Updated on 2023-06-16 GMT+08:00

Configuration Guide for Connecting an H3C-SecPath Firewall (V7) to Huawei Cloud

Huawei Cloud Configuration Information

VPN gateway IP address: 11.11.11.11

Local Subnet: 192.168.10.0/24,192.168.20.0/24

Remote Gateway: 22.22.22.22

Remote Subnet: 172.16.10.0/24,172.16.20.0/24,172.16.30.0/24

Negotiation policy details:

Phase 1 policy (IKE Policy)

Authentication Algorithm: SHA2-256

Encryption Algorithm: AES-128

Version: v2

DH Algorithm: Group14

Lifetime (s): 86400

Phase 2 policy (IPsec Policy)

Transfer Protocol: ESP

Authentication Algorithm: SHA2-256

Encryption Algorithm: AES-128

PFS: DH group14

Lifetime (s): 86400

Customer-Side Device Networking and Basic Settings Assumptions

  1. Assume that the basic networking configuration on the customer side is as follows:
    • Intranet interface: GigabitEthernet1/0/0 belongs to the Trust zone. The interface IP address is 10.0.0.1/30; the intranet router at the other end of this link is 10.0.0.2.
    • The subnets to be carried over the tunnel are 172.16.10.0/24, 172.16.20.0/24, and 172.16.30.0/24. They sit behind GE1/0/0 and belong to the Trust zone.
    • Extranet interface: GigabitEthernet1/0/1 belongs to the Untrust zone. The interface IP address is 22.22.22.22/24.
    • Default route: Set the destination to 0.0.0.0/0, the outbound interface to GE1/0/1, and the next hop to 22.22.22.1.
    • Security policy: For access from the Trust zone to the Untrust zone, set the source address, destination address, and service to any, and set the action to permit.
    • NAT policy: The source address is the intranet CIDR blocks, the destination address is any, and the action is Easy IP. That is, intranet addresses are translated to the IP address of the outbound interface.
  2. The basic settings commands are as follows:
    interface GigabitEthernet1/0/0
    ip address 10.0.0.1 255.255.255.252
    #
    interface GigabitEthernet1/0/1
    ip address 22.22.22.22 255.255.255.0
    #
    # Default route to the ISP next hop, and static routes to the three intranet subnets via the intranet router 10.0.0.2.
    ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 22.22.22.1
    ip route-static 172.16.10.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
    ip route-static 172.16.20.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
    ip route-static 172.16.30.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
    #
    security-zone name Trust
    import interface GigabitEthernet1/0/0
    #
    security-zone name Untrust
    import interface GigabitEthernet1/0/1
    #
    # Trust-to-Untrust Internet access: any source, any destination, any service.
    security-policy ip
    rule 0 name Policy-Internet
      action pass
      logging enable
      counting enable
      source-zone Trust
      destination-zone Untrust
    #
    object-group ip address Customer-subnet172.16.10.0/24
    0 network subnet 172.16.10.0 255.255.255.0
    #
    object-group ip address Customer-subnet172.16.20.0/24
    0 network subnet 172.16.20.0 255.255.255.0
    #
    object-group ip address Customer-subnet172.16.30.0/24
    0 network subnet 172.16.30.0 255.255.255.0
    #
    # Easy IP: intranet sources leaving GE1/0/1 are translated to the interface address 22.22.22.22.
    nat policy
    rule name Snat_Internet
      source-ip Customer-subnet172.16.10.0/24
      source-ip Customer-subnet172.16.20.0/24
      source-ip Customer-subnet172.16.30.0/24
      outbound-interface GigabitEthernet1/0/1
      action easy-ip port-preserved

IPsec Configuration Guidelines

  1. The procedure for configuring the VPN on the web page is as follows:

    Log in to the web management page of the device and choose VPN > IPsec in the navigation pane.

    1. Configure an IKE proposal. Create an IKE proposal and set the authentication method (pre-shared key), authentication algorithm, encryption algorithm, DH group, and lifetime to the same values as those configured on Huawei Cloud.
    2. Configure an IPsec policy.

      In the basic settings area, set the role to peer/branch node, the IP address type to IPv4, the interface to the extranet interface, the local IP address to the corresponding public IP address, and the peer IP address to the IP address of the Huawei Cloud VPN gateway.

      In the IKE policy, configure the same IKE version, negotiation mode, and pre-shared key (PSK) as on Huawei Cloud, and use the IKE proposal created in the previous step. Set the local ID and peer ID types to IPv4 address and enter the corresponding public IP addresses.

      The source address of the protected data flow is the local private CIDR block, and the destination address is the private CIDR block on Huawei Cloud.

      In the advanced settings of the IPsec parameters, the encapsulation mode, security protocol, authentication algorithm, encryption algorithm, PFS, and SA lifetime must be the same as those configured on Huawei Cloud. You are advised to enable DPD so that a dead peer is detected and the tunnel is re-negotiated instead of silently dropping traffic.

    3. Configure security policies. Add security policies that allow communication between the customer private CIDR blocks and the Huawei Cloud private CIDR blocks in both directions. Set the service to any and the action to pass. Pin the two security policies on top so that they are matched before the general Internet policy.
    4. Configure a NAT policy. Add a NAT rule in which the source address is the customer intranet CIDR block, the destination address is the Huawei Cloud private CIDR block, and the action is no-nat. Pin the rule on top: if the Easy IP rule were matched first, the source address would be rewritten to the public interface address and the traffic would no longer match the data flow to be encrypted.
    • Add a mutual access rule between the local public IP address and the Huawei Cloud gateway IP address to the security policy, for UDP 500, UDP 4500, ESP, and AH (this guide uses ESP only). This ensures that the negotiation traffic and the encrypted traffic can pass.
    • Ensure that the negotiation traffic from the local public IP address to Huawei Cloud is not translated by NAT.
    • Ensure that the route to the Huawei Cloud subnets points to the next hop of the public outbound interface (here, the default route via 22.22.22.1).
    • Specify the data flow to be encrypted as explicit network addresses and masks. Do not reference an address object.
    • If the customer network has multiple outbound interfaces, make sure that traffic to the Huawei Cloud VPN gateway and to the Huawei Cloud private CIDR blocks leaves through the public outbound interface on which the IPsec policy is applied. Use static routes to select the appropriate outbound interface.
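    The "pin on top" instruction in steps 3 and 4 matters because the firewall evaluates NAT rules first-match and applies source NAT before the IPsec policy on the interface decides whether a packet is interesting traffic. The Python below is an added example, not part of this guide and not H3C code; it models that first-match evaluation with the addresses on this page and shows what happens when the Easy IP rule sits above the no-nat rule. The tuple rule representation and the "check the ACL after NAT" step are simplifications assumed for illustration.

```python
import ipaddress

# Addressing taken from this page.
CUSTOMER_SUBNETS = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
HWCLOUD_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]
OUTBOUND_IF_IP = "22.22.22.22"   # GE1/0/1; Easy IP rewrites the source to this address


def in_any(addr, subnets):
    """True if addr falls inside any of the given CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(s) for s in subnets)


# Simplified NAT rule model (assumption for illustration):
# (rule name, source subnets, destination subnets or None meaning ANY, action)
IPSEC_NONAT = ("IPsec_NONAT", CUSTOMER_SUBNETS, HWCLOUD_SUBNETS, "no-nat")
SNAT_INTERNET = ("Snat_Internet", CUSTOMER_SUBNETS, None, "easy-ip")


def apply_nat_policy(rules, src, dst):
    """First-match evaluation of the outbound NAT policy on GE1/0/1.

    Returns (name of the matched rule or None, source address after NAT).
    """
    for name, src_subnets, dst_subnets, action in rules:
        if not in_any(src, src_subnets):
            continue
        if dst_subnets is not None and not in_any(dst, dst_subnets):
            continue
        if action == "no-nat":
            return name, src
        if action == "easy-ip":
            return name, OUTBOUND_IF_IP
    return None, src


def matches_ipsec_acl(src, dst):
    """Interesting traffic as defined by acl 3999 on this page."""
    return in_any(src, CUSTOMER_SUBNETS) and in_any(dst, HWCLOUD_SUBNETS)


def trace(rules, src="172.16.10.5", dst="192.168.10.5"):
    """Run one packet through NAT and report whether it is still encrypted afterwards."""
    rule, post_nat_src = apply_nat_policy(rules, src, dst)
    return rule, post_nat_src, matches_ipsec_acl(post_nat_src, dst)


if __name__ == "__main__":
    print("no-nat on top: ", trace([IPSEC_NONAT, SNAT_INTERNET]))
    print("Easy IP on top:", trace([SNAT_INTERNET, IPSEC_NONAT]))
    print("Internet-bound:", trace([IPSEC_NONAT, SNAT_INTERNET], dst="203.0.113.10"))
```

    With the no-nat rule first, the cloud-bound packet keeps its 172.16.10.5 source and matches the ACL; with the Easy IP rule first it leaves as 22.22.22.22, never matches the ACL, and goes to the Internet in clear text. Ordinary Internet traffic is still translated in both orders.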
  2. Command configuration description:

    # Add address sets.

    object-group ip address HWCloud_subnet192.168.10.0/24
    0 network subnet 192.168.10.0 255.255.255.0 
    # 
    object-group ip address HWCloud_subnet192.168.20.0/24
    0 network subnet 192.168.20.0 255.255.255.0 

    # Configure a phase-1 proposal. The algorithm details are the same as those of Huawei Cloud.

    ikev2 proposal 100
        encryption aes-cbc-128
        integrity sha256
        dh group14
        prf sha256

    # Configure the same PSKs at both ends.

    ikev2 keychain IPsec-KEY
        peer keypeername
            address 11.11.11.11 255.255.255.255
            pre-shared-key local plaintext ******
            pre-shared-key remote plaintext ******

    # Configure the IKEv2 profile, set the authentication method to PSK, and configure local address and remote identity address.

    ikev2 profile IKE-PROFILE
        authentication-method local pre-share
        authentication-method remote pre-share
        keychain IPsec-KEY
        identity local address 22.22.22.22
        match local address 22.22.22.22
        match remote identity address 11.11.11.11 255.255.255.255
        sa duration 86400

    # Configure the IKE policy, which is similar to the IKE peer configuration. Invoke the IKE proposal and associate it with the interface IP address.

    ikev2 policy IKE-PEER
        proposal 100
        match local address 22.22.22.22

    # Configure interesting traffic.

    acl advanced 3999
        rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
        rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
        rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
        rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
        rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
        rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

    # Configure a phase-2 proposal.

    ipsec transform-set IPsec-PH2
        encapsulation-mode tunnel
        esp authentication-algorithm sha256
        esp encryption-algorithm aes-cbc-128
        pfs dh-group14

    # Configure an IPsec policy by referencing the interesting traffic and the phase-2 proposal. The phase-2 SA lifetime matches the 86400 s configured on Huawei Cloud.

    ipsec policy IPsec-HW 1 isakmp
        transform-set IPsec-PH2
        security acl 3999
        local-address 22.22.22.22
        remote-address 11.11.11.11
        ikev2-profile IKE-PROFILE
        sa duration time-based 86400

    # Bind the IPsec policy to the negotiation interface. The MSS clamp keeps TCP segments small enough that ESP encapsulation does not cause fragmentation.

    interface GigabitEthernet1/0/1
        ip address 22.22.22.22 255.255.255.0
        tcp mss 1300
        ipsec apply policy IPsec-HW

    # Configure security policies to permit data communications between the private networks at both ends and between the two public gateway addresses. Rules 1 to 3 must precede the general Internet rule. As written, rule 3 permits every IP protocol between the two gateway addresses; it can be narrowed to UDP 500, UDP 4500, and ESP as described in the guidelines above.

    security-policy ip
    rule 1 name IPsec-OUT
      action pass
      logging enable
      counting enable
      source-zone Trust
      destination-zone Untrust
      source-ip Customer-subnet172.16.10.0/24
      source-ip Customer-subnet172.16.20.0/24
      source-ip Customer-subnet172.16.30.0/24
      destination-ip HWCloud_subnet192.168.10.0/24
      destination-ip HWCloud_subnet192.168.20.0/24
    rule 2 name IPsec-IN
      action pass
      logging enable
      counting enable
      source-zone Untrust
      destination-zone Trust
      source-ip HWCloud_subnet192.168.10.0/24
      source-ip HWCloud_subnet192.168.20.0/24
      destination-ip Customer-subnet172.16.10.0/24
      destination-ip Customer-subnet172.16.20.0/24
      destination-ip Customer-subnet172.16.30.0/24
    rule 3 name IPsec-NEG-pass
      action pass
      logging enable
      counting enable
      source-ip-host 11.11.11.11
      source-ip-host 22.22.22.22
      destination-ip-host 11.11.11.11
      destination-ip-host 22.22.22.22
    rule 0 name Policy-Internet
    ...

    # Configure a NAT policy in which action is set to no-nat to ensure that the local subnets can access the Huawei Cloud subnets.

    nat policy 
    rule name IPsec_NONAT 
      source-ip Customer-subnet172.16.10.0/24
      source-ip Customer-subnet172.16.20.0/24
      source-ip Customer-subnet172.16.30.0/24
      destination-ip HWCloud_subnet192.168.10.0/24
      destination-ip HWCloud_subnet192.168.20.0/24
      outbound-interface GigabitEthernet1/0/1 
      action no-nat 
    rule name Snat_Internet
    ...

    # Configure the route. Traffic to the Huawei Cloud subnets must leave through the public interface on which the IPsec policy is applied; here the default route via 22.22.22.1 covers it.

    ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 22.22.22.1
    ...
  3. Description of differentiated configurations when IKEv1 is used for negotiation:

    # If IKEv1 is used, the algorithms are as follows.

    ike proposal 100
        authentication-algorithm sha256
        encryption-algorithm aes-cbc-128
        authentication-method pre-share
        dh group14
        sa duration 86400

    # If IKEv1 is used, run the following commands to configure the PSK for IKE negotiation:

    ike keychain IPsec-KEY
        pre-shared-key address 11.11.11.11 255.255.255.255 key simple *******

    # If IKEv1 is used, the exchange mode is set in the IKE profile, the phase-1 proposal is referenced directly, and no separate IKE policy is needed. Use exchange-mode main or exchange-mode aggressive, matching the negotiation mode configured on Huawei Cloud. In the IPsec policy, reference this profile with ike-profile IKE-PROFILE instead of ikev2-profile.

    ike profile IKE-PROFILE
        keychain IPsec-KEY
        local-identity address 22.22.22.22
        exchange-mode main
        dpd interval 3 periodic
        match remote identity address 11.11.11.11 255.255.255.255
        match local address 22.22.22.22
        proposal 100
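    Because the proposals on both ends must match, a text check of the H3C configuration against the Huawei Cloud policy table catches transcription errors before negotiation fails with a no-proposal-chosen error. The script below is an added example, not part of this guide and not H3C or Huawei tooling. It parses command blocks in the layout used by the listings above (a constructed copy is embedded, with the phase-2 lifetime deliberately set to 3600 so the check has something to report), maps the H3C keywords aes-cbc-128 and dh-group14 onto the names used in the policy table, and lists every parameter that differs or is missing. The block-parsing rules (view commands flush left, sub-commands indented, "#" as separator) are an assumption that fits this page.

```python
# Huawei Cloud negotiation policy from the table at the top of this page, in normalised names.
HWCLOUD_POLICY = {
    "ike":   {"encryption": "aes-128", "integrity": "sha256", "dh": "group14", "lifetime": 86400},
    "ipsec": {"protocol": "esp", "encryption": "aes-128", "integrity": "sha256",
              "pfs": "group14", "lifetime": 86400},
}

# Constructed copy of the H3C-side commands shown above. The phase-2 lifetime is
# deliberately 3600 here so that the comparison has a mismatch to report.
H3C_CONFIG = """\
ikev2 proposal 100
    encryption aes-cbc-128
    integrity sha256
    dh group14
    prf sha256
#
ikev2 profile IKE-PROFILE
    authentication-method local pre-share
    authentication-method remote pre-share
    sa duration 86400
#
ipsec transform-set IPsec-PH2
    encapsulation-mode tunnel
    esp authentication-algorithm sha256
    esp encryption-algorithm aes-cbc-128
    pfs dh-group14
#
ipsec policy IPsec-HW 1 isakmp
    transform-set IPsec-PH2
    security acl 3999
    sa duration time-based 3600
"""


def parse_blocks(config_text):
    """Group a Comware-style listing into {view header: [tokenised sub-command lines]}.

    Assumption: view-level commands are flush left, their sub-commands are indented,
    and lines consisting of '#' are separators, as in the listings on this page.
    """
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0] not in " \t":
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.split())
    return blocks


def normalise(token):
    """Map H3C algorithm keywords onto the names used in the Huawei Cloud policy table."""
    return token.lower().replace("aes-cbc-", "aes-").replace("dh-group", "group")


def extract_h3c_policy(config_text):
    """Pull the negotiation parameters out of the proposal, profile, transform-set and policy views."""
    found = {"ike": {}, "ipsec": {}}
    for header, lines in parse_blocks(config_text).items():
        view = tuple(header.lower().split()[:2])
        for words in lines:
            if view == ("ikev2", "proposal"):
                if words[0] == "encryption":
                    found["ike"]["encryption"] = normalise(words[1])
                elif words[0] == "integrity":
                    found["ike"]["integrity"] = words[1]
                elif words[0] == "dh":
                    found["ike"]["dh"] = words[1]
            elif view == ("ikev2", "profile") and words[:2] == ["sa", "duration"]:
                found["ike"]["lifetime"] = int(words[2])
            elif view == ("ipsec", "transform-set"):
                if words[:2] == ["esp", "authentication-algorithm"]:
                    found["ipsec"]["protocol"] = "esp"
                    found["ipsec"]["integrity"] = words[2]
                elif words[:2] == ["esp", "encryption-algorithm"]:
                    found["ipsec"]["protocol"] = "esp"
                    found["ipsec"]["encryption"] = normalise(words[2])
                elif words[0] == "pfs":
                    found["ipsec"]["pfs"] = normalise(words[1])
            elif view == ("ipsec", "policy") and words[:3] == ["sa", "duration", "time-based"]:
                found["ipsec"]["lifetime"] = int(words[3])
    return found


def compare(expected, found):
    """Return (phase, parameter, expected, found) for every parameter that differs or is missing."""
    mismatches = []
    for phase, params in expected.items():
        for name, value in params.items():
            actual = found.get(phase, {}).get(name)
            if actual != value:
                mismatches.append((phase, name, value, actual))
    return mismatches


if __name__ == "__main__":
    for m in compare(HWCLOUD_POLICY, extract_h3c_policy(H3C_CONFIG)):
        print("MISMATCH phase=%s %s: Huawei Cloud=%s, H3C=%s" % m)
```

    Run against the embedded sample it reports only the phase-2 lifetime; a missing line (for example a transform-set without pfs) shows up as a mismatch with the found value None, which is the same symptom a forgotten PFS setting produces during negotiation.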

Function Verification

After a VPN connection is configured, the cloud does not automatically initiate tunnel establishment. Data flows that match the protected data flow are required to trigger negotiation.

Triggering method: Use traffic between the private networks to trigger the VPN connection. For example, use a host on 192.168.10.0/24 to ping a host on 172.16.10.0/24, or the other way around. On the firewall, check the result with display ikev2 sa (display ike sa for IKEv1) and display ipsec sa.

Tunnel negotiation is not triggered when a private IP address pings the IP address of the peer public gateway, because that flow does not match the interesting-traffic ACL. For example, when a host on 172.16.10.0/24 pings 11.11.11.11, tunnel establishment is not triggered.
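To see exactly which flows trigger negotiation from the H3C side, generate the interesting-traffic ACL from the subnet lists and test candidate packets against it. The Python below is an added example, not from this guide and not H3C code; it rebuilds acl 3999 from the subnets on this page (one rule per local/remote pair, in the same order as the listing, using Comware-style wildcard masks) and checks that a private-to-private ping matches while a ping from a private host to the gateway address 11.11.11.11, or to a cloud subnet that is not in the policy, does not.

```python
import ipaddress

# Subnets and gateway address from this page.
LOCAL_SUBNETS = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
REMOTE_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]
REMOTE_GATEWAY = "11.11.11.11"


def build_acl(number, local, remote):
    """Return (ACL text in Comware syntax, list of (local_net, remote_net) pairs).

    One permit rule per local/remote pair, in the order used by acl 3999 above:
    all local subnets towards the first remote subnet, then towards the next.
    Comware ACL rules take wildcard (inverse) masks, hence hostmask.
    """
    lines = [f"acl advanced {number}"]
    pairs = []
    rule_id = 0
    for r in remote:
        rn = ipaddress.ip_network(r)
        for l in local:
            ln = ipaddress.ip_network(l)
            pairs.append((ln, rn))
            lines.append(
                f"    rule {rule_id} permit ip source {ln.network_address} {ln.hostmask} "
                f"destination {rn.network_address} {rn.hostmask}"
            )
            rule_id += 1
    return "\n".join(lines), pairs


def triggers_negotiation(pairs, src, dst):
    """True if an outbound src->dst packet matches the interesting-traffic ACL and so starts IKE."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ln and d in rn for ln, rn in pairs)


if __name__ == "__main__":
    text, pairs = build_acl(3999, LOCAL_SUBNETS, REMOTE_SUBNETS)
    print(text)
    for src, dst in [("172.16.10.5", "192.168.10.5"),
                     ("172.16.10.5", REMOTE_GATEWAY),
                     ("172.16.10.5", "192.168.30.5")]:
        print(f"{src} -> {dst}: triggers={triggers_negotiation(pairs, src, dst)}")
```

Only the first flow matches; the ping to the gateway address and the ping to 192.168.30.0/24 (not a remote subnet in this guide) are routed out via the default route without IPsec, which is why they never bring the tunnel up.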