R0106-HP MSR Router Series Layer 3 - IP Services Configuration Guide(V7)
Figure 135 shows the format of ADVPN packets. ADVPN supports both GRE and UDP encapsulations. In
the outer IP header, the source IP address is the public address of the local spoke, and the destination
address is the public address corresponding to the private next hop. IPsec can be used to protect ADVPN
tunnels.
Figure 135 ADVPN packet format
An ADVPN tunnel using UDP encapsulation can traverse a NAT gateway:
• If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established
through the NAT gateway.
• If the tunnel receiver is behind a NAT gateway, packets must be forwarded by a hub before the
receiver originates a tunnel establishment request. If the NAT gateway uses Endpoint-Independent
Mapping, a spoke-spoke tunnel can be established through the NAT gateway.
• If both ends reside behind a NAT gateway, no tunnel can be established and packets between them
must be forwarded by a hub.
ADVPN configuration task list
Tasks at a glance
(Optional.) Configuring AAA
(Required.) Configuring the VAM server
(Required.) Configuring the VAM client
(Required.) Configuring an ADVPN tunnel interface
(Required.) Configuring routing
(Optional.) Configuring IPsec for ADVPN tunnels
Configuring AAA
The VAM server can use AAA to authenticate clients. Clients passing AAA authentication can access the
ADVPN domain. For information about AAA configuration, see Security Configuration Guide.
Configuring the VAM server
Task
(Required.) Creating an ADVPN domain
(Required.) Enabling the VAM server
(Required.) Configuring a pre-shared key for the VAM server
(Required.) Configuring hub groups
(Optional.) Configuring the port number of the VAM server
(Optional.) Specifying authentication and encryption algorithms for the VAM server
(Optional.) Configuring an authentication method