
tunnel local

Function

The tunnel local command specifies the local address of an IPSec tunnel.

The undo tunnel local command cancels the configuration.

By default, no local IP address is configured for the IPSec tunnel.

Format

tunnel local { ipv4-address | ipv6-address | applied-interface }

undo tunnel local

Parameters

| Parameter | Description | Value |
|---|---|---|
| ipv4-address | Specifies an IPv4 address for the local end of an IPSec tunnel. | The value is in dotted decimal notation. |
| ipv6-address | Specifies an IPv6 address for the local end of an IPSec tunnel. NOTE: The device does not support this parameter in manual IPSec policy view. | The value is in colon hexadecimal notation. |
| applied-interface | Indicates that the primary IP address of the IPSec-enabled interface is used as the local address of an IPSec tunnel. NOTE: This parameter takes effect only in the ISAKMP IPSec policy view. | - |

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to specify a start point for an IPSec tunnel.

For a manually created IPSec policy, you must run the tunnel local ipv4-address command to configure an IP address for the local end before you can create an SA. An IPSec tunnel can be established between the two ends only after correct IP addresses are configured for the local end (start point) and the remote end (end point).

For the IKE negotiation mode, you do not need to configure an IP address for the local end of an IPSec tunnel. During SA negotiation, the device will select a proper address based on route information. The local address needs to be configured in the following situations:
  • If the IP address of the interface to which an IPSec policy is applied varies or is unknown, run the tunnel local { ipv4-address | ipv6-address } command to specify the IP address of another interface (such as the loopback interface) on the device as the IP address for the local end of an IPSec tunnel. Otherwise, run the tunnel local applied-interface command to specify the IP address of the interface to which an IPSec policy is applied as the local address of an IPSec tunnel.
  • If the interface to which an IPSec policy is applied has multiple IP addresses (one primary IP address and several secondary IP addresses), run the tunnel local { ipv4-address | ipv6-address } command to specify one of these IP addresses as the IP address for the local end of an IPSec tunnel. Otherwise, run the tunnel local applied-interface command to specify the primary IP address of the interface as the local address of an IPSec tunnel.
  • If equal-cost routes exist between the local and remote ends, run the tunnel local command to specify a local IP address for an IPSec tunnel.

Precautions

  • If an IPSec policy is created manually, tunnel local on the local end must be the same as the tunnel remote on the remote end.

  • If an IPSec policy is created in IKE negotiation mode, the tunnel local on the local end must be the same as remote-address that the remote end references from the IKE peer.

  • You do not need to specify the tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local does not take effect.

  • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.

  • If both tunnel local and remote-address are configured, IP addresses of the same version must be specified.
  • In an IPSec hot standby scenario, tunnel local must be set to a virtual IP address.
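
The manual-policy rules above (a manual policy needs tunnel local ipv4-address before an SA can be created, and tunnel local on one end must match tunnel remote on the other) can be checked offline against saved configurations. The following Python script is an added example, not Huawei code; the sample configurations are constructed, and pairing policies on the two devices by identical name and sequence number is an assumption made for the illustration.

```python
import ipaddress
import re

# Constructed sample configurations for two peers (addresses are made up).
SITE_A = """
ipsec policy policy1 100 manual
 tunnel local 10.1.1.1
 tunnel remote 10.2.2.2
"""
SITE_B = """
ipsec policy policy1 100 manual
 tunnel local 10.2.2.2
 tunnel remote 10.1.1.9
ipsec policy policy2 10 manual
 tunnel local applied-interface
"""

HEADER = re.compile(r"^ipsec policy (\S+) (\d+) (manual|isakmp)\s*$")
TUNNEL = re.compile(r"^\s+tunnel (local|remote) (\S+)\s*$")

def parse_policies(config):
    """Return {(name, seq): {"mode": ..., "local": ..., "remote": ...}}."""
    policies, current = {}, None
    for line in config.splitlines():
        if m := HEADER.match(line):
            current = policies.setdefault((m[1], int(m[2])), {"mode": m[3]})
        elif current is not None and (m := TUNNEL.match(line)):
            current[m[1]] = m[2]
        elif line and not line.startswith(" "):
            current = None  # left the policy view
    return policies

def is_ipv4(value):
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:  # e.g. "applied-interface" or a typo
        return False

def audit_manual(local_cfg, remote_cfg):
    """Check the manual-policy rules; assumes both ends use the same policy name/seq."""
    findings = []
    ours, theirs = parse_policies(local_cfg), parse_policies(remote_cfg)
    for key, pol in ours.items():
        if pol["mode"] != "manual":
            continue
        local = pol.get("local")
        if local is None or not is_ipv4(local):
            findings.append(f"{key}: manual policy needs 'tunnel local <ipv4-address>', got {local!r}")
            continue
        peer = theirs.get(key)
        if peer and peer.get("remote") != local:
            findings.append(f"{key}: tunnel local {local} != peer tunnel remote {peer.get('remote')}")
    return findings
```

Calling audit_manual(SITE_A, SITE_B) reports the mismatched peer address, and audit_manual(SITE_B, SITE_A) reports the manual policy that uses applied-interface instead of an IPv4 address.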

Example

# Set the local IP address of the IPSec tunnel to 10.1.1.1 in the manual IPSec policy view.
<sysname> system-view
[sysname] ipsec policy policy1 100 manual
[sysname-ipsec-policy-manual-policy1-100] tunnel local 10.1.1.1

# Set the primary IP address of the interface to which the IPSec policy in IKE negotiation mode is applied as the local IP address of the IPSec tunnel.
<sysname> system-view
[sysname] ipsec policy policy1 100 isakmp
[sysname-ipsec-policy-isakmp-policy1-100] tunnel local applied-interface
Copyright © Huawei Technologies Co., Ltd.