The ipsec efficient-vpn command creates an IPSec Efficient VPN policy and displays the IPSec Efficient VPN policy view.
The undo ipsec efficient-vpn command deletes an IPSec Efficient VPN policy.
By default, no IPSec Efficient VPN policy is created in the system.
ipsec efficient-vpn efficient-vpn-name [ mode { client | network | network-plus } ]
undo ipsec efficient-vpn efficient-vpn-name
Parameter | Description | Value |
---|---|---|
efficient-vpn-name | Specifies the name of an Efficient VPN policy. | The value is a string of 1 to 12 case-sensitive characters without question marks (?) or spaces. |
mode | Specifies the mode of the Efficient VPN policy. | - |
client | Indicates the client mode. | - |
network | Indicates the network mode. | - |
network-plus | Indicates the network-plus mode. | - |
Usage Scenario
When many branches and traveling staff connect to the headquarters over IPSec tunnels, similar or duplicate IPSec configurations and other network resource configurations must be made on both the branch and headquarters gateways. The Efficient VPN solution centralizes IPSec configuration on the headquarters gateway and requires only simplified IPSec configuration on each branch gateway. This reduces the manual configuration workload and facilitates IPSec VPN configuration and maintenance.
The Efficient VPN policy has the following modes:
Client mode
When a remote device requests an IP address from the Efficient VPN server, a loopback interface is dynamically created on the remote device and the IP address obtained from the server is assigned to the loopback interface. The remote device uses this IP address to establish an IPSec tunnel with the headquarters.
The client mode applies to scenarios where small-scale branches connect to the headquarters network through private networks. In client mode, devices connected to the Efficient VPN server or remote devices can use the same IP address. However, the number of devices allowed depends on the number of IP addresses assigned by the Efficient VPN server.
Network mode
In network mode, a remote device does not apply to the Efficient VPN server for an IP address. Instead, the remote device uses the original IP address to establish an IPSec tunnel with the headquarters.
The network mode applies to scenarios where IP addresses of the headquarters and branches are planned uniformly. Ensure that IP addresses do not conflict.
Network-plus mode
Unlike in network mode, in network-plus mode the remote device applies to the Efficient VPN server for an IP address. IP addresses of branches and headquarters are configured beforehand. The Efficient VPN server uses the IP address obtained by the remote device to perform ping, Telnet, or other management and maintenance operations on the remote device.
Follow-up Procedure
Configure negotiation parameters of Efficient VPN in the Efficient VPN policy view, and use the ipsec efficient-vpn (interface view) command to bind the Efficient VPN policy to an interface.
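The following check is an added example, not part of the original command reference or of the vendor's tooling. It audits a candidate configuration against the syntax and name rule above and against the follow-up step of binding each policy to an interface. The saved-configuration layout (one-space indentation inside an interface block), the interface-view form `ipsec efficient-vpn <name>`, and the finding labels are assumptions.

```python
import re

# Syntax from this page: ipsec efficient-vpn <name> [ mode { client | network | network-plus } ]
CMD = re.compile(r"^ipsec efficient-vpn (\S+)(?: mode (\S+))?$")
MODES = {"client", "network", "network-plus"}

def valid_name(name):  # page rule: 1 to 12 characters, no '?' and no spaces
    return 1 <= len(name) <= 12 and "?" not in name and " " not in name

def audit(config_text):
    """Return (policies, findings); findings are (kind, subject) tuples."""
    policies, bindings, findings, interface = {}, [], [], None
    for raw in config_text.splitlines():
        indented, line = raw.startswith(" "), raw.strip()
        if not indented:  # a top-level line closes any open interface block
            interface = line[10:] if line.startswith("interface ") else None
        m = CMD.match(line)
        if not m:
            continue
        name, mode = m.groups()
        if indented and interface:  # assumed layout: binding in interface view
            bindings.append((interface, name))
        elif not indented:  # policy definition in the system view
            policies[name] = mode  # None when the mode keyword is omitted
            if not valid_name(name):
                findings.append(("invalid-name", name))
            if mode is not None and mode not in MODES:
                findings.append(("invalid-mode", name))
    bound = {name for _, name in bindings}  # names are case-sensitive: exact match
    findings += [("unbound-policy", n) for n in policies if n not in bound]
    findings += [("undefined-policy", f"{i} -> {n}")
                 for i, n in bindings if n not in policies]
    return policies, findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
ipsec efficient-vpn branch1 mode client
ipsec efficient-vpn hq-mgmt mode network-plus
ipsec efficient-vpn averyveryLongName mode network
#
interface GigabitEthernet0/0/1
 ipsec efficient-vpn Branch1
#
interface GigabitEthernet0/0/2
 ipsec efficient-vpn hq-mgmt
"""

if __name__ == "__main__":
    print(*audit(SAMPLE)[1], sep="\n")
```

In the sample, `Branch1` on the interface does not match the defined policy `branch1` because names are case-sensitive, so the audit reports both an unbound policy and an undefined binding.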