Updated on 2023-10-20 GMT+08:00

Step 5: Configuring the Customer Gateway Device

Procedure

In this example, the customer gateway device is a Huawei AR router. For more examples of configuring customer gateway devices, see the Administrator Guide.

  1. Log in to the AR router.
  2. Enter the system view.

    <AR651>system-view

  3. Configure an IP address for the WAN interface. In this example, the WAN interface of the AR router is GigabitEthernet 0/0/8.

    [AR651]interface GigabitEthernet 0/0/8
    [AR651-GigabitEthernet0/0/8]ip address 22.xx.xx.22 255.255.255.0
    [AR651-GigabitEthernet0/0/8]quit

  4. Configure a default route.

    [AR651]ip route-static 0.0.0.0 0.0.0.0 22.xx.xx.1

    In this command, 22.xx.xx.1 is the next-hop gateway for the AR router's public IP address. Replace it with the actual gateway address.

  5. Enable the SHA-2 algorithm to be compatible with the standard RFC algorithms.

    [AR651]IPsec authentication sha2 compatible enable

  6. Configure an IPsec proposal.

    [AR651]IPsec proposal hwproposal1
    [AR651-IPsec-proposal-hwproposal1]esp authentication-algorithm sha2-256
    [AR651-IPsec-proposal-hwproposal1]esp encryption-algorithm aes-128
    [AR651-IPsec-proposal-hwproposal1]quit

  7. Configure an IKE proposal.

    [AR651]ike proposal 2
    [AR651-ike-proposal-2]encryption-algorithm aes-128
    [AR651-ike-proposal-2]dh group15
    [AR651-ike-proposal-2]authentication-algorithm sha2-256
    [AR651-ike-proposal-2]authentication-method pre-share
    [AR651-ike-proposal-2]integrity-algorithm hmac-sha2-256
    [AR651-ike-proposal-2]prf hmac-sha2-256
    [AR651-ike-proposal-2]quit

  8. Configure IKE peers.

    [AR651]ike peer hwpeer1
    [AR651-ike-peer-hwpeer1]undo version 1
    [AR651-ike-peer-hwpeer1]pre-shared-key cipher Test@123
    [AR651-ike-peer-hwpeer1]ike-proposal 2
    [AR651-ike-peer-hwpeer1]local-address 22.xx.xx.22
    [AR651-ike-peer-hwpeer1]remote-address 11.xx.xx.11
    [AR651-ike-peer-hwpeer1]rsa encryption-padding oaep
    [AR651-ike-peer-hwpeer1]rsa signature-padding pss
    [AR651-ike-peer-hwpeer1]ikev2 authentication sign-hash sha2-256
    [AR651-ike-peer-hwpeer1]quit
    #
    [AR651]ike peer hwpeer2
    [AR651-ike-peer-hwpeer2]undo version 1
    [AR651-ike-peer-hwpeer2]pre-shared-key cipher Test@123
    [AR651-ike-peer-hwpeer2]ike-proposal 2
    [AR651-ike-peer-hwpeer2]local-address 22.xx.xx.22
    [AR651-ike-peer-hwpeer2]remote-address 11.xx.xx.12
    [AR651-ike-peer-hwpeer2]rsa encryption-padding oaep
    [AR651-ike-peer-hwpeer2]rsa signature-padding pss
    [AR651-ike-peer-hwpeer2]ikev2 authentication sign-hash sha2-256
    [AR651-ike-peer-hwpeer2]quit

    The commands are described as follows:

    • undo version 1: disables IKEv1 so that the peer negotiates with IKEv2 only.
    • pre-shared-key cipher: configures the PSK, which must be identical to the PSK configured for the VPN connection on the VPN console (Test@123 is only a sample value).
    • local-address: specifies the public IP address of the AR router.
    • remote-address: specifies the active EIP (hwpeer1) or active EIP 2 (hwpeer2) of the VPN gateway.

  9. Configure an IPsec profile.

    [AR651]IPsec profile hwpro1
    [AR651-IPsec-profile-hwpro1]ike-peer hwpeer1
    [AR651-IPsec-profile-hwpro1]proposal hwproposal1
    [AR651-IPsec-profile-hwpro1]pfs dh-group15
    [AR651-IPsec-profile-hwpro1]quit
    #
    [AR651]IPsec profile hwpro2
    [AR651-IPsec-profile-hwpro2]ike-peer hwpeer2
    [AR651-IPsec-profile-hwpro2]proposal hwproposal1
    [AR651-IPsec-profile-hwpro2]pfs dh-group15
    [AR651-IPsec-profile-hwpro2]quit

  10. Configure virtual tunnel interfaces.

    [AR651]interface Tunnel0/0/1
    [AR651-Tunnel0/0/1]mtu 1400
    [AR651-Tunnel0/0/1]ip address 169.254.70.1 255.255.255.252
    [AR651-Tunnel0/0/1]tunnel-protocol IPsec
    [AR651-Tunnel0/0/1]source 22.xx.xx.22
    [AR651-Tunnel0/0/1]destination 11.xx.xx.11
    [AR651-Tunnel0/0/1]IPsec profile hwpro1
    [AR651-Tunnel0/0/1]quit
    #
    [AR651]interface Tunnel0/0/2
    [AR651-Tunnel0/0/2]mtu 1400
    [AR651-Tunnel0/0/2]ip address 169.254.71.1 255.255.255.252
    [AR651-Tunnel0/0/2]tunnel-protocol IPsec
    [AR651-Tunnel0/0/2]source 22.xx.xx.22
    [AR651-Tunnel0/0/2]destination 11.xx.xx.12
    [AR651-Tunnel0/0/2]IPsec profile hwpro2
    [AR651-Tunnel0/0/2]quit

    The commands are described as follows:

    • interface Tunnel0/0/1 and interface Tunnel0/0/2: indicate the tunnel interfaces corresponding to the two VPN connections.

      In this example, Tunnel0/0/1 establishes a VPN connection with the active EIP of the VPN gateway, and Tunnel0/0/2 establishes a VPN connection with active EIP 2 of the VPN gateway.

    • ip address: configures the tunnel interface address on the AR router; the /30 mask leaves exactly one other usable address, which is the tunnel interface address on the VPN gateway side.
    • source: specifies the public IP address of the AR router.
    • destination: specifies the active EIP (Tunnel0/0/1) or active EIP 2 (Tunnel0/0/2) of the VPN gateway, and must match the remote-address of the IKE peer referenced by the tunnel's IPsec profile.

  11. Configure NQA (Network Quality Analysis) test instances that probe each tunnel.

    [AR651]nqa test-instance IPsec_nqa1 IPsec_nqa1
    [AR651-nqa-IPsec_nqa1-IPsec_nqa1]test-type icmp
    [AR651-nqa-IPsec_nqa1-IPsec_nqa1]destination-address ipv4 169.254.70.2
    [AR651-nqa-IPsec_nqa1-IPsec_nqa1]source-address ipv4 169.254.70.1
    [AR651-nqa-IPsec_nqa1-IPsec_nqa1]frequency 15
    [AR651-nqa-IPsec_nqa1-IPsec_nqa1]ttl 255
    [AR651-nqa-IPsec_nqa1-IPsec_nqa1]start now
    [AR651-nqa-IPsec_nqa1-IPsec_nqa1]quit
    #
    [AR651]nqa test-instance IPsec_nqa2 IPsec_nqa2
    [AR651-nqa-IPsec_nqa2-IPsec_nqa2]test-type icmp
    [AR651-nqa-IPsec_nqa2-IPsec_nqa2]destination-address ipv4 169.254.71.2
    [AR651-nqa-IPsec_nqa2-IPsec_nqa2]source-address ipv4 169.254.71.1
    [AR651-nqa-IPsec_nqa2-IPsec_nqa2]frequency 15
    [AR651-nqa-IPsec_nqa2-IPsec_nqa2]ttl 255
    [AR651-nqa-IPsec_nqa2-IPsec_nqa2]start now
    [AR651-nqa-IPsec_nqa2-IPsec_nqa2]quit

    The commands are described as follows:

    • nqa test-instance IPsec_nqa1 IPsec_nqa1 and nqa test-instance IPsec_nqa2 IPsec_nqa2: configure two NQA test instances named IPsec_nqa1 and IPsec_nqa2.

      In this example, the test instance IPsec_nqa1 is created for the VPN connection to which the active EIP of the VPN gateway belongs; the test instance IPsec_nqa2 is created for the VPN connection to which active EIP 2 of the VPN gateway belongs.

    • destination-address: specifies the tunnel interface address of the VPN gateway (the far end of the tunnel's /30 link), which the ICMP probe pings every 15 seconds.
    • source-address: specifies the tunnel interface address of the AR router, so the probe is sent through the tunnel rather than over the public interface.

  12. Associate each static route with its NQA test instance, so that a route is withdrawn when the probe for its tunnel fails.

    [AR651]ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/1 track nqa IPsec_nqa1 IPsec_nqa1
    [AR651]ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/2 track nqa IPsec_nqa2 IPsec_nqa2

    The parameters are described as follows:

    • 192.168.0.0 indicates the local subnet of the VPC.
    • Tunnelx and IPsec_nqax in the same command must correspond to the same VPN connection; if a route tracks the probe of the other tunnel, failover will not work as intended.
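    The wiring between steps 10, 11 and 12 is easy to get wrong when there are two tunnels. The following script is an added example, not part of this guide or of the AR router's own tooling: it parses a constructed configuration in the layout of saved VRP configuration (public addresses omitted) and checks that every tracked static route references an NQA instance that probes the far end of that same tunnel's /30 link from the tunnel's own address.

```python
# Added example (not from the page): cross-check that each tunnel's tracked static
# route uses an NQA instance that probes the far end of that same tunnel's /30 link.
import ipaddress
import re

# Constructed sample in the layout of saved VRP configuration (public addresses omitted).
SAMPLE_CONFIG = """\
interface Tunnel0/0/1
 ip address 169.254.70.1 255.255.255.252
interface Tunnel0/0/2
 ip address 169.254.71.1 255.255.255.252
nqa test-instance IPsec_nqa1 IPsec_nqa1
 destination-address ipv4 169.254.70.2
 source-address ipv4 169.254.70.1
nqa test-instance IPsec_nqa2 IPsec_nqa2
 destination-address ipv4 169.254.71.2
 source-address ipv4 169.254.71.1
ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/1 track nqa IPsec_nqa1 IPsec_nqa1
ip route-static 192.168.0.0 255.255.255.0 Tunnel0/0/2 track nqa IPsec_nqa2 IPsec_nqa2
"""

def parse(text):
    """Group each top-level command with its indented sub-commands: {header: {keyword: args}}."""
    sections, current = {}, {}
    for line in text.splitlines():
        if line.startswith(" "):
            key, _, args = line.strip().partition(" ")
            current[key] = args
        else:
            current = sections.setdefault(line.strip(), {})
    return sections

def check_tracking(text):
    """Return problems found in route/NQA/tunnel wiring; an empty list means consistent."""
    cfg, problems = parse(text), []
    for hdr in cfg:
        m = re.match(r"^ip route-static .* (Tunnel\S+) track nqa (\S+) (\S+)$", hdr)
        if not m:
            continue
        tun, admin, name = m.groups()
        nqa = cfg.get(f"nqa test-instance {admin} {name}")
        if nqa is None:
            problems.append(f"{tun}: tracked NQA instance {admin} {name} does not exist")
            continue
        ip_cmd = cfg.get(f"interface {tun}", {}).get("ip", "address 0.0.0.0 255.255.255.255")
        local, mask = ip_cmd.split()[1:3]
        link = ipaddress.ip_network(f"{local}/{mask}", strict=False)  # the tunnel's /30
        if nqa.get("source-address") != f"ipv4 {local}":
            problems.append(f"{admin}: source-address is not {tun}'s own address {local}")
        far = nqa.get("destination-address", "ipv4 0.0.0.0").split()[1]
        if far == local or ipaddress.ip_address(far) not in link:
            problems.append(f"{admin}: destination {far} is not the far end of {tun} ({link})")
    return problems
```

Run check_tracking() on the output of display current-configuration after completing step 12; an empty result means each route tracks the probe of its own tunnel.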

Verification

  1. Log in to the management console.
  2. Click Service List and choose Networking > Virtual Private Network.
  3. Choose Virtual Private Network > Enterprise – VPN Connections. Verify that the states of the two VPN connections are both Available.