
Configuring Branches

This section describes how to configure the device when it functions as a Spoke on the DSVPN network.

Background

Figure 1 shows the typical DSVPN networking. In the figure, the mGRE tunnel interfaces, tunnel IP addresses, tunnel types, and tunnel-interface relationships are for reference only. Detailed configurations at your site may vary.
Figure 1 Typical DSVPN networking

Procedure

  1. Choose Network > DSVPN > DSVPN.
  2. Click Add in DSVPN List.
  3. Select Branch in Deployed At.
  4. Set basic information about branches (Spokes).

    Parameter Description

    Policy Name

    Name of the mGRE tunnel interface on the Spoke. mGRE tunnel interfaces on the same Spoke must have different names.

    Zone

    Security zone of the mGRE tunnel interface.

    Private IP Address

    IP address of the mGRE tunnel interface on the Spoke. 10.1.1.1/24 and 10.1.1.2/24 in Figure 1 are example values.

    NOTE:
    The link to [Add Security Policy] is provided on the web UI. Click it to open the Add Security Policy page and quickly create a security policy that permits the configured data flows. The Add Security Policy page also supports Switch Source and Destination and OK and Copy for configuring security policies for forward and return traffic. For details, see Switching the Source and Destination.

    Public Address Configuration

    • Interface: Select a WAN interface of the Spoke; its IP address is used as the public IP address of the tunnel-encapsulated packets.
    • IP address: Specify the public IP address of the tunnel-encapsulated packets directly.

    Public Interface

    Number of the WAN interface on the Spoke.

    This parameter is available when Public Address Configuration is set to Interface.

    Public IP Address

    IP address of the WAN interface on the Spoke, for example, 1.1.1.1 and 2.2.2.2 in Figure 1.

    This parameter is available when Public Address Configuration is set to IP Address.

    Authentication Algorithm

    • None: No authentication string is used; any device that can reach the Hub may attempt to register.
    • plain: Transmits the authentication string in plain text, so anyone who can observe the registration traffic learns the key.
    • MD5: The authentication string is hashed with MD5 before transmission instead of being sent in plain text.
    • SHA1: The authentication string is hashed with SHA1 before transmission.
    • SHA-256: The authentication string is hashed with SHA-256 before transmission.
    • SHA-384: The authentication string is hashed with SHA-384 before transmission.
    • SHA-512: The authentication string is hashed with SHA-512 before transmission.

    None and plain give no real protection, and MD5 and SHA1 are considered weak. Select SHA-256 or stronger when both ends support it.

    Authentication Key

    Character string the Hub uses to authenticate a Spoke.

    When a Spoke registers with the Hub, the Hub uses the authentication key to authenticate the Spoke. To ensure that the Spoke can be authenticated by the Hub, set the same authentication key on the Spoke and Hub.

  5. Set headquarters (Hub) information. Branches need to register with the headquarters and establish static mGRE tunnels with the headquarters.

    Parameter Description

    Private IP Address

    IP address of the mGRE tunnel interface on the Hub. 10.1.1.3 in Figure 1 is an example value.

    In the active/standby Hub backup scenario, the Spokes need to register with multiple Hubs. Click to configure multiple Hubs.

    Public IP Address

    IP address of the WAN interface on the Hub. 3.3.3.3 in Figure 1 is an example value.

    NOTE:
    The link to [Add Security Policy] is provided on the web UI. Click it to open the Add Security Policy page and quickly create a security policy that permits the configured data flows. The Add Security Policy page also supports Switch Source and Destination and OK and Copy for configuring security policies for forward and return traffic. For details, see Switching the Source and Destination.

  6. Configure routing information for Spokes.

    DSVPN advertises branch routes to the headquarters in the following modes.

    • Advertising branch routes through OSPF

      Parameter Description

      Route Advertisement Mode

      Select OSPF.

      Network Address

      Subnet IP addresses to be added to the OSPF domain.

      A Spoke must advertise its private subnet to the Hub and to the other Spokes, so enter the private subnet of the branch here. For example, in Figure 1, when you configure Spoke1, enter 192.168.1.0/24.

      Route Learning Method

      The DSVPN network supports two route learning schemes:
      • Route Learning from Each Other

        If this scheme is used, Spokes establish dynamic mGRE tunnels in Non-Shortcut mode.

      • Route Aggregation to the Headquarters

        If this scheme is used, Spokes establish dynamic mGRE tunnels in Shortcut mode.

      If a network has a small number of Spokes and each Spoke needs to store only a few routes, you can select Route Learning from Each Other. If the network scale is large and has a large number of Spokes, select Route Aggregation to the Headquarters.
      NOTE:
      On a DSVPN network, all Spokes and Hubs must use the same route learning scheme. Otherwise, tunnels cannot be established.
    • Advertising branch routes using reverse route injection: the branch sends its private network addresses to the headquarters in NHRP messages. The headquarters extracts the branch private network address from the NHRP message and adds a static route to that subnet, with the private network address as the destination and the tunnel IP address of the branch as the next hop.

      Parameter Description

      Route Advertisement Mode

      Select HQ learning reverse routes from branches.
      NOTE:
      Select HQ learning reverse routes from branches for Route Advertisement Mode of the branch and the headquarters. Otherwise, the headquarters cannot learn the private routes of the branch.

      Network Address

      Enter the private subnet of the branch. For example, in Figure 1, when you configure Spoke1, you need to enter 192.168.1.0/24 here.

      Destination Network Address

      Enter the private subnets of the headquarters and other branches. For example, in Figure 1, when you configure Spoke1, you need to enter 192.168.2.0/24 and 192.168.3.0/24 here.

  7. Optional: Configure IPSec.

    mGRE tunnels provide neither encryption nor integrity protection, so on their own they cannot secure the traffic they carry. To protect the data transmitted between the headquarters and branches or between branches, deploy IPSec on the DSVPN.

    1. Enable IPSec and set IPSec authentication parameters.

      Parameter Description

      IPSec

      Enable IPSec.

      Authentication Type

      The two ends of an IPSec tunnel need to authenticate each other. On a DSVPN network, IPSec supports authentication using a pre-shared key or a certificate.

      Pre-Shared Key

      If Authentication Type is set to Pre-Shared Key, you need to set this parameter. Enter the pre-agreed key.

      Certificate

      If Authentication Type is set to Certificate, you need to set this parameter. Select the public key certificate of the local end. Some information in the certificate is sent to the peer end to authenticate the local end during tunnel establishment. The local end also requests the certificate of the peer.

      For details on how to upload a certificate, see Local Certificate.

    2. Complete advanced IPSec configuration.

      IPSec has some default advanced settings. You can use the default settings or change them as required.

      1. Set IKE proposal negotiation parameters.

        Parameter Description

        IKE Version

        Select v1 or v2 to specify the protocol version for IKE negotiation with the peer end. The protocol versions on the two ends must be the same.

        If you select both v1 and v2, the tunnel end can process IKEv1 and IKEv2 requests, but only IKEv2 can be used to initiate requests.

        Negotiation Mode

        Select an IKE negotiation mode.

        • Automatic: Both the main mode and aggressive mode can be used to respond to negotiation requests, but only the main mode can be used to initiate negotiation requests.
        • Main: Only the main mode is allowed. This mode is more secure than the aggressive mode because the identities are exchanged only after the channel is encrypted.
        • Aggressive: Only the aggressive mode is allowed. This mode completes in fewer messages but sends the identities in clear text and, with pre-shared keys, exposes a hash that can be attacked offline. Use it only where main mode cannot be used.

        Encryption

        Select an encryption algorithm.

        Authentication

        Select an authentication algorithm.

        Integrity Hash

        If IKE Version is set to v2, you need to set this parameter.

        Select an integrity verification algorithm.

        PRF

        If IKE Version is set to v2, you need to set this parameter.

        Select the PRF authentication algorithm.

        DH Group

        Select a key exchange method.

        SA Timeout

        Set the IKE SA lifetime. When the lifetime is about to expire, the FW negotiates a new SA. The new SA will immediately replace the old SA once it is established.

      2. Set IPSec proposal negotiation parameters.

        Parameter Description

        Encapsulation Mode

        Select an IPSec encapsulation mode.

        • Automatic: Both the transport mode and tunnel mode can be used to respond to negotiation requests, but only the tunnel mode can be used to initiate negotiation requests.
        • Tunnel: It is usually used in establishing tunnels between the VPN gateways.
        • Transport: It is used in establishing tunnels between mobile devices and the VPN gateway.

        Security Protocol

        Select an IPSec protocol.

        • AH: authenticates an entire packet but does not encrypt it.
        • ESP: authenticates and encrypts the payload of a packet.
        • AH-ESP: authenticates and encrypts an entire packet.

        ESP Encryption

        If Security Protocol is set to ESP or AH-ESP, you need to set this parameter.

        Select an encryption algorithm.

        ESP Authentication

        If Security Protocol is set to ESP or AH-ESP, you need to set this parameter.

        Select an authentication algorithm.

        AH Authentication

        If Security Protocol is set to AH or AH-ESP, you need to set this parameter.

        Select an authentication algorithm.

        PFS

        Select a key exchange method.

        Groups with a larger modulus or curve size are stronger. If you select NONE, no additional key exchange is performed for the IPSec SA, so its keys are derived from the IKE SA keying material and a later compromise of the IKE SA exposes them.

        SA Timeout

        IPSec tunnels will be renegotiated when the renegotiation interval or traffic volume reaches the threshold.

        Enter a value in Based on Time to specify the renegotiation interval. Enter a traffic threshold in Based on Traffic. After an IPSec tunnel is established, the IPSec SA will start renegotiation if one of the preceding conditions is met. Renegotiation does not interrupt the existing tunnel.

      3. Configure dead peer detection (DPD).

        Parameter Description

        Detection Mode

        After DPD is enabled, the device automatically sends DPD packets to check whether the remote end is alive to ensure timely removal of invalid tunnels.

        Two detection modes are available:

        • Periodic: The device sends a DPD packet whenever it has received no IPSec traffic from the remote end within the Detection Interval.
        • On-Demand: The device sends a DPD packet only when it has received no IPSec traffic from the remote end within the Detection Interval and it has traffic to send to the remote end.

        If a tunnel uses IKEv1, DPD must be either enabled or disabled on both ends of the tunnel. If the device receives no reply from the remote end within the Detection Interval after sending a DPD packet, it counts one failure. After five consecutive failures, the device regards the remote end as dead and removes the tunnel to it.

        If a tunnel uses IKEv2, DPD can be enabled on either end of the tunnel. The DPD packets are not sent at the Detection Interval; the gap doubles each time (after DPD packet 1, packet 2 follows after 1 second, packet 3 after 2 seconds, packet 4 after 4 seconds, packet 5 after 8 seconds, and so on, until packet 8 is sent 64 seconds after packet 7). If the device still receives no reply in the 128 seconds after sending packet 8, it removes the tunnel. From the first DPD packet to removal this takes 255 seconds, just over four minutes.

        Detection Interval

        Enter a value in Detection Interval. The unit is seconds.

        Retry Interval

        Enter a value in Retry Interval. The unit is seconds. The setting takes effect only for IKEv1.

  8. Click OK.
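As an added illustration of the Authentication Algorithm and Authentication Key parameters in Step 4 (constructed example code, not Huawei's NHRP implementation or wire format), the following Python models a Spoke building a registration record and the Hub verifying it. The record layout, the field names and the use of an HMAC over the record are assumptions made here; the point shown is the difference between the options: with None the Hub accepts any registration, with plain the shared key itself crosses the public network and a modified record still passes, and with a hashed option the Hub can check the Spoke while the key stays off the wire and a wrong key or a modified record is rejected.

```python
import hmac

# Page's algorithm names mapped to hashlib digest names (assumed mapping).
ALGORITHMS = {
    "None": "none",
    "plain": "plain",
    "MD5": "md5",
    "SHA1": "sha1",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
}


def build_registration(tunnel_ip, public_ip, algorithm, key):
    """Spoke side: registration record plus its authentication field.

    Constructed record format (not NHRP): the Spoke's tunnel address and its
    public (NBMA) address, as registered with the Hub.
    """
    digest = ALGORITHMS[algorithm]
    body = f"REGISTER tunnel={tunnel_ip} nbma={public_ip}".encode()
    if digest == "none":
        auth = b""                      # nothing for the Hub to verify
    elif digest == "plain":
        auth = key                      # the shared key itself travels on the wire
    else:
        auth = hmac.new(key, body, digest).digest()  # keyed hash over the record
    return body, auth


def hub_verify(body, auth, algorithm, key):
    """Hub side: accept the registration only if the authentication field checks out."""
    digest = ALGORITHMS[algorithm]
    if digest == "none":
        return True                     # no check at all: every registration passes
    if digest == "plain":
        return hmac.compare_digest(auth, key)
    expected = hmac.new(key, body, digest).digest()
    return hmac.compare_digest(auth, expected)


def key_on_wire(body, auth, key):
    """Would a passive observer of this registration learn the shared key?"""
    return key in body or key in auth


def demo():
    """Run the three cases for Spoke1 from Figure 1 (10.1.1.1 / 1.1.1.1)."""
    key, wrong_key = b"branch-hub-secret", b"guess"
    results = {}
    for algorithm in ("None", "plain", "SHA-256"):
        body, auth = build_registration("10.1.1.1", "1.1.1.1", algorithm, key)
        # An on-path attacker rewrites the public address in the record.
        tampered = body.replace(b"nbma=1.1.1.1", b"nbma=198.51.100.9")
        results[algorithm] = {
            "accepted": hub_verify(body, auth, algorithm, key),
            "wrong_key_accepted": hub_verify(body, auth, algorithm, wrong_key),
            "tampered_accepted": hub_verify(tampered, auth, algorithm, key),
            "key_on_wire": key_on_wire(body, auth, key),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The same key must be configured on the Hub and every Spoke, as Step 4 says; the model shows that a Spoke with a different key is rejected only for the hashed options and for plain, never for None.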
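As an added illustration of the reverse route injection mode in Step 6 (constructed example, not Huawei's implementation), the following Python models what the headquarters does with the Network Address a branch sends: it installs a static route for each branch subnet with the branch's tunnel IP address as the next hop. The registration is modelled as a dictionary, the headquarters LAN 192.168.3.0/24 is taken from Figure 1, and the checks (the tunnel IP must lie on the mGRE subnet, no overlap with headquarters subnets, no two branches claiming the same prefix, stale prefixes withdrawn on re-registration) are assumptions added here to show where a misconfigured or hostile branch could otherwise poison the headquarters routing table.

```python
import ipaddress


class HubRouteTable:
    """Routes the headquarters injects from branch registrations (constructed model)."""

    def __init__(self, tunnel_subnet, hq_subnets):
        self.tunnel_subnet = ipaddress.ip_network(tunnel_subnet)
        self.hq_subnets = [ipaddress.ip_network(n) for n in hq_subnets]
        self.routes = {}      # branch prefix -> next hop (branch tunnel IP)
        self.by_branch = {}   # branch tunnel IP -> set of prefixes it registered

    def register(self, registration):
        """Process one registration: {"tunnel_ip": ..., "networks": [...]}."""
        next_hop = ipaddress.ip_address(registration["tunnel_ip"])
        if next_hop not in self.tunnel_subnet:
            raise ValueError(f"{next_hop} is not on the mGRE subnet {self.tunnel_subnet}")
        prefixes = set()
        for net in registration["networks"]:
            prefix = ipaddress.ip_network(net, strict=True)
            if any(prefix.overlaps(hq) for hq in self.hq_subnets):
                raise ValueError(f"{prefix} overlaps a headquarters subnet")
            owner = self.routes.get(prefix)
            if owner is not None and owner != next_hop:
                raise ValueError(f"{prefix} is already registered by {owner}")
            prefixes.add(prefix)
        # Re-registration: withdraw prefixes the branch no longer advertises.
        for stale in self.by_branch.get(next_hop, set()) - prefixes:
            del self.routes[stale]
        for prefix in prefixes:
            self.routes[prefix] = next_hop
        self.by_branch[next_hop] = prefixes
        return sorted(str(p) for p in prefixes)

    def next_hop(self, destination):
        """Longest-prefix match over the injected routes; None if no branch owns it."""
        addr = ipaddress.ip_address(destination)
        candidates = [p for p in self.routes if addr in p]
        if not candidates:
            return None
        return str(self.routes[max(candidates, key=lambda p: p.prefixlen)])

    def static_routes(self):
        """Installed routes as 'prefix via next-hop' strings, sorted."""
        return sorted(f"{p} via {nh}" for p, nh in self.routes.items())


def figure1_hub():
    """Hub from Figure 1 after both Spokes register (constructed data)."""
    hub = HubRouteTable("10.1.1.0/24", ["192.168.3.0/24"])
    hub.register({"tunnel_ip": "10.1.1.1", "networks": ["192.168.1.0/24"]})
    hub.register({"tunnel_ip": "10.1.1.2", "networks": ["192.168.2.0/24"]})
    return hub


if __name__ == "__main__":
    hub = figure1_hub()
    print("\n".join(hub.static_routes()))
    print("192.168.2.77 ->", hub.next_hop("192.168.2.77"))
```

Because the headquarters installs whatever subnet a registered branch announces, the NHRP authentication from Step 4 is what keeps an unauthenticated device from injecting routes; the overlap and ownership checks above only limit the damage an authenticated but misconfigured branch can do.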
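As an added worked example for the DPD behaviour described in Step 7.c (constructed model, not Huawei's code), the functions below compute when probes are sent and when the tunnel is removed for a peer that never answers. For IKEv1 the model assumes one probe per Retry Interval and removal after the fifth unanswered probe; for IKEv2 it applies the doubling intervals the page lists and the final 128-second wait. Running it shows that the IKEv2 sequence reaches removal 255 seconds after the first probe.

```python
def ikev2_dpd_schedule(max_probes=8, first_gap=1, final_wait=128):
    """Probe send offsets (seconds from the first probe) and the removal offset.

    The gap doubles after every probe: 1, 2, 4, ... so probe 8 goes out 64 s
    after probe 7, and the tunnel is removed final_wait seconds after probe 8
    if nothing has been heard from the peer.
    """
    offsets, t, gap = [], 0, first_gap
    for _ in range(max_probes):
        offsets.append(t)
        t += gap
        gap *= 2
    return offsets, offsets[-1] + final_wait


def ikev1_dpd_schedule(retry_interval, max_failures=5):
    """Fixed-interval probes; each unanswered probe is one failure (assumed model)."""
    offsets = [i * retry_interval for i in range(max_failures)]
    return offsets, offsets[-1] + retry_interval


def outcome(schedule, peer_traffic_times):
    """Decide what happens to a tunnel given when the peer was heard from.

    peer_traffic_times: offsets at which any packet from the peer arrives.
    Returns ("alive", probes_sent_before_reply) or ("removed", removal_offset).
    Traffic arriving after removal cannot save the tunnel.
    """
    probes, removal = schedule
    for t in sorted(peer_traffic_times):
        if 0 <= t < removal:
            return ("alive", sum(1 for p in probes if p <= t))
    return ("removed", removal)


if __name__ == "__main__":
    probes, removal = ikev2_dpd_schedule()
    print("IKEv2 probes at", probes, "removal at", removal, "s")
    print("IKEv1 (retry 10 s):", ikev1_dpd_schedule(10))
    print("peer answers at 20 s:", outcome(ikev2_dpd_schedule(), [20]))
    print("peer silent:", outcome(ikev2_dpd_schedule(), []))
```

The IKEv1 figure depends directly on the Retry Interval you enter, so a short interval detects a dead Hub quickly but also tears the tunnel down sooner during a transient outage; the IKEv2 timeline is fixed by the protocol's back-off and is not affected by the Detection Interval.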
Copyright © Huawei Technologies Co., Ltd.