How Do I Configure a VPN on an On-premises Device? (Example of Configuring VPN on a Huawei USG6600 Series Firewall)
VPN settings on the device in your on-premises data center must be consistent with those on the cloud. Otherwise, the VPN cannot be established.
To set up a VPN, you also need to configure an IPsec VPN tunnel on the router or firewall in your on-premises data center. The configuration method varies according to your network device in use. For details, see the configuration guide of your network device.
The following uses a Huawei USG6600 series firewall running V100R001C30SPC300 as an example to describe how to configure a VPN on an on-premises device.
Assume that the subnets of an on-premises data center are 192.168.3.0/24 and 192.168.4.0/24, and the public IP address of the IPsec tunnel egress in the on-premises data center is 1.1.1.2. The subnets of a VPC are 192.168.1.0/24 and 192.168.2.0/24, and the public IP address of the IPsec tunnel egress in the VPC is 1.1.1.1.
Procedure
- Log in to the command line interface (CLI) of the firewall.
- Check firewall version information.
    display version
    17:20:50 2017/03/09
    Huawei Versatile Security Platform Software
    Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)
- Create an ACL.
    acl number 3065 vpn-instance vpn64
     rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
     rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
     rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
     rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
     q
- Create an IKE proposal.
    ike proposal 64
     dh group5
     authentication-algorithm sha1
     integrity-algorithm hmac-sha2-256
     sa duration 3600
     q
- Create an IKE peer and bind it to the created IKE proposal. The peer IP address is 1.1.1.1.
    ike peer vpnikepeer_64
     pre-shared-key ********
     ike-proposal 64
     undo version 2
     remote-address vpn-instance vpn64 1.1.1.1
     sa binding vpn-instance vpn64
     q
    (******** indicates a pre-shared key.)
- Configure an IPsec proposal.
    ipsec proposal IPsecpro64
     encapsulation-mode tunnel
     esp authentication-algorithm sha1
     q
- Configure an IPsec policy and bind the IPsec proposal to it.
    ipsec policy vpnIPsec64 1 isakmp
     security acl 3065
     pfs dh-group5
     ike-peer vpnikepeer_64
     proposal IPsecpro64
     local-address 1.1.1.2
     q
- Apply the IPsec policy to the corresponding sub-interface.
    interface GigabitEthernet0/0/2.64
     ipsec policy vpnIPsec64
     q
- Test connectivity.
Test the connectivity between your ECS on the cloud and a host in your on-premises data center, as shown in Figure 1.
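As an added example (not Huawei documentation or USG6600 code), the following Python script checks the requirement stated at the top of this page, that the on-premises configuration must be consistent with the cloud side. It parses a constructed excerpt of the configuration from the procedure above and verifies that every on-premises/VPC subnet pair has an ACL permit rule and that the IKE peer address, the policy's local address and the PFS group equal the cloud-side values; the `CLOUD_SIDE` values and the checker itself are assumptions made for illustration.

```python
import ipaddress
import re
# Constructed excerpt of the firewall configuration built by the procedure above.
USG_CONFIG = """\
acl number 3065 vpn-instance vpn64
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike peer vpnikepeer_64
 remote-address vpn-instance vpn64 1.1.1.1
ipsec policy vpnIPsec64 1 isakmp
 security acl 3065
 pfs dh-group5
 local-address 1.1.1.2
"""
# Cloud-side values from the scenario on this page (assumed to be what the VPC uses).
CLOUD_SIDE = {"local_subnets": ["192.168.3.0/24", "192.168.4.0/24"],
              "remote_subnets": ["192.168.1.0/24", "192.168.2.0/24"],
              "local_ip": "1.1.1.2", "remote_ip": "1.1.1.1", "pfs": "dh-group5"}
RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
SINGLE_VALUE_CHECKS = (  # (label, regex capturing the configured value, cloud key)
    ("IKE peer remote-address", r"remote-address(?: vpn-instance \S+)? (\S+)", "remote_ip"),
    ("IPsec policy local-address", r"local-address (\S+)", "local_ip"),
    ("IPsec policy pfs", r"pfs (\S+)", "pfs"),
)

def wildcard_to_cidr(addr, wildcard):
    """Convert VRP 'address wildcard' (e.g. 0.0.0.255) to CIDR. ipaddress accepts a
    hostmask; a non-contiguous wildcard raises ValueError, which is correct because
    it does not describe one subnet and the cloud side cannot express it."""
    return str(ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False))

def check_vpn_consistency(config, cloud):
    """Return mismatches between the firewall config and the cloud side (empty list
    means consistent): each local x remote subnet pair needs a permit rule, and the
    peer address, local address and PFS group must equal the cloud-side values."""
    problems = []
    permitted = {(wildcard_to_cidr(s, sw), wildcard_to_cidr(d, dw))
                 for s, sw, d, dw in RULE_RE.findall(config)}
    for loc in cloud["local_subnets"]:
        for rem in cloud["remote_subnets"]:
            if (loc, rem) not in permitted:
                problems.append(f"no ACL permit rule for {loc} -> {rem}")
    for label, pattern, key in SINGLE_VALUE_CHECKS:
        m = re.search(pattern, config)
        found = m.group(1) if m else None
        if found != cloud[key]:
            problems.append(f"{label} is {found}, cloud side expects {cloud[key]}")
    return problems
```

Run `check_vpn_consistency(USG_CONFIG, CLOUD_SIDE)` before bringing the tunnel up; any non-empty result names the exact parameter that would prevent the IKE or IPsec negotiation from completing.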