Configuration on the Firewall
- Log in to the CLI of the firewall.
The commands may vary according to the firewall models and versions. For details, see the product documentation of the corresponding version.
- Configure basic information.
- Configure IP addresses for interfaces of the firewall.
interface GigabitEthernet1/0/1 # Configure a public IP address for an interface of the firewall.
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet1/0/2 # Configure a private IP address for an interface of the firewall.
 ip address 172.16.0.233 255.255.0.0
- Add interfaces to security zones.
firewall zone untrust
 add interface GigabitEthernet1/0/1
firewall zone trust
 add interface GigabitEthernet1/0/2
- Configure the TCP MSS.
firewall tcp-mss 1300 # Lower the TCP MSS so that packets still fit in the path MTU after the IPsec headers are added and are not fragmented.
- Configure negotiation policies.
ike proposal 100 # Configure an IKE proposal for the VPN connection to be established between the public IP address of the firewall and the active EIP of the VPN gateway.
 authentication-algorithm sha2-256 # Set the same authentication algorithm as that configured in the IKE policy in Table 3.
 encryption-algorithm aes-128 # Set the same encryption algorithm as that configured in the IKE policy in Table 3.
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 dh group15 # Set the same DH group as that configured in the IKE policy in Table 3.
 sa duration 86400 # Set the same lifetime as that configured in the IKE policy in Table 3.
ike peer hwcloud_peer33
 undo version 1 # Set the same IKE version as that configured in the IKE policy in Table 3 (disabling IKEv1 leaves IKEv2 only).
 pre-shared-key Test@123 # Set the same PSK as that configured in Table 3.
 ike-proposal 100
 remote-address 1.1.1.2 # Specify the active EIP of the VPN gateway.
ipsec proposal IPsec-pro100 # Configure an IPsec proposal for the VPN connection to be established between the public IP address of the firewall and the active EIP of the VPN gateway.
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256 # Set the same authentication algorithm as that configured in the IPsec policy in Table 3.
 esp encryption-algorithm aes-128 # Set the same encryption algorithm as that configured in the IPsec policy in Table 3.
ike proposal 200 # Configure the proposals for the VPN connection to be established between the public IP address of the firewall and the standby EIP of the VPN gateway.
 authentication-algorithm sha2-256
 encryption-algorithm aes-128
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 dh group15
 sa duration 86400
ike peer hwcloud_peer44
 undo version 1
 pre-shared-key Test@123
 ike-proposal 200
 remote-address 2.2.2.2 # Specify the standby EIP of the VPN gateway.
ipsec proposal IPsec-pro200
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
- Configure IPsec tunnels.
ipsec profile HW-IPsec100 # Configure a route-based IPsec profile for the tunnel from the public IP address of the firewall to the active EIP of the VPN gateway.
 ike-peer hwcloud_peer33
 proposal IPsec-pro100
 pfs dh-group15 # Set the same PFS as that configured in the IPsec policy in Table 3.
 sa duration time-based 3600 # Set the same lifetime as that configured in the IPsec policy in Table 3.
ipsec profile HW-IPsec200 # Configure the matching profile for the tunnel to the standby EIP; Tunnel200 below references it, so it must exist.
 ike-peer hwcloud_peer44
 proposal IPsec-pro200
 pfs dh-group15
 sa duration time-based 3600
interface Tunnel100
 ip address 169.254.70.2 255.255.255.252 # Specify the IP address of tunnel interface 1 on the firewall.
 tunnel-protocol ipsec
 source 1.1.1.1 # Specify the public IP address of the firewall.
 destination 1.1.1.2 # Specify the active EIP of the VPN gateway.
 service-manage ping permit
 ipsec profile HW-IPsec100
firewall zone untrust
 add interface Tunnel100
interface Tunnel200
 ip address 169.254.71.2 255.255.255.252 # Specify the IP address of tunnel interface 2 on the firewall.
 tunnel-protocol ipsec
 source 1.1.1.1 # Specify the public IP address of the firewall.
 destination 2.2.2.2 # Specify the standby EIP of the VPN gateway.
 service-manage ping permit
 ipsec profile HW-IPsec200
firewall zone untrust
 add interface Tunnel200
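The parameter agreement the comments above insist on (the same algorithms, DH group, lifetimes and IKE version as the cloud-side policy) is where most tunnels fail to come up, and the next most common defect is a reference to a proposal, peer or profile that was never created. The script below is an added illustration, not Huawei's code and not part of the original page: it parses the CLI views shown in the negotiation-policy and tunnel sections and reports both kinds of problem. It assumes the text is laid out as the page shows it (view headers in column 0, body commands indented one space); the EXPECTED table is a constructed stand-in for the page's Table 3, filled with the values the configuration above uses, and the sample configuration is constructed from the same values with one deliberate gap so the check has something to report.

```python
"""Consistency check for a route-based IPsec configuration on a USG-style Huawei firewall.
Added illustration, not code from the page or from Huawei: it parses the CLI views and
reports dangling references and parameters that differ from what the cloud side expects."""
import re
from collections import defaultdict

# Constructed sample built from the page's values, with one deliberate defect:
# Tunnel200 references profile HW-IPsec200, which is never defined.
SAMPLE_CONFIG = """\
ike proposal 100
 authentication-algorithm sha2-256
 encryption-algorithm aes-128
 dh group15
 sa duration 86400
ike peer hwcloud_peer33
 undo version 1
 pre-shared-key Test@123
 ike-proposal 100
 remote-address 1.1.1.2
ipsec proposal IPsec-pro100
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec profile HW-IPsec100
 ike-peer hwcloud_peer33
 proposal IPsec-pro100
 pfs dh-group15
 sa duration time-based 3600
interface Tunnel100
 destination 1.1.1.2
 ipsec profile HW-IPsec100
interface Tunnel200
 destination 2.2.2.2
 ipsec profile HW-IPsec200
"""

# Assumed stand-in for the cloud-side policy table (the page's "Table 3" is not reproduced here).
EXPECTED = {
    "ike": {"authentication-algorithm": "sha2-256", "encryption-algorithm": "aes-128",
            "dh": "group15", "sa duration": "86400", "version": "2"},
    "ipsec": {"esp authentication-algorithm": "sha2-256", "esp encryption-algorithm": "aes-128",
              "pfs": "dh-group15", "sa duration": "time-based 3600"},
}

HEADER = re.compile(r"^(ike proposal|ike peer|ipsec proposal|ipsec profile|interface) (\S+)$")
TWO_WORD = {"sa", "esp", "undo", "ipsec"}  # keywords whose first token alone is ambiguous

def parse(text):
    """Group the CLI into {view kind: {name: {keyword: value}}}; view headers start in column 0."""
    views, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = None if raw.startswith(" ") else HEADER.match(line)
        if head:
            current = views[head.group(1)].setdefault(head.group(2), {})
        elif current is not None:
            parts = line.split()
            n = 2 if parts[0] in TWO_WORD and len(parts) > 2 else 1
            current[" ".join(parts[:n])] = " ".join(parts[n:])
    return views

def _mismatches(actual, expected, where):
    """Compare case-insensitively, since the CLI accepts AES-128 and aes-128 alike."""
    return [f"{where}: {key} is {actual.get(key)!r}, cloud side expects {want!r}"
            for key, want in expected.items()
            if (actual.get(key) or "").lower() != want.lower()]

def check(config_text, expected=EXPECTED):
    """Return a list of findings; an empty list means the configuration is consistent."""
    cfg = parse(config_text)
    peers, profiles, findings = cfg["ike peer"], cfg["ipsec profile"], []
    for name, peer in peers.items():
        prop = cfg["ike proposal"].get(peer.get("ike-proposal"))
        if prop is None:
            findings.append(f"ike peer {name}: ike-proposal {peer.get('ike-proposal')!r} is not defined")
            continue
        # Both IKE versions are enabled by default; `undo version 1` leaves IKEv2 only.
        version = "2" if peer.get("undo version") == "1" else "1 and 2"
        findings += _mismatches({**prop, "version": version}, expected["ike"], f"ike peer {name}")
    for name, prof in profiles.items():
        if prof.get("ike-peer") not in peers:
            findings.append(f"ipsec profile {name}: ike-peer {prof.get('ike-peer')!r} is not defined")
        prop = cfg["ipsec proposal"].get(prof.get("proposal"))
        if prop is None:
            findings.append(f"ipsec profile {name}: proposal {prof.get('proposal')!r} is not defined")
            continue
        merged = {**prop, "pfs": prof.get("pfs", ""), "sa duration": prof.get("sa duration", "")}
        findings += _mismatches(merged, expected["ipsec"], f"ipsec profile {name}")
    for name, iface in cfg["interface"].items():
        if not name.lower().startswith("tunnel"):
            continue  # physical interfaces carry no IPsec profile
        prof = profiles.get(iface.get("ipsec profile"))
        if prof is None:
            findings.append(f"interface {name}: ipsec profile {iface.get('ipsec profile')!r} is not defined")
            continue
        remote = peers.get(prof.get("ike-peer"), {}).get("remote-address")
        if iface.get("destination") != remote:
            findings.append(f"interface {name}: destination {iface.get('destination')} differs from the ike peer remote-address {remote}")
    return findings
```

Run `check()` over the output of `display current-configuration` saved to a file, or over the sample; with the sample it reports only the undefined HW-IPsec200 profile, and changing any algorithm, DH group or lifetime in the sample produces a second finding naming the view and the value the cloud side expects.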
- Configure routes.
- Configure static routes to the public IP addresses of the Huawei Cloud side.
ip route-static 1.1.1.2 255.255.255.255 1.1.1.1 # Active EIP of the VPN gateway, a 255.255.255.255 mask, and the gateway address of the firewall's public interface.
ip route-static 2.2.2.2 255.255.255.255 1.1.1.1 # Standby EIP of the VPN gateway, a 255.255.255.255 mask, and the same gateway address.
The next hop in these routes is the upstream gateway of the firewall's public interface, not the firewall's own interface address; replace 1.1.1.1 with the gateway address that GigabitEthernet1/0/1 actually uses.
- Configure BGP peers and BGP routes.
bgp 64515 # BGP AS number of the firewall.
 router-id 1.1.1.1
 private-4-byte-as enable
 peer 169.254.70.1 as-number 64512 # Tunnel interface address and BGP AS number of the VPN gateway on the active tunnel.
 peer 169.254.70.1 connect-interface Tunnel100
 peer 169.254.71.1 as-number 64512 # Tunnel interface address and BGP AS number of the VPN gateway on the standby tunnel.
 peer 169.254.71.1 connect-interface Tunnel200
 ipv4-family unicast
  network 172.16.0.0 255.255.255.0 # Advertise the on-premises subnet; the prefix must exist in the IP routing table exactly as written for BGP to advertise it.
  peer 169.254.70.1 enable
  peer 169.254.71.1 enable
- Configure a security policy.
ip address-set localsubnet172 type object # Define an address object.
 address 0 172.16.0.0 mask 16 # Configure the subnet of the on-premises data center.
ip address-set HWCsubnet192 type object
 address 0 192.168.0.0 mask 24 # Configure the subnets of the Huawei Cloud VPC.
 address 1 192.168.1.0 mask 24 # Each entry in an address set needs its own ID.
security-policy
 rule name IPsec_permit1 # Permit the IKE and IPsec control traffic that terminates on the firewall itself.
  source-zone untrust
  source-zone internet
  source-zone local
  destination-zone untrust
  destination-zone internet
  destination-zone local
  service ah esp
  service protocol udp destination-port 500 4500
  action permit
 rule name IPsec_permit2 # Permit traffic between the on-premises subnet and the VPC subnets through the tunnels.
  source-zone untrust
  source-zone internet
  source-zone trust
  destination-zone untrust
  destination-zone internet
  destination-zone trust
  source-address address-set localsubnet172
  source-address address-set HWCsubnet192
  destination-address address-set localsubnet172
  destination-address address-set HWCsubnet192
  action permit
nat-policy
 rule name IPsec_subnet_bypass # Exempt tunnel traffic from source NAT; NAT rules are matched in order, so keep this rule above any outbound NAT rule.
  source-zone trust
  destination-zone untrust
  destination-zone internet
  source-address address-set localsubnet172
  destination-address address-set HWCsubnet192
  action no-nat