
Huawei DSVPN Solution: Architecture, Configuration Steps, and Validation

This article explains the limitations of traditional IPSec VPNs for growing enterprises, introduces Huawei's DSVPN dynamic VPN technology, provides detailed configuration procedures for Hub and Spoke devices—including interface, routing, firewall, and security policies—and demonstrates verification of end‑to‑end connectivity.

YunZhu Net Technology Team

As more small and large enterprises adopt IPSec VPNs to interconnect headquarters and branch offices, traditional static VPNs face scalability, resource consumption, latency, and routing challenges, especially when branches use dynamic public IP addresses.

Huawei's DSVPN (Dynamic VPN) addresses these issues by combining NHRP (Next Hop Resolution Protocol) and mGRE (multipoint Generic Routing Encapsulation) with IPSec, enabling dynamic collection of public addresses, direct branch‑to‑branch tunnels, multicast support, and automatic tunnel maintenance.

Basic Architecture

Hub (headquarters) uses a static public IP.

Spokes (branches) obtain dynamic public IPs.

Spokes discover each other's public addresses via NHRP and establish dynamic mGRE tunnels, bypassing the Hub for inter‑branch traffic.

Configuration Steps

Configure firewall interfaces and assign them to appropriate security zones.

Add static routes for internet access.

Create security policies to permit traffic between local and untrust zones.

Set up DSVPN parameters on each Spoke and the Hub.

Sample Configuration Scripts

Spoke1 configuration:

sysname Spoke1
#
interface GigabitEthernet0/0/0
 ip address dhcp-alloc
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 alias LoopBack0
#
interface Tunnel0
 description spoke
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type broadcast
 ospf dr-priority 0
 alias Spoke1
 nhrp authentication hash sha1 %^%#$]8@BBRhtL)i)m4/LP,5l$;gMF$xjY)RXoXCca3V%^%#
 nhrp entry multicast dynamic
 nhrp entry 172.16.1.1 1.1.1.10 register preference 10
#
ospf 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  action permit
#
return

Spoke2 configuration (similar to Spoke1, with its own IP ranges):

sysname Spoke2
#
interface GigabitEthernet0/0/0
 ip address dhcp-alloc
#
interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 alias LoopBack0
#
interface Tunnel0
 description spoke
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type broadcast
 ospf dr-priority 0
 alias Spoke2
 nhrp authentication hash sha1 %^%#$]8@BBRhtL)i)m4/LP,5l$;gMF$xjY)RXoXCca3V%^%#
 nhrp entry multicast dynamic
 nhrp entry 172.16.1.1 1.1.1.10 register preference 10
#
ospf 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
 area 0.0.0.1
  network 192.168.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  action permit
#
return

Hub configuration:

sysname Hub
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 alias LoopBack0
#
interface Tunnel0
 description hub
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/0
 ospf network-type broadcast
 ospf dr-priority 2
 alias Hub
 nhrp authentication hash sha1 %^%#$]8@BBRhtL)i)m4/LP,5l$;gMF$xjY)RXoXCca3V%^%#
 nhrp entry multicast dynamic
 undo nhrp hub reverse-route enable
#
ospf 1
 area 0.0.0.0
  network 172.16.1.1 0.0.0.0
 area 0.0.0.1
  network 192.168.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface Tunnel0
#
security-policy
 rule name rule1
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
 rule name rule2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  action permit
#
return
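Before pushing these scripts to the devices, it is worth cross-checking them for the mismatches that silently stop DSVPN from coming up. The following Python script is an added example, not part of the original article: it reads constructed, trimmed excerpts of the Hub and Spoke1 configs above (with SECRET standing in for the cipher-text NHRP key) and verifies that every Spoke's Tunnel0 address lies in the Hub's tunnel subnet (OSPF broadcast network type discards Hellos whose mask differs), that the NHRP authentication line matches the Hub's, that the Spoke's NHS entry names the Hub's tunnel and public addresses, and that every device has a security-policy rule permitting GRE.

```python
import itertools
import ipaddress
# Constructed, trimmed excerpts of the Hub and Spoke1 configs: only the lines the checks read.
POLICY = "security-policy\n rule name rule2\n  service gre\n  action permit\n"
HUB = """\
interface GigabitEthernet0/0/0
 ip address 1.1.1.10 255.255.255.0
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 nhrp authentication hash sha1 SECRET
""" + POLICY
SPOKE1 = """\
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 nhrp authentication hash sha1 SECRET
 nhrp entry 172.16.1.1 1.1.1.10 register preference 10
""" + POLICY

def section(cfg, header):  # stripped, indented lines under one top-level command such as 'interface Tunnel0'
    body = cfg.split(header + "\n", 1)[1].splitlines()
    return [l.strip() for l in itertools.takewhile(lambda l: l.startswith(" "), body)]

def iface_addr(cfg, name):  # the interface's 'ip address A M' as an ip_interface, or None if absent
    for l in section(cfg, f"interface {name}"):
        if l.startswith("ip address "):
            return ipaddress.ip_interface("/".join(l.split()[2:4]))

def permits_gre(cfg):  # True if one security-policy rule matches 'service gre' and then permits
    rule = ""
    for l in section(cfg, "security-policy"):
        rule = "" if l.startswith("rule name ") else rule + l + "\n"
        if "service gre\n" in rule and l == "action permit":
            return True
    return False

def check_dsvpn(hub, spokes):  # cross-check each Spoke against the Hub; an empty list means consistent
    hub_tun, hub_pub = iface_addr(hub, "Tunnel0"), iface_addr(hub, "GigabitEthernet0/0/0")
    hub_auth = [l for l in section(hub, "interface Tunnel0") if l.startswith("nhrp auth")]
    found = [] if permits_gre(hub) else ["Hub: no security-policy rule permitting GRE"]
    for name, cfg in spokes.items():
        tun, lines = iface_addr(cfg, "Tunnel0"), section(cfg, "interface Tunnel0")
        if tun.network != hub_tun.network:  # OSPF broadcast needs the same mask on every tunnel
            found.append(f"{name}: tunnel {tun} is not in the Hub tunnel subnet {hub_tun.network}")
        if [l for l in lines if l.startswith("nhrp auth")] != hub_auth:
            found.append(f"{name}: NHRP authentication differs from the Hub")
        if not any(l.startswith(f"nhrp entry {hub_tun.ip} {hub_pub.ip} register") for l in lines):
            found.append(f"{name}: NHS entry does not point at Hub {hub_tun.ip} via {hub_pub.ip}")
        if not permits_gre(cfg):
            found.append(f"{name}: no security-policy rule permitting GRE")
    return found
```

Run check_dsvpn(HUB, {"Spoke1": SPOKE1}) on the real scripts (paste the full text in place of the excerpts) and treat any non-empty result as a reason not to deploy; a Hub tunnel address with a 255.255.255.255 mask, for instance, is reported as a subnet mismatch.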

Result Verification

From a PC behind Spoke1, ping the LoopBack IP of Spoke2 or access services; this triggers dynamic mGRE tunnel creation.

Check Network → DSVPN → Monitoring on Spoke1 to see tunnel status UP for Hub and Spoke2.

Conclusion

By leveraging Huawei DSVPN, the network connects headquarters in Beijing and Shanghai with dynamic, cost‑effective VPN tunnels that eliminate the need for static public IP lines, simplify management through automatic registration, and improve performance by allowing direct branch‑to‑branch traffic, reducing latency and resource consumption at the hub.
