Updated on 2025-08-18 GMT+08:00

Configuration on the Firewall

Prerequisites

The basic network configuration of the Sangfor virtual firewall has been completed.

Procedure

  1. Log in to the firewall management page.

    The following uses 8.35R1 as an example. The management page may vary depending on the firewall version. For details, see the product documentation of the corresponding version.

  2. Configure the uplink port on the firewall.
    1. Choose Network > Interface > Physical Interface.
    2. Locate the row that contains eth0 and click Edit in the Operation column to configure the interface attributes.
    3. Set Zone to L3_trust_A and select WAN for Basic Attributes.
  3. Enable the IPsec VPN capability of the firewall.
    1. Choose Network > IPSecVPN > DLAN Running Status.
    2. In the VPN Running Status area, select Enable VPN service.
  4. Configure an IPsec VPN line.
    1. Choose Network > IPSecVPN > Basic Configuration.
    2. In the IPsec VPN Line area, click Add Line.
    3. Set parameters as prompted.

      Table 1 describes the parameters. For other parameters, use their default settings.

      Table 1 Parameter description

      | Parameter | Description | Value |
      | --- | --- | --- |
      | Line interface | WAN. If no option is available, check whether Step 2 was completed successfully. If the network deployment mode changes, delete the original line and add a new one by referring to Step 2. | eth0 |
      | Link type | Fixed IP address, Internet dial-up line, Private line, or 4G | Fixed IP address |
      | Carrier | CMCC, China Unicom, or China Telecom | China Unicom |
      | EIP | If the device is deployed in one-armed mode and no public IP address is configured for the WAN interface, configure a public IP address for the line. | 1.1.1.1 |
      | Enable Status | Select Enable. | Enable |

    4. Click Expand Settings in the Advanced area, set VPN Interface to Custom, and set the VPN interface IP address to the public IP address of the firewall.
  5. Configure an access control policy.
    1. Choose Policy > Access Control > Application Control Policy.
    2. On the Policy Configuration tab page, click Create.
    3. Configure an application control policy, as shown in Table 2. For other parameters, use their default settings.
      Table 2 Parameter description

      | Area | Parameter | Value |
      | --- | --- | --- |
      | Basic Info | Name | any |
      | Basic Info | Status | Enable |
      | Source | Source area | any |
      | Source | Source address | Network Object-All |
      | Destination | Destination zone | any |
      | Destination | Destination address | All |
      | Destination | Service | any |
      | Destination | Application | All |
      | Effective Condition Settings | Mandatory/Optional | Allow |
      | Effective Condition Settings | Effective time | Full day |

  6. Configure a source NAT policy.
    1. Choose Policy > Address Translation.
    2. In the IPv4 Address Translation area, click Create.
    3. Configure source NAT information, as shown in Table 3. For other parameters, use their default settings.
      Table 3 Parameter description

      | Area | Parameter | Value |
      | --- | --- | --- |
      | - | Translation Type | Source NAT |
      | Basic information | Name | snat001 |
      | Basic information | Enabling State | Enable |
      | Basic information | Effective time | Full day |
      | Original Data Packet | Source area | L3_trust_A, which must be the same as the Zone configured in Step 2 |
      | Original Data Packet | Source address | All |
      | Original Data Packet | Destination Zone/Interface | Zone: L3_trust_A |
      | Original Data Packet | Destination address | All |
      | Original Data Packet | Service | any |
      | Translated Data Packet | Source Address After NAT | Specified IP address: 172.16.0.0/24 |
      | Translated Data Packet | Destination Address Translation To | No translation |
      | Translated Data Packet | Destination Port Translated To | No translation |

  7. Configure VPN connection information.
    1. Choose Network > IPSecVPN > Third-Party Interconnection Management and click Add Third-Party Device.
    2. Set parameters as prompted.

      Table 4 describes the parameters. For other parameters, use their default settings.

      Table 4 Parameter description

      | Area | Parameter | Description | Value |
      | --- | --- | --- | --- |
      | Basic Configurations | Device Name | Set the name of the VPN peer. | hwvpn-01 |
      | Basic Configurations | Enable/Disable | Select Enable. | Enable |
      | Basic Configurations | Peer device address type | Select Fixed IP. | Fixed IP |
      | Basic Configurations | Peer IP address | Mandatory only when Peer device address type is set to Fixed IP. | 1.1.1.2 |
      | Basic Configurations | Peer Domain Name Address | Mandatory only when Peer device address type is set to Dynamic Domain Name. | - |
      | Basic Configurations | Authentication Mode - Pre-shared Key | Must be the same as the pre-shared key configured in Table 3. | Test@123 |
      | Basic Configurations | Local Connection Line | Select the IPsec VPN line configured in Step 4 (Configure an IPsec VPN line). | eth0 (Fixed IP address of China Unicom Internet) |
      | Basic Configurations | Encrypted data flow | Encrypted data flows are configured per subnet pair, one flow for each combination of a local subnet and a peer subnet. For example, two subnets in the user data center and two subnets in the Huawei Cloud VPC require four encrypted data flows. When configuring a data flow for the first time, click Add to add the encrypted data flow information. | See the four encrypted data flows listed after this table. |
      | IKE | IKE version | Select IKEv2. | IKEv2 |
      | IKE | Active Connection | Select Enable. | Enable |
      | IKE | Local identity type | Select IP Address(IPV4_ADDR). | IP Address(IPV4_ADDR) |
      | IKE | Local identity ID | Can be left empty when Peer device address type is Fixed IP or Dynamic domain name and Local identity type is IP Address(IPV4_ADDR) or Certificate DN(DN). Must be set if NAT is deployed between the two devices. | 1.1.1.1 |
      | IKE | Peer identity type | Select IP Address(IPV4_ADDR). | IP Address(IPV4_ADDR) |
      | IKE | Peer identity ID | Can be left empty when Peer device address type is Fixed IP or Dynamic domain name and Peer identity type is IP Address(IPV4_ADDR) or Certificate DN(DN). Must be set if NAT is deployed between the two devices. | 1.1.1.2 |
      | IKE | IKE SA timeout | Lifetime of the IKE security association (SA). The SA is renegotiated when its lifetime expires. Unit: second. Value range: 600 to 864000. | 3600 |
      | IKE | D-H group | Set this parameter to group 15. | group 15 |
      | IKE | DPD | Whether to send dead peer detection (DPD) packets automatically to check that the peer is alive and tear down failed tunnels promptly. DPD must be enabled or disabled on both ends. | Enable |
      | IKE | Detection time | Unit: second. Value range: 5 to 60. | 30 |
      | IKE | Number of timeouts | Value range: 1 to 6. | 5 |
      | IKE | Phase 1 security proposal | IKE policy information, which must be the same as that configured in Table 3. The proposal is sent to the peer and compared with the peer's proposal; the proposal supported by both ends is used. If this is the first configuration, click Add to add the IKE policy information. | Encryption algorithm: AES256; Authentication Algorithm: SHA2-256; PRF: SHA2-256 |
      | IPsec | Number of retries | Number of times negotiation packets are retransmitted when they are lost or not received during a single negotiation. Value range: 1 to 20. | 10 |
      | IPsec | IPsec SA timeout | Lifetime of the IPsec security association (SA). The SA is renegotiated when its lifetime expires. Unit: second. Value range: 600 to 864000. | 28800 |
      | IPsec | Expiration time | Select Disable. | Disable |

      Encrypted data flows (Table 4, Encrypted data flow)

      All four flows use the same settings apart from the subnet pair: Local intranet service: ALL Services; Peer intranet service: ALL Services; Priority: 128; Phase 2 security proposal, which must be the same as the IPsec policy configured in Table 3: Protocol ESP, Encryption algorithm AES-256, Authentication algorithm SHA2-256, Perfect forward secrecy (PFS) group 15.

      • Encrypted data flow 1: Local IP address 172.16.0.0/24, Peer address 192.168.0.0/24
      • Encrypted data flow 2: Local IP address 172.16.0.0/24, Peer address 192.168.1.0/24
      • Encrypted data flow 3: Local IP address 172.16.1.0/24, Peer address 192.168.0.0/24
      • Encrypted data flow 4: Local IP address 172.16.1.0/24, Peer address 192.168.1.0/24
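The rules that Table 4 states in prose (one encrypted data flow per subnet pair, SA timeouts inside the stated ranges, IKE version, pre-shared key, proposals and DPD identical on both ends) can be checked before anything is typed into the GUI. The following is an added example, not code from the page, Sangfor or Huawei Cloud: the Proposal and TunnelSide classes are hypothetical models, the firewall side is filled from Table 4, and the cloud side is a constructed mirror of it.

```python
from dataclasses import dataclass
from itertools import product
from ipaddress import ip_network
# Value ranges stated in Table 4 for the SA timeouts (seconds).
RANGES = {"ike_sa_lifetime": (600, 864000), "ipsec_sa_lifetime": (600, 864000)}

@dataclass(frozen=True)
class Proposal:
    encryption: str      # cipher, e.g. "AES-256" (never a hash)
    authentication: str  # integrity hash, e.g. "SHA2-256"
    dh_group: str        # IKE D-H group / phase 2 PFS group, e.g. "group 15"

@dataclass
class TunnelSide:
    ike_version: str
    psk: str
    phase1: Proposal
    phase2: Proposal
    local_subnets: tuple
    peer_subnets: tuple
    dpd_enabled: bool = True          # Table 4: must match on both ends
    ike_sa_lifetime: int = 3600       # Table 4 values
    ipsec_sa_lifetime: int = 28800

def encrypted_data_flows(local_subnets, peer_subnets):
    """One flow per (local, peer) subnet pair, as Table 4 requires (2 x 2 -> 4)."""
    return sorted((str(ip_network(l)), str(ip_network(p)))
                  for l, p in product(local_subnets, peer_subnets))

def check_tunnel(fw, cloud):
    """Return the list of problems; an empty list means the two ends agree."""
    problems = [f"{k}={getattr(fw, k)} outside {lo}..{hi}"
                for k, (lo, hi) in RANGES.items() if not lo <= getattr(fw, k) <= hi]
    problems += [f"{k} differs between the two ends"
                 for k in ("ike_version", "psk", "phase1", "phase2", "dpd_enabled")
                 if getattr(fw, k) != getattr(cloud, k)]
    # Catch the swapped-label mistake: a hash name in the encryption field.
    problems += [f"{k}: hash '{getattr(fw, k).encryption}' used as the cipher"
                 for k in ("phase1", "phase2") if getattr(fw, k).encryption.upper().startswith("SHA")]
    # Every local->peer flow on the firewall must appear reversed on the cloud side.
    mirrored = sorted((p, l) for l, p in encrypted_data_flows(cloud.local_subnets, cloud.peer_subnets))
    if encrypted_data_flows(fw.local_subnets, fw.peer_subnets) != mirrored:
        problems.append("encrypted data flows are not mirror images of each other")
    return problems

# Constructed sample: the firewall side from Table 4 and a cloud side that mirrors it.
P1 = Proposal("AES-256", "SHA2-256", "group 15")
FIREWALL = TunnelSide("IKEv2", "Test@123", P1, P1, ("172.16.0.0/24", "172.16.1.0/24"),
                      ("192.168.0.0/24", "192.168.1.0/24"))
CLOUD = TunnelSide("IKEv2", "Test@123", P1, P1, FIREWALL.peer_subnets, FIREWALL.local_subnets)
```

`check_tunnel(FIREWALL, CLOUD)` returns an empty list for the values above; change one end's IKE version, key, proposal or subnet list and the mismatch is named.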