Configuring dvpn, Feature and hardware compatibility, Dvpn overview – H3C Technologies H3C SecPath F1000-E User Manual
Configuring DVPN
The term "router" in this document refers to both routers and Layer 3 firewalls.
Feature and hardware compatibility
Feature   F1000-A-EI/E-SI/S-AI   F1000-E   F5000-A5   Firewall module
DVPN      No                     Yes       Yes        Yes
DVPN overview
More and more enterprises require virtual private networks (VPNs) to connect
their branches across the public network. However, branches of an enterprise usually use dynamically
assigned IP addresses to access the public network, and none of them can know the public IP
addresses of the other branches in advance. This makes it difficult to establish VPNs. Dynamic virtual
private network (DVPN) is intended to address this issue.
DVPN collects, maintains, and distributes dynamic public addresses through the VPN Address
Management (VAM) protocol, so that VPNs can be established between enterprise branches that
use dynamic addresses to access the public network.
In DVPN, a collection of nodes connected to the public network forms a VPN. From the perspective of
DVPN, the public network is the link layer of the VPN, and the tunnels that serve as the virtual
channels between subnets of an intranet constitute the network layer. Branch devices dynamically access
the public network. DVPN obtains the public IP addresses of the peers through VAM and uses them to set up
secure internal tunnels.
When a DVPN device forwards a packet from a user subnet to another, it performs these operations:
1. Obtaining the next hop on the private network through a routing protocol.
2. Inquiring the public network address of the next hop through the VAM protocol.
3. Encapsulating the packet, using the public address as the destination address of the tunnel.
4. Sending the packet along the tunnel to the destination.
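The forwarding steps above as a small Python model, added here as an illustration and not taken from the H3C manual or from H3C software. The routing table, the VAM mapping, the addresses, and every function name are constructed assumptions; the VAM protocol exchange itself is not modelled, only its result (private next hop to public address).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (documentation address ranges), not from the manual.
# Private routing table: destination subnet -> private next hop (peer tunnel address).
ROUTES = {"192.168.2.0/24": "10.0.0.2", "192.168.0.0/16": "10.0.0.3"}
# Mappings the VAM server currently holds: private address -> public address.
VAM_MAP = {"10.0.0.2": "203.0.113.20"}

@dataclass
class TunnelPacket:
    outer_dst: str   # public address used as the tunnel destination
    next_hop: str    # private next hop the route lookup returned
    inner: bytes     # original packet, carried unchanged

def private_next_hop(dst, routes):
    """Step 1: longest-prefix match in the private routing table."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), nh) for net, nh in routes.items()
            if addr in ipaddress.ip_network(net)]
    if not hits:
        raise LookupError(f"no private route to {dst}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def vam_resolve(next_hop, vam_map):
    """Step 2: ask the (modelled) VAM mapping for the peer's public address."""
    if next_hop not in vam_map:
        raise LookupError(f"{next_hop} has not registered a public address")
    return vam_map[next_hop]

def forward(dst, payload, routes=ROUTES, vam_map=VAM_MAP):
    """Steps 1-3; step 4 would hand the result to the tunnel interface."""
    nh = private_next_hop(dst, routes)
    return TunnelPacket(vam_resolve(nh, vam_map), nh, payload)

if __name__ == "__main__":
    print(forward("192.168.2.7", b"data"))
    # The branch reconnects with a new dynamic address and registers it again.
    moved = {**VAM_MAP, "10.0.0.2": "198.51.100.9"}
    print(forward("192.168.2.7", b"data", vam_map=moved))
    try:
        forward("192.168.9.1", b"data")   # next hop 10.0.0.3 never registered
    except LookupError as err:
        print("dropped:", err)
```

The second call shows why the private routing table never needs to change when a branch's public address does: only the VAM mapping is updated.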
Basic concepts of DVPN
The following key roles are involved in DVPN.
DVPN node
A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device or a host. A DVPN
node takes part in tunnel setup and must implement the VAM client.