09 Command Manual VPN

Command Manual – VPNVRP1.7 Table of Contents

Table of Contents

Chapter 1 L2TP Configuration Commands...............................................................................1-1

1.1 L2TP Configuration Commands.......................................................................................1-1

1.1.1 allow l2tp virtual-template......................................................................................1-1

1.1.2 debugging l2tp.......................................................................................................1-2

1.1.3 display l2tp session...............................................................................................1-3

1.1.4 display l2tp tunnel..................................................................................................1-3

1.1.5 l2tp domain............................................................................................................1-4

1.1.6 l2tp enable.............................................................................................................1-5

1.1.7 l2tp match-order....................................................................................................1-6

1.1.8 l2tp session-limit....................................................................................................1-7

1.1.9 l2tp-group..............................................................................................................1-8

1.1.10 mandatory-chap...................................................................................................1-8

1.1.11 mandatory-lcp......................................................................................................1-9

1.1.12 ppp l2tp-used.....................................................................................................1-10

1.1.13 reset l2tp tunnel.................................................................................................1-11

1.1.14 start l2tp.............................................................................................................1-11

1.1.15 tunnel authentication.........................................................................................1-13

1.1.16 tunnel avp-hidden..............................................................................................1-14

1.1.17 tunnel flow-control.............................................................................................1-14

1.1.18 tunnel name.......................................................................................................1-15

1.1.19 tunnel password................................................................................................1-16

1.1.20 tunnel timer hello...............................................................................................1-17

Chapter 2 GRE Configuration Commands................................................................................2-1

2.1 GRE Protocol Configuration Commands.........................................................................2-1

2.1.1 destination.............................................................................................................2-1

2.1.2 display interfaces...................................................................................................2-1

2.1.3 gre checksum........................................................................................................2-2

2.1.4 gre key................................................................................................................... 2-3

2.1.5 gre sequence-datagrams.......................................................................................2-4

2.1.6 interface tunnel......................................................................................................2-5

2.1.7 source.................................................................................................................... 2-5

2.1.8 ip fast-forwarding (Tunnel Interface View).............................................................2-6

Huawei Technologies Proprietary

i

Command Manual – VPNVRP1.7 Chapter 1 L2TP Configuration Commands

Chapter 1 L2TP Configuration Commands

1.1 L2TP Configuration Commands

1.1.1 allow l2tp virtual-template

Syntax

allow l2tp virtual-template virtual-template-number [ remote remote-name ]

undo allow

View

L2TP group view

Parameter

virtual-template-number: Number of the virtual template, which is an integer in the

range from 1 to 25.

remote-name: Name of a remote tunnel originating a tunnel connecting request. It is a

case-sensitive character string with the length ranging from 1 to 30 characters.

Description

Using the allow l2tp virtual-template command, you can configure the name of the

remote tunnel when accepting the call and the virtual template to be used. Using the

undo allow command, you can cancel the name of the remote tunnel.

By default, no call can be dialed in.

This command can only be configured on LNS. It is a required configuration.

When L2TP group 1 (default L2TP group number) is used, it is permitted to configure

group 1 without specifying remote-name, and the format of this command is:

allow l2tp virtual-template virtual-template-number [ remote remote-name ]

If the remote name is specified in L2TP group 1 view, then L2TP group 1 does not

serve as the default L2TP group. In Windows 2000 beta 2, for example, the local

tunnel name for the VPN connection is NONE, and the peer name received by the

router is NONE. A default L2TP group can be configured in order to receive a tunnel

connecting request originated by an unknown peer-end, or just for test purpose.

If the name of remote tunnel is configured, make sure that the name of remote tunnel

is in accordance with the name of the local end configured on LAC.

For related commands, see l2tp-group.


1


Example

# Allow a L2TP tunnel connecting request from the peer-end (LAC) named AS8010

on L2TP group 2, and creates a virtual-access interface on virtual-template 1.

[Router-l2tp2] allow l2tp virtual-template 1 remote AS8010

# Take L2TP group 1 as the default L2TP group to allow the L2TP tunnel connecting

requests from any peer-end, and creates a virtual-access interface according to

virtual-template 1.

[Router] l2tp-group 1

[Router-l2tp1] allow l2tp virtual-template 1

1.1.2 debugging l2tp

Syntax

debugging l2tp { all | control | error | event | hidden | payload | time-stamp }

undo debugging l2tp { all | control | error | event | hidden | payload | time-stamp

}

View

Any view

Parameter

all: Enable all the L2TP information debugging.

control: Enable the control packet debugging.

error: Enable the error information debugging.

event: Enable the event debugging.

hidden: Hide start information debugging of AVP.

payload: Enable the L2TP datagram debugging.

time-stamp: Enable the debugging for displaying time stamps.

Description

Using the debugging l2tp command, you can enable the L2TP information

debugging. Using the undo debugging l2tp command, you can disable the L2TP

information debugging.

Example

# Enable the L2TP control packet debugging.

[Router] debugging l2tp control


2


1.1.3 display l2tp session

Syntax

display l2tp session

View

Any view

Parameter

None

Description

Using the display l2tp session command, you can view the information about the

current L2TP session.

For related commands, see display l2tp tunnel.

Example

# Display the information of the current L2TP session.

[Router] display l2tp session

LocoalID RemoteID TunnelID

1 1 2

Total session = 1

Table 1-1 Description of fields in display l2tp session

Field Description

Total session Number of sessions

LocalID Local ID uniquely identifying a session

RemoteID Remote ID uniquely identifying a session

TunnelID Tunnel ID

1.1.4 display l2tp tunnel

Syntax

display l2tp tunnel

View

Any view


3


Parameter

None

Description

Using the display l2tp tunnel command, you can view the information about the

current L2TP tunnel.

For related commands, see display l2tp session.

Example

# Display the information of the current L2TP tunnel.

[Router] display l2tp tunnel

LocalID RemoteID RemName RemAddress Sessions Port

1 8 AS8010 172.168.10.2 1 1701

Total tunnels = 1

Table 1-2 Description of the fields in display l2tp tunnel

Field Description

Total tunnels Number of tunnels

LocalID Local ID uniquely identifying a tunnel

RemoteID Remote ID uniquely identifying a tunnel

RemName Remote name

RemAddress Remote IP address

Sessions Number of sessions at the tunnel port

Port Remote port number

1.1.5 l2tp domain

Syntax

l2tp domain { prefix-separator | suffix-separator } delimiters

undo l2tp domain { prefix-separator | suffix-separator } delimiters

View

System view


4


Parameter

prefix-separator: Indicate that the specified delimiter is a prefix, such as

huawei.com#yaoxin.

suffix-separator: Indicate that the specified delimiter is a suffix, such as

[email protected].

delimiters: Identify the domain delimiter; including '%', '@', '# ', and '/'. The string is of

1 to 4 characters.

Description

Using the l2tp domain command, you can configure the delimiter to be a prefix or

suffix. Using the undo l2tp domain command, you can cancel the configured prefix

or suffix delimiter.

By default, no domain delimiters serving as prefixes or suffixes exist.

This command is only used on LAC and it is an optional configuration.

The l2tp domain prefix-separator command is used to specify one or multiple

domain delimiters serving as prefix. Likewise, the l2tp domain suffix-separator

command is used to specify one or multiple domain delimiters serving as suffix.

Based on the first delimiter which makes the delimitation successfully, the domain

name can be separated from the username through a domain delimiter. Thereby, you

can search among the domain names specified by the VPDN using the start l2tp

command to check if such a domain name exists. If yes, it indicates the user is a VPN

user, so it is necessary to set up a VPN tunnel connection with the LNS to which the

user belongs.

A character serving as a prefix delimiter cannot serve as a suffix delimiter any longer

and vice versa. More specifically, a character cannot serve as a prefix and a suffix

delimiter at the same time.

For related commands, see start l2tp.

Example

# Set the domain name to be the prefix that is separated from the username by the

symbol “#”.

[Router] l2tp domain prefix-separator #

# Delimit the suffix by using multiple delimiters, such as @, and %.

[Router] l2tp domain suffix-separator @%


5


1.1.6 l2tp enable

Syntax

l2tp enable

undo l2tp enable

View

System view

Parameter

None

Description

Using the l2tp enable command, you can enable the VPDN function. Using the undo

l2tp enable command, you can disable the VPDN function.

By default, the VPDN function is disabled.

This command can be used on both LAC and LNS, which is a required configuration.

The l2tp enable command is used to enable the VPDN function. The VPN services

can only be carried out after this function is enabled.

For related commands, see l2tp-group.

Example

# Enable the VPDN function on a router.

[Router] l2tp enable

1.1.7 l2tp match-order

Syntax

l2tp match-order { dnis-domain | dnis | domain-dnis | domain }

undo l2tp match-order

View

System view

Parameter

dnis-domain: Search for the L2TP group according to the dialed number before

according to the domain name.

dnis: Search for the L2TP group according to the dialed number only.


6


domain-dnis: Search for the L2TP group according to the domain name before

according to the dialed number.

domain: Search for the L2TP group according to the domain name only.

Description

Using the l2tp match-order command, you can configure the searching order of the

dialed number and the domain name criteria. Using the undo l2tp match-order

command, you can restore the default searching order.

By default, the searching is carried out according to the dialed number before

according to the domain name, that is, the key word dnis-domain is adopted.

This command is only used on LAC, and it is an optional configuration.

When there are a large number of L2TP accessing users, searching for the user in

order is time-consuming. In this case, necessary search policy should be set (like the

prefix/suffix delimiter) through the l2tp match-order command to speed up the

searching. In an actual searching process, the search is conducted according to the

full username before according to the configuration order of this command.

There are two types of delimiters: prefix delimiter and suffix delimiter, including the

following four special characters: @, # , &, and /. For example, huawei.com#vpdnuser

is a user with a prefix delimiter, and [email protected] is a user with a suffix

delimiter. During the searching, the username and the prefix/suffix delimiter will be

separated, and the VPDN searching is only carried out according to the specified

rules, which greatly improves the searching speed.

For related commands, see l2tp domain.

Example

# Conduct the searching according to the domain name only.

[Router] l2tp match-order domain

1.1.8 l2tp session-limit

Syntax

l2tp session-limit session-number

undo l2tp session-limit

View

System view


7

mailto:[email protected]


Parameter

session-number: The maximum number of L2TP sessions at the local end, which is

an integer in the range from 1 to 2000. By default, the maximum number of sessions

is 1000.

Description

Using the l2tp session-limit command, you can configure the maximum number of

L2TP sessions at the local end. Using the undo l2tp session-limit command, you

can restore the default maximum number of L2TP sessions at the local end.

This command can be used on both LAC and LNS, and is an optional configuration.

The maximum number of sessions at the local end can be configured on both LNS

and LAC, but the actually created number of session connections depends on the

smaller one between them.

For related commands, see display l2tp session.

Example

# Configure the maximum number of L2TP sessions on LNS to 1500.

[Router] l2tp session-limit 1500

1.1.9 l2tp-group

Syntax

l2tp-group group-number

undo l2tp-group group-number

View

System view

Parameter

group-number: L2TP group number, which is an integer in the range from 1 to 1000.

Description

Using the l2tp-group command, you can create a L2TP group. Using the undo l2tp-

group command, you can cancel a L2TP group.

By default, no L2TP group is created.

This command can be used on both LAC and LNS,. It is a required configuration..

The l2tp-group command is used to create a L2TP group. L2TP group 1 can serve

as the default L2TP group. After the L2TP group is deleted by using the undo l2tp-

group command, all the configuration information of this group will be deleted.


8


For related commands, see allow l2tp virtual-template, start l2tp.

Example

# Create L2TP group 2, and enters the L2TP group 2 view.

[Router] l2tp-group 2

[Router-l2tp2]

1.1.10 mandatory-chap

Syntax

mandatory-chap

undo mandatory-chap

View

L2TP group view

Parameter

None

Description

Using the mandatory-chap command, you can force the performing of the CHAP re-

authentication between LNS and Client. Using the undo mandatory-chap command,

you can disable the CHAP re-authentication.

By default, the CHAP re-authentication is not performed.

This command can only be used on LNS and is an optional configuration.

After LAC implements the proxy authentication on Client, LNS re-authenticates the

Client to improve the security. If the mandatory-chap command is used, the VPN

clients that connect with access server via initial tunnel will undergo twice

authentications: one is between clients and NAS (Network Access Server), and the

other is between clients and LNS (L2TP Network Server). If some PPP Clients do not

support re-authentication, the local CHAP authentication may fail.

For related commands, see mandatory-lcp.

Example

# Force the performing of the CHAP re-authentication. in L2TP group 1.

[Router-l2tp1] mandatory-chap


9


1.1.11 mandatory-lcp

Syntax

mandatory-lcp

undo mandatory-lcp

View

L2TP group view

Parameter

None

Description

Using the mandatory-lcp command, you can enable the LCP (Link Control Protocol)

re-negotiation between LNS and Client. Using the undo mandatory-lcp command,

you can disable the LCP re-negotiation.

By default, no LCP re-negotiation is conducted in the system.

This command can be used on LNS only, and is an optional configuration.

A Client of NAS-Initiated VPN will carry out the PPP negotiation with the NAS at the

start of a PPP session. If the negotiation succeeds, the NAS will initialize the tunnel

connection, and transfer to LNS the information received through negotiating with the

client. LNS can judge the validity of the user according to the received proxy

authentication information. The mandatory-lcp command can be used to force the

LCP re-negotiation between LNS and Client, ignoring the proxy authentication

information of NAS. If some PPP Clients do not support the LCP re-negotiation, the

process of the LCP re-negotiation will fail.

For related commands, see mandatory-chap.

Example

# Enable the LCP re-negotiation in L2TP group 1.

[Router-l2tp1] mandatory-lcp

1.1.12 ppp l2tp-used

Syntax

ppp l2tp-used

undo ppp l2tp-used


10


View

Interface view

Parameter

None

Description

Using the ppp l2tp-used command, you can restrict the use of the PPP-encapsulated

interface to L2TP application. Using the undo ppp l2tp-used command, you can

disable the configuration.

By default, the use of the interface is not restricted to L2TP application.

You must use this command in conjunction with the start l2tp by-radius command.

For the related command, see start l2tp by-radius.

Example

# Restrict the use of interface serial0 to L2TP application.

[Router] interface serial0

[Router-Serial0] ppp l2tp-used

1.1.13 reset l2tp tunnel

Syntax

reset l2tp tunnel remote-name

View

Any view

Parameter

remote-name: Name of the remote tunnel, which is a character string ranging from 1

to 30 characters.

Description

Using the reset l2tp tunnel command, you can reset the specified tunnel connection.

Using the undo reset l2tp tunnel command, you can disconnect all the sessions in

the tunnel.

This command is used to reset a tunnel connection by force. When a remote user

dials in again, the tunnel connection can be set up once more. You can decide the

tunnel connection to be cleared by specifying the name of a remote tunnel. If no

qualified tunnel connections that match the remote-name exist, the tunnel

connections in operation will not be affected. If there are multiple qualified tunnels


11


(with the same remote-name, but different IP addresses), the first qualified tunnel

connection will be cleared. The matching sequence referred here is the same as the

result of executing the display l2tp tunnel command.

For related commands, see display l2tp tunnel.

Example

# Clear a tunnel connection whose peer-end name is AS8010.

[Router] reset l2tp tunnel AS8010

1.1.14 start l2tp

Syntax

start l2tp { by-radius | ip ip-address [ ip ip-address … ] } { domain domain-name |

dnis dialed-number | full username user-name }

undo start l2tp [ ip ip-address ]

View

L2TP group view

Parameter

by-radius: Allows to send usernames and domain names to RADIUS servers for

authentication.

ip ip-address: Identify the IP address of the remote tunnel (LNS). A maximum of five

IP addresses can be configured, acting as the backup LNS for one another.

domain domain-name: Domain name of the user triggering the connection request,

which is a case-sensitive string of 1 to 30 characters.

dnis dialed-number: Number dialed by the user triggering the connection request,

which is a string of 1 to 64 characters.

full username user-name: Full name of the user triggering the connection request,

which is a case-sensitive string of 1 to 30 characters

Description

Using the start l2tp command, you can configure the triggering conditions for

originating a call when the local end servers as L2TP LAC end. Using the undo start

l2tp command, you can cancel the specified triggering conditions .

This command can only be used on LAC, which is .

This command is used to specify the IP address of LNS. It supports multiple methods

of connection triggering request.


12


A tunnel connecting request can be originated based on the domain name of the

user. For example, if the domain name of a company to which a user belongs is

huawei.com, then the user who contains this domain name can be specified as a

VPN user.

You can determine whether or not the user is a VPN user according to the dialed

numbers. For example, if the number 8810188 is specified as the special service

number, any accessing users dialing this number will be VPN users.

You can also specify a user to be a VPN user directly by the user’s full name.

You can have the system send the username or domain name to RADIUS

servers for authentication. If a delimiter is configured, only the domain name is

sent. If the RADIUS authentication passes, the system initiates connection based

on the properties delivered by the RADIUS server.

If the user is a VPN user, the local end (LAC) will send a L2TP tunnel connecting

request to one of the LNSs according to the LNS sequence configured. Once LAC

receives the response from LNS, this LNS will become the peer-end of the tunnel.

Otherwise, LAC will send the tunnel connecting request to the next LNS.

There may be conflicts between these methods of identifying VPN users. For

example, the LNS address specified based on full user names is 1.1.1.1, while that

based on the domain names is 1.1.1.2. In this case, it is necessary to specify the

order to search for VPN users. The searching sequence is as follow: First, check if

there is a L2TP group specified according to the full user names. If not, search

according to the order of the domain names. The searching order which bases on

domain name is set by the l2tp match-order command.

For related commands, see l2tp domain, l2tp match-order.

Note:

You can configure the start l2tp by-radius command only on L2TP-group 1 (the

default) and must use it in conjunction with the ppp l2tp-used command.

Example

# Identify VPN users in L2TP group 1 according to the domain name huawei.com.

The IP address of the corresponding LNS at its headquarters is 202.38.168.1.

[Router-l2tp1] start l2tp ip 202.38.168.1 domain huawei.com


13


1.1.15 tunnel authentication

Syntax

tunnel authentication

undo tunnel authentication

View

L2TP group view

Parameter

None

Description

Using the tunnel authentication command, you can enable the tunnel

authentication. Using the undo tunnel authentication command, you can disable the

tunnel authentication.

By default, the system will authenticate the L2TP tunnel.


Normally, both ends of the tunnel need to authenticate each other for security. Tunnel

authentication can be skipped in the case of testing network connectivity or receiving

connection originated from an unknown peer-end.

For related commands, see tunnel password, tunnel name.

Example

# Disable the authentication of the remote tunnel on L2TP group 1.

[Router-l2tp1] undo tunnel authentication

1.1.16 tunnel avp-hidden

Syntax

tunnel avp-hidden

undo tunnel avp-hidden

View

L2TP group view

Parameter

None


14


Description

Using the tunnel avp-hidden command, you can enable hiding AV (attribute value)

pairs. Using the undo tunnel avp-hidden command, you can disable hiding AV pairs.

By default, hiding AV pairs is disabled.


Upon configuration, the operation of hiding AV pairs makes sense only after tunnel

authentication and tunnel password are configured. When AV pairs are hidden, L2TP

hidden algorithm will be executed so that the username and password transmitted in

plain text during proxy authentication will be encrypted into AV pairs. Hiding AV pairs

in L2TP application is very useful when PAP or proxy authentication is used between

LAC and LNS.

In actual configuration, it is recommended to enable/disable hiding AV pairs on both

LAC and LNS at the same time.

Example

# Enable hiding AV pairs on L2TP group 1.

[Router-l2tp1] tunnel avp-hidden

1.1.17 tunnel flow-control

Syntax

tunnel flow-control receive-window size

undo tunnel flow-control receive-window

View

L2TP group view

Parameter

receive-window size: Specify the size of the receiving window of tunnel. It is an

integer in the range from 0 to 128. By default, the size of the receiving window of

tunnel flow control is 0, which means there is no flow control.

Description

Using the tunnel flow-control receive-window command, you can configure the

size of the receiving window of the tunnel so as to control the flow. Using the undo

tunnel flow-control receive-window command, you can restore the size of the

receiving window of the tunnel to the default value.



15


The tunnel flow-control receive-window command can be used to adjust the size

of the receiving window of tunnel. When congestion occurs at the destination end,

reduce the window size properly for the purpose of flow control.

Example

# Configure the tunnel receiving window of L2TP group 1 as 6.

[Router-l2tp1] tunnel flow-control receive-window 6

1.1.18 tunnel name

Syntax

tunnel name name

undo tunnel name

View

L2TP group view

Parameter

name: Identify the name of local tunnel. It is a string of 1 to 30 characters.

Description

Using the tunnel name command, you can configure the name of the local tunnel.

Using the undo tunnel name command, you can restore the local tunnel name to the

default value.

By default, the local tunnel name is the router’s name.


In the process of creating a L2TP group, the name of the local tunnel end will be

initialized as the router’s name.

For related commands, see sysname, tunnel authentication, tunnel password.

Example

# Set the local tunnel name of L2TP group 1 to itsme.

[Router-l2tp1] tunnel name itsme

1.1.19 tunnel password

Syntax

tunnel password { simple | cipher } password

undo tunnel password


16


View

L2TP group view

Parameter

simple: Password shown in plain text;

cipher: Password shown in cipher text.

password: Password used during the tunnel authentication, which is a character

string of 1 to 16 characters.

Description

Using the tunnel password command, you can configure the password used during

tunnel authentication. Using the undo tunnel password command, you can cancel

the password of the tunnel authentication.

By default, the password of tunnel authentication is the router name.


When creating a L2TP group, the local tunnel name and the tunnel password are both

initialized to be the router’s name.

For related commands, see tunnel authentication, tunnel name.

Example

# Set the tunnel password on L2TP group 1 to “yougotit” and make it shown in the

form of cipher text.

[Router-l2tp1] tunnel password cipher yougotit

1.1.20 tunnel timer hello

Syntax

tunnel timer hello hello-interval

undo tunnel timer hello

View

L2TP group view

Parameter

hello-interval: The interval that the LAC or LNS waits for sending Hello packets when

there is no traffic over the tunnel, ranging from 60 to 1000, in second. By default, the

Hello packets are sent every 60 seconds.


17


Description

Using the tunnel timer hello command, you can configure the interval for sending

Hello packets over an L2TP tunnel. Using the undo tunnel timer hello command,

you can restore the interval for sending Hello packets over an L2TP tunnel to the

default value.


The interval of sending Hello packets configured on LAC can be different from that on

LNS. The undo tunnel timer hello command can be used to restore the interval to

the default value.

Example

# Set the interval for sending Hello packets to 99 seconds.

[Router-l2tp1] tunnel timer hello 99


18

Command Manual – VPNVRP1.7 Chapter 2 GRE Configuration Commands

Chapter 2 GRE Configuration Commands

2.1 GRE Protocol Configuration Commands

2.1.1 destination

Syntax

destination ip-address

undo destination

View

Tunnel interface view

Parameter

ip-address: IP address of the actual physical port at the remote tunnel interface.

Description

Using the destination command, you can configure IP address of remote tunnel

interface. Using the undo destination command, you can cancel the IP address of

remote tunnel interface.

The specified remote tunnel address is input in format of the IP address. It must be

the same as the actual physical address of the remote port attached and it should be

guaranteed that the route to this port is reachable. Furthermore, the destination

address of the tunnel configured at the local end must be consistent with the source

address of the remote tunnel.

For related commands, see interface tunnel, source.

Example

# Set up a tunnel connection between Serial0 in RouterA and Serial1 in RouterB; the

IP address of Serial0 in RouterA is 10.110.1.1, and that of Serial1 in RouterB is

20.110.1.1. Make the following configurations at tunnel0 in RouterA:

[RouterA] interface tunnel 0

[RouterA-Tunnel0] source 10.110.1.1

[RouterA-Tunnel0] destination 20.110.1.1


1


2.1.2 display interfaces

Syntax

display interfaces [ tunnel tunnel-number ]

View

Any view

Parameter

tunnel-number: Tunnel interface number.

Description

Using the display interfaces command, you can view the status of the active tunnel

interface.

Example

[Router] display interfaces tunnel 1

Tunnel0 current state:up, line protocol current state:down

The Maximum Transmit Unit is 64000

Internet Address is 2.2.2.2(30)

input packets:0, bytes:0

input errors:0, broadcast:0, drops:0

output packets:0, bytes:0

output errors:0, 0 broadcast, no protocol:0

The above information shows: Tunnel 1 interface is in up state, and MTU is 128

bytes. The network address of Tunnel1 is 3.1.1.1; 0 packet is received; 0 error packet

and 0 broadcast packet is received; no packet is discarded; 0 packet is sent; 0 packet

is output with errors, 0 broadcast packet and 0 packet with unknown protocol is

output.

2.1.3 gre checksum

Syntax

gre checksum

undo gre checksum

View


Parameter

None


2


Description

Using the gre checksum command, you can configure checksum-based end-to-end

check at both ends of the tunnel. Using the undo gre checksum command, you can

disable the checksum check on the tunnel interfaces.

By default, checksum check is disabled on tunnel interface.

RFC 1701 provides that: if the Checksum bit is set in the GRE packet header, then

Checksum is valid. The sender calculates the checksum based on the GRE header

and payload, and the receiver calculates the checksum based on the received packet

and compares it with the checksum contained in the packet. If they are the same, the

packet will be further processed, otherwise it will be discarded.

If the checksum is set at one end of the tunnel only, then no checksum-based check

will be performed on the packet. Only when the checksum is set at both ends of a

tunnel, will the packet be checked.

For related commands, see interface tunnel.

Example

# Set up a tunnel between RouterA and RouterB, whose tunnel interfaces are tunnel0

and tunnel1 respectively. It is required to enable the checksum check.

[RouterA-Tunnel0] gre checksum

[RouterB-Tunnel1] gre checksum

2.1.4 gre key

Syntax

gre key key-number

undo gre key

View


Parameter

key-number: Key IDs at both ends of the tunnel, ranging from 0 to 4294967295.

Description

Using the gre key command, you can configure the Key ID of the local tunnel

interface. Using the undo gre key command, you can cancel the Key ID of the local

tunnel interface.

By default, no Key ID is set.


3


RFC 1701 provides that: if the KEY field in the GRE header is set, then both the

receiver and sender will authenticate the gre key. Only when the gre keys set at both

ends of the tunnel are the same will the authentication succeed, otherwise the packet

will be discarded.


Example

# Set up a tunnel between RouterA and RouterB, and the tunnel interfaces are

tunnel0 and tunnel1, respectively. It is required that the gre key be set.


[RouterA-Tunnel0] gre key 123456789

[RouterB] interface tunnel 1

[RouterB-Tunnel1] gre key 123456789

2.1.5 gre sequence-datagrams

Syntax

gre sequence-datagrams

undo gre sequence-datagrams

View


Parameter

None

Description

Using the gre sequence-datagrams command, you can. configure sequence

number synchronization of datagram on a tunnel interface. Using the undo gre

sequence-datagrams command, you can disable sequence number synchronization.

By default, tunnel interface datagram does not use sequence number

synchronization.

RFC 1701 provides that: if sequence-datagram in the GRE header is set, then the

receiver and sender will undergo sequence number synchronization. Only

synchronous packets will be further processed, otherwise the packet will be

discarded.

The tunnel sequence number provides unreliable but orderly packets. The receiver

makes sequence numbers for the packets received locally and de-capsulated

successfully (the sequence number can be any integer, ranging from 0 to 232–1, with

that of the first packet being 0). After the tunnel is set up, the sequence numbers will


4


be counted in an accumulative and cyclic manner. If the receiver receives a packet

whose sequence number is less than or equal to the sequence number of the last

packet, this packet is deemed to be an illegal packet. If a packet out of sequence is

received, it will be discarded automatically.

Only when gre sequence-datagrams or undo gre sequence-datagrams is set at

both ends of the tunnel with the same value can the tunnel be set up.


Example

# Set up a tunnel between RouterA and RouterB, whose interfaces are tunnel0 and

tunnel1, respectively. It is required to enable the check of packet sequence number.

[RouterA-Tunnel0] gre sequence-datagrams

[RouterB-Tunnel1] gre sequence-datagrams

2.1.6 interface tunnel

Syntax

interface tunnel tunnel-number

undo interface tunnel

View

Any view

Parameter

tunnel-number: Specified tunnel interface number, ranging from 0 to 4294967295.

Description

Using the interface tunnel command, you can create a tunnel interface and enter the

tunnel view. Using the undo interface tunnel command, you can cancel a specified

tunnel interface.

By default, no tunnel interface is created.

This command is used to enter a specified tunnel interface view. If the tunnel interface

has not been created, create it first. The number of tunnels that can be created

depends on the total number of interfaces as well as the memory condition.

For related commands, see source, destination, gre key, gre checksum, gre

sequence-datagrams.

Example

# Set up the interface tunnel0 in Router A.


5



[RouterA-Tunnel0]

2.1.7 source

Syntax

source ip-address

undo source

View


Parameter

ip-address: IP address of the actual physical port that uses tunnel interface.

Description

Using the source command, you can configure tunnel local address. Using the undo

source command, you can cancel the configured local address.

By default, no tunnel source address is specified.

The specified tunnel source address is input in the IP address format. It must be the

same as the actual physical port address. Furthermore, the source address of the

tunnel configured at the local end must be consistent with the destination address of

the remote tunnel.

For related commands, see interface tunnel, destination.

Example

# Configure tunnel0 in the router: the actual exit for the packet encapsulated at this

interface is Serial0.

[RouterA] interface serial 0

[RouterA-serial0] ip address 10.110.1.1 255.255.255.0


[RouterA-Tunnel0] source 10.110.1.1

2.1.8 ip fast-forwarding (Tunnel Interface View)

Syntax

ip fast-forwarding [ inbound | outbound ]

undo ip fast-forwarding


6


View


Parameter

inbound: Enable fast-forwarding only in the inbound direction of the tunnel interfaces.

outbound: Enable fast-forwarding only in the outbound direction of the tunnel

interface.

Description

Using ip fast-forwarding command, you can enable fast-forwarding on a tunnel.

Using undo fast-forwarding command, you can disable fast-forwarding on the

tunnel.

By default, fast-forwarding is enabled two-way on the tunnel.

In this command, the parameters inbound and outbound are mutually exclusive, and

the newly configured parameter will replace the previous one. If you want to enable

fast-forwarding on both the receiving and sending directions, you should not use any

parameter in this command.

Quidway series routers support the fast-forwarding on all high-speed link interface,

including Ethernet, synchronous PPP, Frame Relay, HDLC, support the fast-

forwarding when firewall and NAT are configured, and support the fast-forwarding on

GRE virtual tunnel interface. Please note that when the fast-forwarding is configured

on an interface, this interface will never send ICMP redirection packets.

Example

# Configure the interface tunnel 0 on the router and disable fast-forwarding on the

interface.

[Router] interface tunnel 0

[Router-Tunnel0] undo ip fast-forwarding


7

09 Command Manual VPN

Documents

actual physical

1l2tp configuration

2gre configuration

hiding av

current l2tp

viewtunnel

tunnel connecting

viewl2tp group