Huawei DSVPN Solution: Architecture, Configuration Steps, and Validation
This article explains the limitations of traditional IPSec VPNs for growing enterprises, introduces Huawei's DSVPN dynamic VPN technology, provides detailed configuration procedures for Hub and Spoke devices—including interface, routing, firewall, and security policies—and demonstrates verification of end‑to‑end connectivity.
As more small and large enterprises adopt IPSec VPNs to interconnect headquarters and branch offices, traditional static VPNs face scalability, resource consumption, latency, and routing challenges, especially when branches use dynamic public IP addresses.
Huawei's DSVPN (Dynamic VPN) addresses these issues by combining NHRP (Next Hop Resolution Protocol) and mGRE (multipoint Generic Routing Encapsulation) with IPSec, enabling dynamic collection of public addresses, direct branch‑to‑branch tunnels, multicast support, and automatic tunnel maintenance.
Basic Architecture
Hub (headquarters) uses a static public IP.
Spokes (branches) obtain dynamic public IPs.
Spokes discover each other's public addresses via NHRP and establish dynamic mGRE tunnels, bypassing the Hub for inter‑branch traffic.
Configuration Steps
Configure firewall interfaces and assign them to appropriate security zones.
Add static routes for internet access.
Create security policies to permit traffic between local and untrust zones.
Set up DSVPN parameters on each Spoke and the Hub.
Sample Configuration Scripts
Spoke1 configuration:
sysname Spoke1
#
interface GigabitEthernet0/0/0
 ip address dhcp-alloc
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 alias LoopBack0
#
interface Tunnel0
 description spoke
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type broadcast
 dr-priority 0
 alias Spoke1
 nhrp authentication hash sha1 %^%#$]8@BBRhtL)i)m4/LP,5l$;gMF$xjY)RXoXCca3V%^%#
 nhrp entry multicast dynamic
 nhrp entry 172.16.1.1 1.1.1.10 register preference 10
#
ospf 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  action permit
#
return

Spoke2 configuration (similar to Spoke1, with its own IP ranges):
sysname Spoke2
#
interface GigabitEthernet0/0/0
 ip address dhcp-alloc
#
interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 alias LoopBack0
#
interface Tunnel0
 description spoke
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type broadcast
 dr-priority 0
 alias Spoke2
 nhrp authentication hash sha1 %^%#$]8@BBRhtL)i)m4/LP,5l$;gMF$xjY)RXoXCca3V%^%#
 nhrp entry multicast dynamic
 nhrp entry 172.16.1.1 1.1.1.10 register preference 10
#
ospf 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
 area 0.0.0.1
  network 192.168.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  action permit
#
return

Hub configuration:
sysname Hub
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 alias LoopBack0
#
interface Tunnel0
 description hub
 ip address 172.16.1.1 255.255.255.255
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type broadcast
 dr-priority 2
 alias Hub
 nhrp authentication hash sha1 %^%#$]8@BBRhtL)i)m4/LP,5l$;gMF$xjY)RXoXCca3V%^%#
 nhrp entry multicast dynamic
 undo nhrp hub reverse-route enable
#
ospf 1
 area 0.0.0.0
  network 172.16.1.1 0.0.0.0
 area 0.0.0.1
  network 192.168.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  action permit
#
return

Result Verification
From a PC behind Spoke1, ping the LoopBack IP of Spoke2 or access services; this triggers dynamic mGRE tunnel creation.
Check Network → DSVPN → Monitoring on Spoke1 to see tunnel status UP for Hub and Spoke2.
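Before trusting the monitoring page, it is worth checking the three configurations against each other, because the most common reasons a DSVPN tunnel stays DOWN are a spoke registering to the wrong Hub address, a mismatched NHRP authentication string, or a security policy that never permits GRE between the local and untrust zones. The script below is an added example (not code from the article or from Huawei) that parses VRP-style configuration text of the kind shown above and reports those inconsistencies; it also flags permit rules such as rule1, which allows any service from the whole 192.168.0.0/16 range, for a scope review. The embedded sample configs are constructed, trimmed copies of the Hub and Spoke1 scripts, and CONSTRUCTED_CIPHER stands in for the real cipher text.

```python
"""Consistency audit for Huawei DSVPN hub/spoke configs. Added example, not code
from the article or from Huawei: it parses VRP-style config text like the scripts
above and flags NHRP registration, NHRP authentication, missing GRE policy and
over-broad permit rules. Sample configs are constructed, trimmed copies of the
article's Hub and Spoke1 scripts; CONSTRUCTED_CIPHER replaces the real cipher."""
import ipaddress

HUB_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 1.1.1.10 255.255.255.0
interface Tunnel0
 ip address 172.16.1.1 255.255.255.255
 source GigabitEthernet0/0/0
 nhrp authentication hash sha1 CONSTRUCTED_CIPHER
 nhrp entry multicast dynamic
security-policy
 rule name rule1
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  service gre
  action permit
return
"""

SPOKE1_CONFIG = """\
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 source GigabitEthernet0/0/0
 nhrp authentication hash sha1 CONSTRUCTED_CIPHER
 nhrp entry 172.16.1.1 1.1.1.10 register preference 10
security-policy
 rule name rule2
  service gre
  action permit
return
"""

def parse_sections(text):
    """Split VRP config into {header: [tokenised body lines]}; '#' or 'return' ends a section."""
    sections, header = {}, None
    for line in text.splitlines():
        if not line.strip() or line in ("#", "return"):
            header = None
        elif not line.startswith(" "):
            header = line
            sections[header] = []
        elif header:
            sections[header].append(line.split())
    return sections

def parse_tunnel(sections):
    """NHRP-relevant settings of the first Tunnel interface (None if there is none)."""
    for header, body in sections.items():
        if header.startswith("interface Tunnel"):
            tun = {"ip": None, "auth": None, "source": None, "registrations": set()}
            for w in body:
                if w[:2] == ["ip", "address"]:
                    tun["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
                elif w[:2] == ["nhrp", "authentication"]:
                    tun["auth"] = " ".join(w[2:])
                elif w[:2] == ["nhrp", "entry"] and "register" in w:
                    tun["registrations"].add((w[2], w[3]))  # (hub tunnel IP, hub public IP)
                elif w[0] == "source":
                    tun["source"] = w[1]
            return tun

def parse_rules(sections):
    """Flatten security-policy rules to name, service, action and source prefix."""
    rules = []
    for w in sections.get("security-policy", []):
        if w[:2] == ["rule", "name"]:
            rules.append({"name": w[2], "service": None, "action": None, "src": None})
        elif rules and w[0] == "source-address":
            rules[-1]["src"] = ipaddress.ip_network(f"{w[1]}/{w[3]}", strict=False)
        elif rules and w[0] in ("service", "action"):
            rules[-1][w[0]] = w[1]
    return rules

def audit(hub_text, spokes):
    """Return human-readable findings for a hub config and {name: config} spokes."""
    hub = parse_sections(hub_text)
    hub_tun = parse_tunnel(hub)
    # The hub's public address is the static address of the tunnel's source interface.
    hub_pub = next(w[2] for w in hub[f"interface {hub_tun['source']}"] if w[:2] == ["ip", "address"])
    expected = (str(hub_tun["ip"].ip), hub_pub)  # what every spoke must register to
    findings = []
    for name, cfg in [("Hub", hub)] + [(n, parse_sections(t)) for n, t in spokes.items()]:
        tun = parse_tunnel(cfg)
        if tun["auth"] != hub_tun["auth"]:
            findings.append(f"{name}: NHRP authentication differs from Hub")
        if cfg is not hub and expected not in tun["registrations"]:
            findings.append(f"{name}: NHRP registration does not target Hub {expected}")
        rules = parse_rules(cfg)
        if not any(r["service"] == "gre" and r["action"] == "permit" for r in rules):
            findings.append(f"{name}: no permit rule for service gre")
        for r in rules:
            if r["action"] == "permit" and r["service"] is None and r["src"] is not None and r["src"].prefixlen <= 16:
                findings.append(f"{name}: rule {r['name']} permits any service from {r['src']}; review scope")
    return findings
```

Run `audit(HUB_CONFIG, {"Spoke1": SPOKE1_CONFIG})` and the only finding on the sample is the scope warning for rule1; paste the real Spoke2 script in as a second spoke to check that both branches register to the same Hub addresses and carry the same authentication string. The parser deliberately keys on the indentation VRP uses, so it works on a full `display current-configuration` dump as well as on the trimmed samples.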
Conclusion
By leveraging Huawei DSVPN, the network connects headquarters in Beijing and Shanghai with dynamic, cost‑effective VPN tunnels that eliminate the need for static public IP lines, simplify management through automatic registration, and improve performance by allowing direct branch‑to‑branch traffic, reducing latency and resource consumption at the hub.
YunZhu Net Technology Team