Help Center/ Virtual Private Network/ Administrator Guide/ Interconnection with a Huawei AR Router (Active-Active Connections)/ Static Routing Mode/ Operation Guide
Updated on 2023-10-20 GMT+08:00
View PDF

Operation Guide

Scenario

Figure 1 shows the typical networking where a VPN gateway on Huawei Cloud connects to a Huawei access router (AR) in an on-premises data center in static routing mode.

Figure 1 Typical networking diagram

In this scenario, the AR router has only one public IP address. VPN connections need to be created between the public IP address of the firewall and the active and standby EIPs of the Huawei Cloud VPN gateway.

Data Plan

Table 1 Data plan

Category

Item

Data

VPC

Subnet that needs to access the on-premises data center
  • 192.168.0.0/24
  • 192.168.1.0/24

VPN gateway

Interconnection subnet

This subnet is used for communication between the VPN gateway and VPC. Ensure that the selected interconnection subnet has four or more assignable IP addresses.

192.168.2.0/24

EIP

EIPs are automatically generated when you buy them. By default, a VPN gateway uses two EIPs. In this example, the EIPs are as follows:

  • Active EIP: 1.1.1.2
  • Standby EIP: 2.2.2.2

VPN connection

Tunnel interface address

This address is used by a VPN gateway to establish an IPsec tunnel with a customer gateway. At the two ends of the IPsec tunnel, the configured local and remote tunnel interface addresses must be reversed.

  • VPN connection 1: 169.254.70.2/30
  • VPN connection 2: 169.254.71.2/30

On-premises data center

Subnet that needs to access the VPC

172.16.0.0/16

AR router

Public IP address

This public IP address is assigned by a carrier. In this example, the public IP address is:

1.1.1.1

Tunnel interface address
  • VPN connection 1: 169.254.70.1/30
  • VPN connection 2: 169.254.71.1/30

IKE and IPsec policies

PSK

Test@123

IKE policy
  • Authentication algorithm: SHA2-256
  • Encryption algorithm: AES-128
  • DH algorithm: DH Group 14
  • IKE version: IKEv2
  • Lifetime (s): 86400
  • Local ID: IP address
  • Peer ID: IP address

IPsec policy
  • Authentication algorithm: SHA2-256
  • Encryption algorithm: AES-128
  • PFS: DH Group 14
  • Transfer protocol: ESP
  • Lifetime (s): 3600

Operation Process

Figure 2 shows the process of using the VPN service to enable communication between the data center and VPC.

Figure 2 Operation process
Table 2 Operation process description

No.

Configuration Interface

Step

Description

1

Management console

Create a VPN gateway.

Bind two EIPs to the VPN gateway.

If you have purchased EIPs, you can directly bind them to the VPN gateway.

2

Create a customer gateway.

Configure the AR router as the customer gateway.

3

Create VPN connection 1.

Create a VPN connection between the active EIP of the VPN gateway and the customer gateway.

4

Create VPN connection 2.

Create a VPN connection between the standby EIP of the VPN gateway and the customer gateway.

It is recommended that the routing mode, PSK, IKE policy, and IPsec policy settings of the two VPN connections be the same.

5

CLI of the AR router

Configuration on the AR Router
  • The local and remote interface addresses configured on the AR router must be the same as the customer and local interface addresses configured on the VPN console.
  • The routing mode, PSK, IKE policy, and IPsec policy settings on the AR router must be same as those of VPN connections.

6

-

Verification

Run the ping command to verify network connectivity.
Parent topic: Static Routing Mode