Licensing Requirements and Limitations for IPSec

Involved Network Elements

Other network elements are required to support IPSec.

A Huawei switch only works as the remote end in an efficient VPN. To implement the Efficient VPN function, another device is required to work as the Efficient VPN server.

Licensing Requirements

For details about how to apply for a license, see Obtaining Licenses in the S1720, S5700, and S6700 Series Switches License Usage Guide.

Feature Support in V200R019C10

All models of S2720, S5700, and S6700 series switches support IPSec.

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

• The switch can process only the local traffic that is transmitted between itself and the remote end over an IPSec tunnel, and non-local traffic (such as traffic of the PCs connected to the switch) cannot be transmitted over an IPSec tunnel.
• Efficient VPN supports pre-shared key authentication, tunnel mode, and the ESP protocol only.
• When Efficient VPN is deployed, the device interconnected with a switch fragments and then encrypts packets before transmitting them over an IPSec tunnel.
• Packets are fragmented after being encrypted on an IPSec tunnel.
• When Efficient VPN uses IKEv1, only the aggressive mode is supported in negotiation phase 1.
• After Efficient VPN is deployed, the switch cannot encrypt packets forwarded by a switch.