
Configuring the Efficient VPN Policies

Context

Only mandatory parameters, such as the Efficient VPN server IP address and pre-shared key, need to be configured on a remote device. Other parameters, such as authentication and encryption algorithms used in IKE negotiation, and the IPSec proposal, are preconfigured on the Efficient VPN server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec efficient-vpn efficient-vpn-name [ mode { client | network | network-plus } ]

    An Efficient VPN policy is created (in client mode unless another mode is specified) and the Efficient VPN policy view is displayed.

    By default, no Efficient VPN policy is created in the system.

    When IKEv2 is used, the network-plus mode is not supported.

  3. Run security acl acl-number

    An ACL is referenced in the IPSec Efficient VPN policy.

    By default, no ACL is referenced.

    acl-number is an advanced ACL that has been created.

    If an ACL is referenced, its rules can only match IP packets as a whole, that is, the rules must be of the form permit ip.

    A remote device in client mode requests an IP address from the headquarters and uses it to establish the IPSec tunnel with the Efficient VPN server. Packets sent from the branch to the headquarters carry this assigned address as their source address, so no ACL is required in client mode.

  4. Run remote-address { ip-address | host-name host-name } { v1 | v2 }

    A peer address or a domain name in IKE negotiation is configured.

    By default, no IP address or domain name is configured for the remote IKE peer during IKE negotiation.

    To improve network reliability, two devices can be deployed at the headquarters to connect to the branch gateway. In the Efficient VPN policy on the branch gateway, two IP addresses or domain names of the remote IKE peer can be configured. The branch gateway first attempts to establish an IKE connection with the headquarters gateway using the first configured IP address or domain name. If that fails, it uses the second IP address or domain name.

  5. Run pre-shared-key cipher key

    The pre-shared key used by IKE peers to perform pre-shared key authentication is configured.

    By default, no pre-shared key is configured on IKE peers.

    The pre-shared key at the two ends must be the same. Because the peers authenticate each other using only this key, use a long, randomly generated key and do not reuse it across sites.

  6. Run dh { group14 | group19 | group20 | group21 }

    A Diffie-Hellman group used in IKE negotiation is configured.

    By default, group14 is used in IKE negotiation.

    The security strength of these Diffie-Hellman groups is in descending order: group21 > group20 > group19 > group14. group14 is the 2048-bit MODP group; group19, group20, and group21 are the 256-bit, 384-bit, and 521-bit elliptic curve (ECP) groups, respectively.

  7. (Optional) Run local-id-type { fqdn | ip | key-id | user-fqdn }

    The local ID type used in IKE negotiation is set.

    By default, the IP address of the local end is used as the local ID.

    • ip: The IP address is configured by running the tunnel local command.
    • key-id: When the device functions as the remote end of an Efficient VPN policy and communicates with a Cisco device, specify key-id in this command and also run the service-scheme command to specify the service scheme that the Cisco device uses.
    • fqdn or user-fqdn: The FQDN or User-FQDN is configured by running the ike local-name local-name command in the system view.

  8. (Optional) Run remote-id id

    The remote ID for IKE negotiation is configured.

    By default, the remote ID for IKE negotiation is not configured.

  9. (Optional) Run service-scheme service-scheme-name

    A server-end service scheme is configured in an Efficient VPN policy.

    By default, no server-end service scheme is configured in an Efficient VPN policy.

    If the server authorizes the remote device using an AAA service scheme, you need to specify in the Efficient VPN policy the service scheme configured on the server. In that case you also need to specify the key-id parameter in the local-id-type command; if key-id is not specified, the service-scheme configuration does not take effect. If the server performs authorization using its own service scheme without requiring the remote device to name it, this step is not required.

  10. (Optional) Run tunnel local { ip-address | applied-interface }

    A local IP address is configured.

    By default, the local IP address is not configured.

    Generally, you do not need to configure a local IP address for an IPSec policy established in IKE negotiation mode. During SA negotiation, the device selects the local IP address according to a route.
    • If the IP address of an interface bound to an IPSec policy is variable or unknown, run the tunnel local ip-address command to specify the IP address of another interface such as a loopback interface as the local IP address or run the tunnel local applied-interface command to specify an interface IP address as the local IP address.
    • If an interface bound to an IPSec policy is configured with one primary IP address and multiple secondary IP addresses, run the tunnel local ip-address command to specify one IP address as the local IP address or run the tunnel local applied-interface command to specify the primary IP address of the interface as the local IP address.
    • If the local and remote ends have equal-cost routes, run the tunnel local { ip-address | applied-interface } command to specify the local IP address so that IPSec packets can be sent out from the specified interface.

  11. (Optional) Run pfs { dh-group14 | dh-group19 | dh-group20 | dh-group21 }

    The device is configured to use Perfect Forward Secrecy (PFS) in IPSec negotiation.

    By default, PFS is not used in IPSec negotiation.

    To improve the security of communication, you can configure PFS to perform an additional DH exchange in the IKEv1 phase 2 (quick mode) or IKEv2 CREATE_CHILD_SA exchange. Because the IPSec SA keys are then derived from this fresh exchange rather than only from the IKE SA keying material, compromise of the IKE SA keys does not expose the IPSec SA keys.

  12. (Optional) Run re-authentication interval interval

    The re-authentication interval is set.

    By default, IKEv2 peers do not perform re-authentication.

    In remote access scenarios, IPSec peers periodically re-authenticate each other. This limits how long a stale or compromised IKE SA remains usable, which reduces potential attack risks and improves IPSec network security.
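The following is an added example that ties the steps above together on the remote (branch) device; it is not taken from the original page or from Huawei's own examples. It uses network mode so that the security acl step is exercised, IKEv2 with two headquarters addresses for redundancy, FQDN-based local and remote IDs, and group19 for both the IKE DH exchange and PFS. All values (ACL 3000, the 192.0.2.x server addresses, the 10.x.x.x subnets, the example.com names, and the pre-shared key) are assumptions for illustration only, and the lines starting with # are annotations, not commands.

```text
# Added example, not from the original page. All addresses, names and the key are assumed values.
system-view
# Advanced ACL (3000-3999) whose rules may only be "permit ip" (step 3)
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
quit
# FQDN used as the local ID (required for local-id-type fqdn, step 7)
ike local-name branch1.example.com
# Network mode so that the ACL is used; network-plus would not be allowed with IKEv2 (step 2)
ipsec efficient-vpn evpn-hq mode network
 security acl 3000
 # Primary and backup headquarters gateways, tried in order (step 4)
 remote-address 192.0.2.1 v2
 remote-address 192.0.2.2 v2
 # Assumed key; use a long random value in production (step 5)
 pre-shared-key cipher Huawei@123
 # 256-bit ECP group for the IKE exchange (step 6) and for PFS (step 11)
 dh group19
 local-id-type fqdn
 remote-id hq.example.com
 pfs dh-group19
 # Re-authenticate every hour (step 12)
 re-authentication interval 3600
quit
```

The policy must still be applied to the interface facing the headquarters, which is covered in a separate procedure rather than on this page. If the server uses an AAA service scheme to authorize the remote device, replace local-id-type fqdn with local-id-type key-id and add the matching service-scheme command, as described in steps 7 and 9.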

Copyright © Huawei Technologies Co., Ltd.