F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

Registration phase
Figure 308 Registration process
Figure 308 shows the registration process:
1. The client sends the server a registration request, which carries information about the client.
2. Upon receiving the registration request, the server first determines whether to authenticate the
identity of the client.
   ○ If identity authentication is not required, the server directly registers the client and sends the
     client a registration acknowledgement.
   ○ If identity authentication is required, the server sends the client an identity authentication
     request, indicating the required authentication algorithm. In the case of CHAP authentication,
     a random number is also sent.
3. The client submits its identity information to the server.
4. After receiving the identity information of the client, the server sends an authentication request to
the AAA server and, after receiving the expected authentication acknowledgement, sends an
accounting request to the AAA server. When the server receives the accounting acknowledgement,
it sends the client a registration acknowledgement, telling the client information about the hubs in
the VPN.
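
The server-side decision flow of steps 1 to 4 with CHAP, as an added example that is not taken from the guide or from the device software. Assumptions: the message field names, the `registration-reject` message, and the hub addresses are hypothetical; the CHAP value is computed as in RFC 1994 (MD5 over identifier, secret, challenge); and the AAA authentication and accounting exchanges are collapsed into a local lookup.

```python
import hashlib, hmac, os

# Constructed sample data: stands in for the AAA server's user database.
AAA_SECRETS = {"spoke1": b"s3cret-spoke1"}
HUBS = ["192.0.2.1", "192.0.2.2"]          # constructed hub addresses (RFC 5737)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class RegistrationServer:
    def __init__(self, require_auth: bool = True):
        self.require_auth = require_auth
        self.pending = {}                   # client name -> (identifier, challenge)
        self.next_id = 0

    def on_registration_request(self, client: str) -> dict:
        # Step 2: decide whether to authenticate the client's identity.
        if not self.require_auth:
            return {"type": "registration-ack", "hubs": HUBS}
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)          # the "random number" sent for CHAP
        self.pending[client] = (self.next_id, challenge)
        return {"type": "identity-auth-request", "algorithm": "CHAP",
                "id": self.next_id, "challenge": challenge}

    def on_identity_information(self, client: str, response: bytes) -> dict:
        # Step 4: pop() makes each challenge single-use, so a captured
        # response cannot be replayed against the same challenge.
        ident, challenge = self.pending.pop(client, (None, None))
        secret = AAA_SECRETS.get(client)
        if ident is None or secret is None:
            return {"type": "registration-reject"}   # hypothetical message name
        expected = chap_response(ident, secret, challenge)
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return {"type": "registration-reject"}
        return {"type": "registration-ack", "hubs": HUBS}
```

A fresh challenge per registration request and a constant-time comparison are the two properties worth checking in any implementation of this exchange.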
Tunnel establishment phase
After a spoke successfully registers itself, it needs to establish a permanent tunnel with a hub. A spoke can
establish permanent tunnels with up to two hubs. If there are two hubs in a VPN domain, a permanent
tunnel is required between the hubs.
Figure 309 shows the tunnel establishment process.
Figure 309 Tunnel establishment process
1. The initiator originates a tunnel establishment request.
[Figure 308 content: messages exchanged between Client and Server: 1) Registration request; 2) Identity authentication request; 3) Identity information; 4) Registration acknowledgement]