Support for dynamic vam client ip address, Encryption of vam protocol packets, Ipsec protection of data packets – H3C Technologies H3C SecPath F1000-E User Manual

Page 418: Centralized management of policies, Support for multiple vpn domains, Configuring dvpn in the web interface

If neither of the two spokes is behind a NAT gateway, a direct tunnel will be established between them.

If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established
traversing the NAT gateway.

If the tunnel request receiver is behind a NAT gateway, packets must be forwarded by a hub before
the intended receiver originates a tunnel establishment request.

If both spokes reside behind NAT gateways, no tunnel can be established between them and
packets between them will be forwarded by a hub.

Support for dynamic VAM client IP address

As each VAM client registers its public and private addresses with the VAM server and can get the public address of the peer VAM client from the VAM server, no tunnel destination address needs to be configured on either tunnel interface of a tunnel. When a VAM client's IP address changes, the client reregisters with the VAM server, which is how dynamic IP addresses are supported.

AAA identity authentication of VAM clients on the VAM server

After the initialization process completes, a VAM client registers with the VAM server. You can specify that VAM clients be authenticated during the registration process. VAM supports PAP authentication and CHAP authentication. The VAM server uses AAA to authenticate clients in the VPN domain. A VAM client must pass authentication to access the VPN.

Identity authentication of the VAM server and VAM client using the pre-shared key

A VAM client and the VAM server must be configured with the same pre-shared key to generate the encryption/integrity validation key. The VAM client/VAM server can determine whether the pre-shared keys of both sides are the same by checking the result of packet decryption and integrity validation, so as to implement identity authentication of the VAM server/VAM client.
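
The implicit authentication described above, as an added example (not H3C's code and not the VAM packet format): both sides derive keys from the pre-shared key, and a packet passes integrity validation only when the keys match. The PBKDF2 derivation, the salt, the packet layout and the standard-library stand-in cipher are assumptions, since the manual specifies none of them.

```python
import hashlib
import hmac
import os

SALT = b"constructed-domain-salt"  # assumption: value both sides already share
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(psk):
    # Assumption: PBKDF2 stands in for VAM's unspecified key derivation.
    material = hashlib.pbkdf2_hmac("sha256", psk, SALT, 10_000, dklen=64)
    return material[:32], material[32:]  # (encryption key, integrity key)


def keystream(key, nonce, length):
    # Stdlib stand-in cipher (HMAC in counter mode); VAM uses AES-128/DES/3DES.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(psk, payload):
    # Sender: encrypt, then append an integrity tag over nonce + ciphertext.
    enc_key, mac_key = derive_keys(psk)
    nonce = os.urandom(NONCE_LEN)
    ct = xor(payload, keystream(enc_key, nonce, len(payload)))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def accept(psk, packet):
    # Receiver: a valid tag proves the peer holds the same pre-shared key.
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(psk)
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # wrong key or tampered packet: reject the peer
    return xor(ct, keystream(enc_key, nonce, len(ct)))
```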

Encryption of VAM protocol packets

VAM protocol packets can be encrypted by using AES-128, DES, or 3DES.

IPsec protection of data packets

Data packets in a DVPN tunnel can be protected by IPsec (using the ESP or AH protocol and negotiating security parameters through IKE).

Centralized management of policies

A VAM server manages all policies in a VPN domain centrally.

Support for multiple VPN domains

A VAM server supports up to 10 VPN domains.

Configuring DVPN in the Web interface

When configuring DVPN, configure the DVPN server before configuring the DVPN clients. When configuring the DVPN clients, configure the Hubs before configuring the Spokes.