the configuration, CE1 and CE2 can successfully ping each other.
<CE1> ping 41.1.1.2
0.00% packet loss
<CE2> ping 21.1.1.2
0.00% packet loss
----End
Configuration Files
l Configuration file of CE1
#
31

sysname CE1
#
isis 50
network-entity 50.0000.0000.0001.00
#
ip address 21.1.1.2 255.255.255.0
isis enable 50
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
#
#
ip address 2.2.2.1 255.255.255.0
tunnel-protocol gre
source 30.1.1.1
isis enable 50
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of R1
#
sysname R1
#
ip address 30.1.1.2 255.255.255.0
#
ip address 50.1.1.1 255.255.255.0
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
#
return
l Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
network-entity 50.0000.0000.0002.00
import-route bgp
#
ip address 50.1.1.2 255.255.255.0
#
ip address 110.1.1.1 255.255.255.0
32

mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ip binding vpn-instance vpn1
ip address 2.2.2.2 255.255.255.0
tunnel-protocol gre
source 50.1.1.2
isis enable 50
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route isis 50
#
ospf 10
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 110.1.1.0 0.0.0.255
#
ospf 20
area 0.0.0.0
network 50.1.1.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
network-entity 50.0000.0000.0003.00
import-route bgp
#
ip address 110.1.1.2 255.255.255.0
mpls
mpls ldp
#
ip binding vpn-instance vpn1
ip address 11.1.1.2 255.255.255.0
isis enable 50
#
33

interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route isis 50
#
ospf 10
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 110.1.1.0 0.0.0.255
#
return
l Configuration file of CE2
#
sysname CE2
#
isis 50
network-entity 50.0000.0000.0004.00
#
ip address 11.1.1.1 255.255.255.0
isis enable 50
#
ip address 41.1.1.2 255.255.255.0
isis enable 50
#
return
1.6.5 Example for Configuring the Keepalive Function for GRE
This section provides an example for configuring the Keepalive function of the GRE tunnel. In
this manner, the VPN does not select the GRE tunnel that cannot reach the remote end, and data
loss can be avoided.
As shown in Figure 1-9, Router A and Router B are configured with the GRE protocol. The two
ends of the GRE tunnel need be configured with the Keepalive function.
NOTE
34

Figure 1-9 Networking diagram of configuring the Keepalive function on two ends of a GRE
tunnel
Eth0/0/8
20.1.1.1/24
Eth0/0/8
30.1.1.2/24Internet
GRE Tunnel
Tunnel0/0/1
40.1.1.1/24
Tunnel0/0/1
40.1.1.2/24
RouterA RouterB
To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in
the tunnel interface view on the end.
TIP
If the Keepalive function is enabled on the source end, the forwarding function is obligatory, and the
Keepalive function is optional for the destination end.
Data Preparation
l Data for configuring the routing protocol for the backbone network
l Interval for sending Keepalive messages
l Parameters of unreachable timer
Procedure
Step 1 Configure Router A and Router B to implement the interworking between the two devices.
The detailed procedures are not mentioned here.
Step 2 Configure a tunnel on Router A and enable the Keepalive function.
<RouterA> system-view
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] keepalive period 20 retry-times 3
Step 3 Configure a tunnel on Router B and enable the Keepalive function.
<RouterB> system-view
[RouterB] interface tunnel 0/0/1
[RouterB-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterB-Tunnel0/0/1] source 30.1.1.2
[RouterB-Tunnel0/0/1] destination 20.1.1.1
[RouterB-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterB-Tunnel0/0/1] quit
# The tunnel interface on Router A can successfully ping the tunnel interface on Router B.
35

<RouterA> ping -a 40.1.1.1 40.1.1.2
0.00% packet loss
# Enable the debugging of the Keepalive messages on Router A and view information about the
Keepalive messages.
<RouterA> terminal monitor
<RouterA> terminal debugging
<RouterA> debugging tunnel keepalive
May 18 2011 11:36:11.590.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive
finished. Received keepalive detecting packet from peer router.
<RouterA>
May 18 2011 11:36:11.590.2+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard u
lKeepaliveReceiveOpposite++ then send mbuf to slave when RECEIVE keepalive packe
t.
<RouterA>
May 18 2011 11:36:11.590.3+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive peer kee
palive on mainboard successfully. Put into decapsulation.
<RouterA>
May 18 2011 11:36:15.120.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive
finished. Received keepalive response packet from peer router.
<RouterA>
May 18 2011 11:36:15.120.2+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive the resp
onse keepalive packet on mainboard successfully, keepalive finished.
<RouterA>
May 18 2011 11:36:15.120.3+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard s
end mbuf to slaveboard when RECEIVE response packet.
----End
Configuration Files
#
sysname RouterA
#
ip address 20.1.1.1 255.255.255.0
#
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
keepalive period 20
#
return
#
sysname RouterB
#
ip address 30.1.1.2 255.255.255.0
#
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
36

source 30.1.1.2
keepalive period 20
#
return
37

2L2TP Configuration
About This Chapter
L2TP is a VPN technology that facilitates the tunneling of PPP frames and allows the Layer 2
termination points and PPP session endpoints to reside on different devices.
2.1 L2TP Overview
The L2TP protocol, which embodies the advantages of L2F and PPTP, is a industry standard on
Layer 2 tunnel protocols defined by the IETF.
2.2 Configuring Basic L2TP Functions
In L2TP configurations, you need to configure basic L2TP functions before configuring other
L2TP functions.
2.3 Configuring LAC
After being configured as an LAC, a device determines whether the user is an access user and
whether to initiate a connection to an LNS.
2.4 Configuring LNS
After receiving a tunnel setup request from an LAC, an LNS checks the authentication method
and determines whether to allow the LAC to set up an L2TP tunnel.
2.5 Adjusting L2TP Connection
After an L2TP tunnel is set up, you can configure or adjust L2TP parameters.
2.6 Maintaining L2TP
This section describes how to disconnect a tunnel forcibly, and monitor the running status of
L2TP.
This section provides L2TP configuration examples.
Configuration Guide - VPN 2 L2TP Configuration
38

2.1 L2TP Overview
The L2TP protocol, which embodies the advantages of L2F and PPTP, is a industry standard on
Layer 2 tunnel protocols defined by the IETF.
2.1.1 Introduction to L2TP
L2TP messages are used in the maintenance of L2TP tunnels and transmission of PPP frames.
These messages are transmitted through UDP port 1701 in the TCP/IP protocol suite. L2TP uses
two types of messages: control messages and data messages.
The Point to Point Protocol (PPP) defines a kind of encapsulation technique, which ensures the
transmission of datagram of multiple protocols over Layer 2 point-to-point links. During the
transmission, PPP is performed between users and the Network Access Server (NAS), with Layer
2 link endpoints and PPP session termination points residing on the same device.
The Layer 2 Tunneling Protocol (L2TP) is used to transmit the Layer 2 PPP datagram over a
tunnel. L2TP extends the PPP model because L2TP permits Layer 2 link endpoints and PPP
session termination points to stay at different devices, and can realize information exchange
based on packet-switching technology. By combining the advantages of the Layer 2 Forwarding
(L2F) and Point-to-Point Tunneling Protocol (PPTP), L2TP is defined by the Internet
Engineering Task Force (IETF) as an industry standard of the Layer 2 tunneling protocol.
2.1.2 L2TP Features Supported by the AR150/200
The AR150/200 supports three L2TP tunnel modes.
Three Typical L2TP Tunnel Modes
Figure 2-1 shows the tunnel modes between the remote system and the L2TP Network Server
(LNS), and between the L2TP Access Concentrator (LAC) client (host running L2TP) and LNS.
Figure 2-1 Networking diagram of three typical L2TP tunnel modes
Remote
system
LAC
LAC
LNS
LAC
client
LNS
Internal
server
PSTN/
ISDN
Network
Internal
server
LANPC
Network
39

The three methods to establish an L2TP tunnel are as follows:
l NAS-initialized: initiated by remote users. The remote user connects to the LAC through
Public Switched Telephony Network (PSTN) or Integrated Services Digital Network
(ISDN). The LAC sends a request to the LNS for establishing a tunnel connection through
the Internet. Remote user addresses are assigned by the LNS. The LNS or the agent on the
LAC performs authentication and accounting on the remote user.
l Client-initialized: initiated directly by LAC users who support L2TP. In this mode, LAC
clients can send a request for establishing a tunnel connection directly to an LNS, without
the need to pass through the LAC device. The addresses of the LAC clients are assigned
by the LNS.
l LAC-Auto-Initiated: In most cases, an L2TP user directly dials up to a LAC, and only PPP
connection is established between the user and LAC. If the LAC serves also as a PPP client,
connection between the user and LAC can be established in other modes in addition to PPP.
The users can send IP packets to the LAC, and then the LAC forwards the packets to the
LNS. To make the LAC serve as a PPP client, create a virtual PPP user and server on the
LAC. The virtual PPP user negotiates with the virtual PPP server, and the virtual PPP server
establishes an L2TP tunnel with the LNS to negotiate with the LNS.
The AR150/200 can serve as a LAC and an LNS at the same time, and supports the incoming
calls of multiple concurrent users. If sufficient memory and line capacity are provided, L2TP
can receive and initiate multiple calls at the same time.
2.2 Configuring Basic L2TP Functions
In L2TP configurations, you need to configure basic L2TP functions before configuring other
L2TP functions.
Before configuring basic L2TP functions, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
Applicable Environment
The L2TP group is an important concept that you need to know when configuring L2TP. After
configuring an L2TP group, you can flexibly configure L2TP functions on the device and realize
point-to-point or point-to-multipoint networking applications between the L2TP Access
Concentrator (LAC) and the L2TP Network Server (LNS).
None
Data Preparation
To configure basic L2TP functions, you need the following data.
40

Configuration guide vpn(v200 r002c00-02)

Configuration guide vpn(v200 r002c00-02)

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (12)

Similar to Configuration guide vpn(v200 r002c00-02)

Similar to Configuration guide vpn(v200 r002c00-02) (20)

Recently uploaded

Recently uploaded (12)

Configuration guide vpn(v200 r002c00-02)