The capwap dtls control-link encrypt command enables the function of encrypting the CAPWAP control tunnel using Datagram Transport Layer Security (DTLS).
The undo capwap dtls control-link encrypt command disables the function of encrypting the CAPWAP control tunnel using DTLS.
By default, the function of encrypting the CAPWAP control tunnel using DTLS is disabled.
Usage Scenario
In the Discovery phase of CAPWAP tunnel establishment between the AP and the AC, the AP obtains the AC's IP address through the discovery mechanism. In the DTLS negotiation phase that follows, the UDP packets of the CAPWAP tunnel are encrypted using DTLS.
After this command is run, the CAPWAP control packets between the AP and the AC are encrypted using DTLS, and the AP and AC use the pre-shared key (PSK) to perform DTLS negotiation. If the DTLS negotiation fails, the CAPWAP tunnel cannot be established.
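As an added example (not Huawei's code and not part of this command reference), the Python audit below checks from a packet capture whether the control link is actually DTLS-protected. It reads the one-byte CAPWAP preamble defined in RFC 5415 (low nibble 0 = plaintext CAPWAP header, 1 = CAPWAP DTLS header followed by a DTLS record), treats the Discovery Request/Response exchange as legitimately unencrypted, reports any other control message sent in the clear, and flags a DTLS alert record as a sign that negotiation, and therefore tunnel establishment, is failing. Port numbers and header layouts come from RFC 5415 and the DTLS record format; the sample capture at the bottom is constructed for this example.

```python
"""Audit CAPWAP control-channel packets for DTLS protection (added example)."""
from dataclasses import dataclass
from typing import Optional

CAPWAP_CONTROL_PORT = 5246            # RFC 5415 control channel (UDP); data channel is 5247
PAYLOAD_PLAINTEXT, PAYLOAD_DTLS = 0, 1  # low nibble of the CAPWAP preamble byte

# CAPWAP control message types (RFC 5415, IETF enterprise number 0)
MESSAGE_TYPES = {1: "Discovery Request", 2: "Discovery Response",
                 3: "Join Request", 4: "Join Response"}
DISCOVERY_TYPES = {1, 2}              # sent before DTLS is up, so clear by design

# DTLS record content types (same values as TLS) and version bytes
DTLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}
DTLS_VERSIONS = {(0xFE, 0xFF): "DTLS 1.0", (0xFE, 0xFD): "DTLS 1.2"}


@dataclass
class Verdict:
    encrypted: bool
    detail: str
    message_type: Optional[int] = None  # only known for plaintext control messages


def classify_capwap(payload: bytes) -> Verdict:
    """Classify one UDP payload seen on the CAPWAP control port."""
    if len(payload) < 8:
        raise ValueError("payload shorter than a CAPWAP header")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unknown CAPWAP version {version}")
    if ptype == PAYLOAD_PLAINTEXT:
        # HLEN (5 bits) is the transport header length in 4-byte words;
        # the control header, starting with a 4-byte Message Type, follows it.
        offset = ((payload[1] >> 3) & 0x1F) * 4
        if len(payload) < offset + 4:
            return Verdict(False, "plaintext CAPWAP header, control header truncated")
        msg_type = int.from_bytes(payload[offset:offset + 4], "big")
        name = MESSAGE_TYPES.get(msg_type, f"message type {msg_type}")
        return Verdict(False, f"plaintext {name}", msg_type)
    if ptype == PAYLOAD_DTLS:
        record = payload[4:]              # skip preamble + 3 reserved bytes
        if len(record) < 13:              # DTLS record header is 13 bytes
            return Verdict(True, "DTLS header present, record truncated")
        ctype = DTLS_CONTENT_TYPES.get(record[0], f"content_type {record[0]}")
        vname = DTLS_VERSIONS.get((record[1], record[2]), "unknown DTLS version")
        return Verdict(True, f"{vname} {ctype}")
    raise ValueError(f"unknown CAPWAP payload type {ptype}")


def audit_control_channel(packets):
    """Return (index, finding) pairs for packets that contradict an encrypted control link.

    `packets` is an iterable of (udp_dst_port, payload) tuples, e.g. from a capture.
    """
    findings = []
    for idx, (port, payload) in enumerate(packets):
        if port != CAPWAP_CONTROL_PORT:
            continue
        v = classify_capwap(payload)
        if not v.encrypted and v.message_type not in DISCOVERY_TYPES:
            findings.append((idx, f"{v.detail} sent in the clear"))
        elif v.encrypted and v.detail.endswith("alert"):
            findings.append((idx, f"{v.detail}: DTLS negotiation may have failed"))
    return findings


def build_plaintext_control(msg_type: int) -> bytes:
    """Constructed sample: minimal plaintext CAPWAP control message (HLEN=2, 8-byte header)."""
    transport = bytes([0x00, 0x10]) + b"\x00" * 6
    control = msg_type.to_bytes(4, "big") + b"\x00\x00\x00\x00"  # type, seq, elem len, flags
    return transport + control


def build_dtls_record(content_type: int, fragment: bytes) -> bytes:
    """Constructed sample: CAPWAP DTLS header + DTLS 1.2 record header + fragment."""
    header = bytes([content_type, 0xFE, 0xFD]) + b"\x00" * 8 + len(fragment).to_bytes(2, "big")
    return bytes([0x01, 0, 0, 0]) + header + fragment


# Constructed capture: a normal start, a failed negotiation, then an unencrypted Join.
SAMPLE_CAPTURE = [
    (5246, build_plaintext_control(1)),                  # Discovery Request, legitimately clear
    (5246, build_plaintext_control(2)),                  # Discovery Response
    (5246, build_dtls_record(22, b"\x01\x00\x00\x00")),  # ClientHello stub: negotiation begins
    (5246, build_dtls_record(21, b"\x02\x28")),          # fatal handshake_failure alert
    (5246, build_plaintext_control(3)),                  # Join Request in the clear
    (5247, bytes([0x00, 0x10]) + b"\x00" * 14),          # data channel, not audited here
]

if __name__ == "__main__":
    for idx, finding in audit_control_channel(SAMPLE_CAPTURE):
        print(f"packet {idx}: {finding}")
```

Run against a real capture, feed `audit_control_channel` the UDP destination port and payload of each packet between the AP and the AC; after `capwap dtls control-link encrypt` takes effect, everything on port 5246 beyond the Discovery exchange should classify as DTLS, and a run of alert records during the handshake points at a PSK mismatch or other negotiation failure rather than at a transport problem.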
Configuration Impact
After this command is run, the AP and AC reestablish a CAPWAP tunnel.
Precautions
When is enabled or APs are being upgraded, the status of DTLS encryption cannot be changed.
# Enable the function of encrypting the CAPWAP control tunnel using DTLS.
<HUAWEI> system-view
[HUAWEI] capwap dtls control-link encrypt
Warning: The DTLS PSK is the default one. It is recommended to change it to ensure security. Change it now?[Y/N]:y
New PSK:
Configuring the new PSK, waiting......................done.
Warning: This operation may cause devices connected through CAPWAP to reset or go offline. Continue? [Y/N]:y