
Configuring an IPSec Tunnel Interface

Context

A virtual tunnel interface is a Layer 3 logical interface. The device provides IPSec protection for logical Generic Routing Encapsulation (GRE) or IPSec tunnel interfaces. An IPSec tunnel interface is created based on IKE negotiation: you configure the tunnel interface and apply an IPSec profile to it to establish an IPSec tunnel. After an IPSec profile is applied to the tunnel interface, only one IPSec tunnel is negotiated, and it protects all data flows passing through the tunnel interface.

The IP address of an IPSec tunnel interface can be manually configured or dynamically requested through IKEv2 negotiation. Dynamically requesting an IP address of the IPSec tunnel interface through IKEv2 negotiation reduces the configuration and maintenance workload of branch devices when many branches connect to the headquarters.

When multiple branches connect to the headquarters, multiple tunnel interfaces at the headquarters borrow the same physical interface IP address. In this scenario, the headquarters identifies the tunnel interface connected to a branch through the peer IP address or the peer ID of the IKE peer (identification by peer ID is supported only by IKEv1 in aggressive mode). If you run the destination command on a tunnel interface of the headquarters to specify the IP address of a branch interface, the headquarters preferentially uses this IP address to identify the accessing branch.

When multiple branches are connected to the headquarters, if some tunnel interfaces at the headquarters borrow an IP address from a physical interface while others use that physical interface's IP address directly as their source address, the mappings between IKE peers and tunnel interfaces may be incorrect. As a result, an IPSec tunnel fails to be established.
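The identification rule described above, written out as a small configuration check. This is an added example and not code from the original page or from the vendor: it models only the stated rule (a configured destination, i.e. the peer IP, is preferred; the peer ID can be used only with IKEv1 in aggressive mode) and flags tunnel interfaces that share a source and cannot be told apart. Interface names, addresses and IKE settings are constructed for illustration, and the layout of the records is an assumption, not the device's data model.

```python
# Added example (not from the original page): a model of how a headquarters
# device tells tunnel interfaces apart, used to lint a planned layout.
# All names, addresses and IKE settings below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TunnelIf:
    name: str                          # e.g. "Tunnel0/0/1" (assumed naming)
    source: str                        # physical interface whose address is borrowed
    destination: Optional[str] = None  # peer IP set with the destination command, if any
    ike_version: str = "v2"            # "v1" or "v2"
    ike_mode: str = "main"             # "main" or "aggressive"; meaningful for IKEv1 only
    remote_id: Optional[str] = None    # peer ID configured on the referenced IKE peer


def peer_key(t: TunnelIf) -> Optional[str]:
    """Key the headquarters can use to recognise the branch behind this tunnel interface.

    A configured destination (peer IP) is preferred. Otherwise the peer ID can be
    used, but only when the IKE peer runs IKEv1 in aggressive mode. Anything else
    leaves the interface indistinguishable from its neighbours on the same source.
    """
    if t.destination:
        return "ip:" + t.destination
    if t.remote_id and t.ike_version == "v1" and t.ike_mode == "aggressive":
        return "id:" + t.remote_id
    return None


def find_ambiguous(tunnels: List[TunnelIf]) -> Dict[str, List[str]]:
    """Return {source: [tunnel names]} for every source whose tunnel interfaces
    cannot all be told apart. Such a layout risks a wrong IKE-peer-to-tunnel
    mapping and therefore a failed IPSec tunnel."""
    by_source: Dict[str, List[TunnelIf]] = {}
    for t in tunnels:
        by_source.setdefault(t.source, []).append(t)

    problems: Dict[str, List[str]] = {}
    for source, group in by_source.items():
        if len(group) < 2:
            continue  # a single tunnel interface on a source is always unambiguous
        seen: Dict[str, List[str]] = {}
        for t in group:
            seen.setdefault(peer_key(t) or "<none>", []).append(t.name)
        clashing = sorted(n for names in seen.values() if len(names) > 1 for n in names)
        if clashing:
            problems[source] = clashing
    return problems


# Constructed headquarters layout: four branches share GigabitEthernet0/0/1.
HQ_TUNNELS = [
    TunnelIf("Tunnel0/0/1", "GigabitEthernet0/0/1", destination="203.0.113.10"),
    TunnelIf("Tunnel0/0/2", "GigabitEthernet0/0/1", destination="203.0.113.20"),
    # Two branches with dynamic addresses: no destination, and with IKEv2 the
    # peer ID cannot be used for identification, so these two cannot be separated.
    TunnelIf("Tunnel0/0/3", "GigabitEthernet0/0/1", ike_version="v2", remote_id="branch3"),
    TunnelIf("Tunnel0/0/4", "GigabitEthernet0/0/1", ike_version="v2", remote_id="branch4"),
]


def fixed_layout() -> List[TunnelIf]:
    """Same layout with the two dynamic branches moved to IKEv1 aggressive mode,
    which lets the headquarters identify them by peer ID."""
    fixed = []
    for t in HQ_TUNNELS:
        if t.destination is None:
            t = TunnelIf(t.name, t.source, None, "v1", "aggressive", t.remote_id)
        fixed.append(t)
    return fixed


if __name__ == "__main__":
    print(find_ambiguous(HQ_TUNNELS))      # {'GigabitEthernet0/0/1': ['Tunnel0/0/3', 'Tunnel0/0/4']}
    print(find_ambiguous(fixed_layout()))  # {}
```

The check groups tunnel interfaces by the physical interface they borrow from, since that is the situation in which the device needs some other attribute to separate them. Two interfaces that both lack a destination and cannot use a peer ID, or that carry the same destination, are reported together.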

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface tunnel interface-number

    The tunnel interface view is displayed.

  3. Run tunnel-protocol { gre [ p2mp ] | ipsec }

    The encapsulation mode of a tunnel interface is configured.

    An IPSec profile can be bound to an IPSec tunnel interface only when the tunnel encapsulation mode is set to IPSec or GRE:
    • IPSec: An IPSec tunnel established on an IPSec tunnel interface ensures security of unicast data transmitted on the Internet.
    • GRE: The IPSec tunnel interface provides the GRE over IPSec function and transmits unicast and multicast data. The IPSec tunnel interface first adds a GRE header to packets, and then adds an IPSec header, so that the GRE-encapsulated packets are protected by IPSec in transit.
    • mGRE (specified by gre and p2mp): The IPSec tunnel interface provides Dynamic Smart Virtual Private Network (DSVPN) functions. For details, see Configuring DSVPN-CLI.

  4. Run ip address ip-address { mask | mask-length } [ sub ]

    A private IPv4 address is configured.

  5. Run source { [ vpn-instance vpn-instance-name ] source-ip-address | interface-type interface-number }

    The source address or source interface is configured.

    You can specify the vpn-instance vpn-instance-name parameter only when the encapsulation mode of the tunnel interface is set to IPSec.

    If the source address of a tunnel interface is an IP address dynamically obtained by another interface, you are advised to specify the source interface rather than the address, so that a change of the dynamic IP address does not invalidate the IPSec configuration.

    The source interface of a tunnel interface must be a Layer 3 interface.

  6. (Optional) Run destination [ vpn-instance vpn-instance-name ] dest-ip-address

    The destination address is configured.

    When the destination address of an IPSec tunnel interface is not configured, the remote address of the IKE peer referenced by the IPSec profile can be used to initiate negotiation. When neither the destination address of the IPSec tunnel interface nor the remote address of the IKE peer is configured, the local end can only accept negotiation requests initiated by the remote end.

    If the encapsulation mode of the tunnel interface is set to IPSec, the destination address needs to be configured at only one end; the other end can accept the negotiation initiated by that end. If the encapsulation mode is set to GRE, you need to configure destination addresses at both ends.

  7. Run ipsec profile profile-name [ alone | master | slave ]

    An IPSec profile is applied to the tunnel interface.

    By default, no IPSec profile is applied to a tunnel interface.

    Only one IPSec profile can be applied to a tunnel interface, and an IPSec profile can be applied to only one tunnel interface.

    If a tunnel interface in the root system is bound to a virtual system, the IPSec profile in the root system cannot be applied to this tunnel interface.
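The procedure above carried out on both ends, as an added example that is not part of the original page. Interface names, addresses, and profile names are assumed; the IPSec profiles hq-profile and branch-profile (each referencing an IKE peer) are assumed to exist already, since creating them is covered elsewhere. The headquarters end leaves the destination unset and accepts the branch's negotiation, which is the one-ended destination configuration that IPSec encapsulation permits; the GRE variant at the end shows the destination configured at both ends, as that mode requires.

```text
# Headquarters (assumed: Tunnel0/0/1 borrows GigabitEthernet0/0/1, public address 203.0.113.1)
<HQ> system-view
[HQ] interface Tunnel0/0/1
[HQ-Tunnel0/0/1] tunnel-protocol ipsec
[HQ-Tunnel0/0/1] ip address 10.0.0.1 255.255.255.0
[HQ-Tunnel0/0/1] source GigabitEthernet0/0/1
[HQ-Tunnel0/0/1] ipsec profile hq-profile
[HQ-Tunnel0/0/1] quit

# Branch (assumed: Tunnel0/0/1 borrows GigabitEthernet0/0/1; destination is the HQ public address)
<Branch> system-view
[Branch] interface Tunnel0/0/1
[Branch-Tunnel0/0/1] tunnel-protocol ipsec
[Branch-Tunnel0/0/1] ip address 10.0.0.2 255.255.255.0
[Branch-Tunnel0/0/1] source GigabitEthernet0/0/1
[Branch-Tunnel0/0/1] destination 203.0.113.1
[Branch-Tunnel0/0/1] ipsec profile branch-profile
[Branch-Tunnel0/0/1] quit

# GRE over IPSec variant (assumed branch public address 198.51.100.2): the
# destination must be configured at both ends, not only at the branch.
[HQ] interface Tunnel0/0/2
[HQ-Tunnel0/0/2] tunnel-protocol gre
[HQ-Tunnel0/0/2] ip address 10.0.1.1 255.255.255.0
[HQ-Tunnel0/0/2] source GigabitEthernet0/0/1
[HQ-Tunnel0/0/2] destination 198.51.100.2
[HQ-Tunnel0/0/2] ipsec profile hq-gre-profile
[HQ-Tunnel0/0/2] quit

[Branch] interface Tunnel0/0/2
[Branch-Tunnel0/0/2] tunnel-protocol gre
[Branch-Tunnel0/0/2] ip address 10.0.1.2 255.255.255.0
[Branch-Tunnel0/0/2] source GigabitEthernet0/0/1
[Branch-Tunnel0/0/2] destination 203.0.113.1
[Branch-Tunnel0/0/2] ipsec profile branch-gre-profile
[Branch-Tunnel0/0/2] quit
```

Specifying the source as an interface rather than as a literal address, as both ends do here, is the recommended form when that interface's address is obtained dynamically. Because each IPSec profile can be bound to only one tunnel interface, the GRE variant uses separate profiles (hq-gre-profile and branch-gre-profile, also assumed to exist) rather than reusing the ones already applied to Tunnel0/0/1.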

Follow-up Procedure

Modifying the source or destination parameter on a tunnel interface will clear the IPSec profile applied to the tunnel interface. You need to apply the IPSec profile to the tunnel interface again.

Copyright © Huawei Technologies Co., Ltd.