
(Optional) Configuring Network Resource Delivery

Context

When multiple branches connect to the headquarters, you can configure network resources, including an IP address, DNS server IP address, and NBNS server address, on the headquarters gateway. When branch gateways initiate IKEv2 negotiation and establish an IPSec tunnel with the headquarters gateway, the headquarters gateway can push these network resources to the branch gateways using IKEv2, simplifying the configuration and maintenance of IPSec and network resources on the branch gateways.

The headquarters gateway can push network resources using the following modes:
  • Service scheme

    In a service scheme, the network resources including the IP address, domain name, and DNS server address can be defined on the headquarters gateway. Then the headquarters gateway pushes the network resources to branch gateways.

  • IKE user table

    For IKE users in an IKE user table, the IP address and DNS server address can be configured on the headquarters gateway. Then the headquarters gateway pushes the network resources to branch gateways.

When the headquarters gateway uses an IPSec policy created from an IPSec policy template, an IKE user table allows different network resources to be delivered to different branches. The IKE user table mode takes precedence over the service scheme mode.

The following network resource delivery modes are listed in descending order of priority: IKE user table, RADIUS server authorization, and service scheme.

When a branch applies for an IP address and obtains some other network resources, such as a DNS server address and NBNS server address, it does not apply for the remaining network resources using other modes. If the RADIUS server authorization mode is used, and the RADIUS server does not allocate an IP address to the branch, the branch applies for an IP address from the IP pool of the headquarters. If the branch still does not obtain an IP address, it applies for an IP address from the service scheme of the headquarters.

If a branch applies for only other network resources (excluding an IP address) and obtains some of these resources, the branch does not apply for the remaining network resources using other modes. If the RADIUS server authorization mode is used, the branch applies for the remaining network resources from the service scheme of the headquarters. If the branch does not obtain the remaining network resources, it applies for these resources from the IP pool of the headquarters.

IPSec IPv6 does not support network resource delivery.

Procedure

  • Create a service scheme.

    1. Run system-view

      The system view is displayed.

    2. Run ike peer peer-name

      An IKE peer is created and the IKE peer view is displayed.

    3. Run service-scheme service-scheme-name

      A service scheme is bound to the IKE peer.

      By default, no service scheme is bound to an IKE peer.

      service-scheme-name specifies a service scheme that has been created using the service-scheme (AAA view) command.

  • Create an IKE user table.

    1. Run system-view

      The system view is displayed.

    2. Run ike user-table user-table-id

      An IKE user table is created and its view is displayed, or the view of an existing IKE user table is displayed directly.

    3. Run user user-name

      An IKE user is created and its view is displayed, or the view of an existing IKE user is displayed directly.

    4. Configure network resources to be pushed.

      • Run the ip-alloc ipv4-address mask ip-mask command to configure an IP address allocated to an IKE user.

        By default, the IP address allocated to an IKE user is not configured.

      • Run the dns ipv4-address1 [ ipv4-address2 ] command to configure a DNS server address allocated to an IKE user.

        By default, the DNS server address allocated to an IKE user is not configured.

    5. Run quit

      Return to the IKE user table view.

    6. Run quit

      Return to the system view.

    7. Run ike peer peer-name

      The IKE peer view is displayed.

    8. Run user-table user-table-id

      The IKE user table is referenced in the IKE peer.
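The two procedures above combined into one worked configuration on the headquarters gateway, as an added example that is not part of the original page. The user table ID, user names, IKE peer name, service scheme name and all addresses are constructed assumptions; the service scheme hq-scheme is assumed to have already been created with the service-scheme command in the AAA view, and the lines starting with # are annotations, not commands.

```text
# Added example: IDs, names and addresses are constructed assumptions.
system-view
 ike user-table 1
  # Each branch is an IKE user with its own IP address and DNS servers.
  user branch1
   ip-alloc 10.10.1.1 mask 255.255.255.255
   dns 10.10.0.53 10.10.0.54
   quit
  user branch2
   ip-alloc 10.10.1.2 mask 255.255.255.255
   dns 10.10.0.53
   quit
  quit
 ike peer hq
  # The user table takes precedence over the service scheme.
  user-table 1
  # Branches not listed in the table fall back to the service scheme.
  service-scheme hq-scheme
  quit
```

With both bindings on the same IKE peer, branch1 and branch2 receive the per-user addresses from the table, while any other branch that negotiates with peer hq is served from hq-scheme.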

Copyright © Huawei Technologies Co., Ltd.