Configuration Guide for Connecting an H3C-SecPath Firewall (V7) to Huawei Cloud
Huawei Cloud Configuration Information
VPN gateway IP address: 11.11.11.11
Local Subnet: 192.168.10.0/24, 192.168.20.0/24
Remote Gateway: 22.22.22.22
Remote Subnet: 172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24
Negotiation policy details:
Phase 1 policy (IKE Policy)
Authentication Algorithm: SHA2-256
Encryption Algorithm: AES-128
Version: v2
DH Algorithm: Group14
Lifetime (s): 86400
Phase 2 policy (IPsec Policy)
Transfer Protocol: ESP
Authentication Algorithm: SHA2-256
Encryption Algorithm: AES-128
PFS: DH group14
Lifetime (s): 86400
Customer-Side Device Networking and Basic Settings Assumptions
- Assume that the basic networking configuration on the customer side is as follows:
- Intranet interface: GigabitEthernet1/0/0 belongs to the Trust zone. The interface IP address is 10.0.0.1/30.
- The subnets for encryption transmission are 172.16.10.0/24, 172.16.20.0/24, and 172.16.30.0/24, and they belong to the Trust zone.
- Extranet interface: GigabitEthernet1/0/1 belongs to the Untrust zone. The interface IP address is 22.22.22.22/24.
- Default route: Set destination to 0.0.0.0/0, outbound interface to GE1/0/1, and the next hop to 22.22.22.1.
- Security policy: For the access from the Trust zone to the Untrust zone, set the source address, destination address, and protocol to any, and set the action to permit.
- NAT policy: The source address is an intranet CIDR block, the destination address is ANY, and the action is Easy IP. That is, the intranet CIDR block is translated into the IP address of the interface.
- The basic settings commands are as follows:
interface GigabitEthernet1/0/0
 ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 ip address 22.22.22.22 255.255.255.0
#
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 22.22.22.1
ip route-static 172.16.10.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
ip route-static 172.16.20.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
ip route-static 172.16.30.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
security-policy ip
 rule 0 name Policy-Internet
  action pass
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
#
object-group ip address Customer-subnet172.16.10.0/24
 0 network subnet 172.16.10.0 255.255.255.0
#
object-group ip address Customer-subnet172.16.20.0/24
 0 network subnet 172.16.20.0 255.255.255.0
#
object-group ip address Customer-subnet172.16.30.0/24
 0 network subnet 172.16.30.0 255.255.255.0
#
nat policy
 rule name Snat_Internet
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  outbound-interface GigabitEthernet1/0/1
  action easy-ip port-preserved
IPsec Configuration Guidelines
- The procedure for configuring the VPN on the web page is as follows:
  - Log in to the web management page of the device and choose VPN > IPsec in the navigation pane.
  - Configure an IKE proposal. Select the IKE proposal, and set the authentication mode, authentication algorithm, encryption algorithm, DH group, and lifetime to the same values as those configured on Huawei Cloud.
  - Configure an IPsec policy:
    - In the basic settings area, set the role to peer/branch node, the IP address type to IPv4, the interface to the extranet interface, the local IP address to the corresponding public IP address, and the peer IP address to the IP address of the Huawei Cloud VPN gateway.
    - In the IKE policy, configure the same negotiation mode and pre-shared key (PSK) as on Huawei Cloud, and use the IKE proposal created above. Set the local ID and peer ID type to IPv4 address and enter the corresponding public IP addresses.
    - Set the source address of the protected data flow to the local private CIDR block and the destination address to the private CIDR block on Huawei Cloud.
    - In the advanced IPsec settings, the encapsulation mode, security protocol, authentication algorithm, encryption algorithm, PFS, and lifetime must be the same as those configured on Huawei Cloud. You are advised to enable DPD.
- Configure security policies. Add security policies to allow communications between the customer private CIDR block and Huawei Cloud private CIDR block. Set the service to ANY and action to pass. Pin the two security policies on top.
- Configure a NAT Policy. Add a NAT rule in which the source address is the customer intranet CIDR block and the destination address is the Huawei Cloud private CIDR block and the action is no-nat. Pin the rule on top.
- Add the mutual access rule between the local public IP address and the Huawei Cloud gateway IP address to the security policy. The protocol is UDP 500, UDP 4500, ESP, and AH. This ensures that the negotiation flow and encrypted flow data can be normally transmitted.
- Ensure that the negotiation traffic from the local public IP address to Huawei Cloud is not forwarded through NAT.
- Ensure that the route of the destination subnet is destined for the next hop of the public network outbound interface.
- Set the CIDR block of the data flow to be encrypted to the actual IP address and mask. Do not invoke the address object.
- If the customer network has multiple outbound interfaces, when the customer accesses the Huawei Cloud VPN gateway or private CIDR block, ensure that traffic is transmitted via the public network outbound interface. Use the static route configuration to select the appropriate outbound interface.
- Command configuration description:
object-group ip address HWCloud_subnet192.168.10.0/24
 0 network subnet 192.168.10.0 255.255.255.0
#
object-group ip address HWCloud_subnet192.168.20.0/24
 0 network subnet 192.168.20.0 255.255.255.0
# Configure a phase-1 proposal. The algorithm details are the same as those of Huawei Cloud.
ikev2 proposal 100
 encryption aes-cbc-128
 integrity sha256
 dh group14
 prf sha256
# Configure the same PSK at both ends.
ikev2 keychain IPsec-KEY
 peer keypeername
  address 11.11.11.11 255.255.255.255
  pre-shared-key local plaintext ******
  pre-shared-key remote plaintext ******
# Configure the IKEv2 profile: set the authentication method to PSK, and configure the local address and the remote identity address.
ikev2 profile IKE-PROFILE
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain IPsec-KEY
 identity local address 22.22.22.22
 match local address 22.22.22.22
 match remote identity address 11.11.11.11 255.255.255.255
 sa duration 86400
# Configure the IKEv2 policy, which plays the role of an IKE peer: invoke the IKE proposal and bind the policy to the interface IP address.
ikev2 policy IKE-PEER
 proposal 100
 match local address 22.22.22.22
# Configure interesting traffic: one rule for each local/remote subnet pair.
acl advanced 3999
 rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# Configure a phase-2 proposal.
ipsec transform-set IPsec-PH2
 encapsulation-mode tunnel
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-128
 pfs dh-group14
# Configure an IPsec policy that references the interesting traffic and the phase-2 proposal. The SA lifetime matches the 86400 s configured on Huawei Cloud.
ipsec policy IPsec-HW 1 isakmp
 transform-set IPsec-PH2
 security acl 3999
 local-address 22.22.22.22
 remote-address 11.11.11.11
 ikev2-profile IKE-PROFILE
 sa duration time-based 86400
# Bind the IPsec policy to the negotiation interface.
interface GigabitEthernet1/0/1
 ip address 22.22.22.22 255.255.255.0
 tcp mss 1300
 ipsec apply policy IPsec-HW
# Configure security policies to permit data communications between the private networks at both ends and negotiation traffic between the public IP addresses. The IPsec rules are placed above the Internet rule.
security-policy ip
 rule 1 name IPsec-OUT
  action pass
  logging enable
  counting enable
  source-zone Trust
  destination-zone Untrust
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  destination-ip HWCloud_subnet192.168.10.0/24
  destination-ip HWCloud_subnet192.168.20.0/24
 rule 2 name IPsec-IN
  action pass
  logging enable
  counting enable
  source-zone Untrust
  destination-zone Trust
  source-ip HWCloud_subnet192.168.10.0/24
  source-ip HWCloud_subnet192.168.20.0/24
  destination-ip Customer-subnet172.16.10.0/24
  destination-ip Customer-subnet172.16.20.0/24
  destination-ip Customer-subnet172.16.30.0/24
 rule 3 name IPsec-NEG-pass
  action pass
  logging enable
  counting enable
  source-ip-host 11.11.11.11
  source-ip-host 22.22.22.22
  destination-ip-host 11.11.11.11
  destination-ip-host 22.22.22.22
 rule 0 name Policy-Internet
  ...
# Configure a NAT policy whose action is no-nat so that the local subnets reach the Huawei Cloud subnets with their real addresses. This rule must precede the Snat_Internet rule.
nat policy
 rule name IPsec_NONAT
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  destination-ip HWCloud_subnet192.168.10.0/24
  destination-ip HWCloud_subnet192.168.20.0/24
  outbound-interface GigabitEthernet1/0/1
  action no-nat
 rule name Snat_Internet
  ...
# Configure the route. Traffic to the Huawei Cloud subnets leaves through the public network interface (default route via the next hop 22.22.22.1).
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 22.22.22.1
...
- Description of the configuration differences when IKEv1 is used for negotiation:
# If IKEv1 is used, the phase-1 proposal is configured as follows.
ike proposal 100
 authentication-algorithm sha256
 encryption-algorithm aes-cbc-128
 authentication-method pre-share
 dh group14
 sa duration 86400
# If IKEv1 is used, run the following commands to configure the PSK for IKE negotiation.
ike keychain IPsec-KEY
 pre-shared-key address 11.11.11.11 255.255.255.255 key simple *******
# If IKEv1 is used, the exchange mode is added (main, or aggressive if that is what Huawei Cloud is configured with), the phase-1 proposal is invoked directly from the profile, and no separate IKE policy is needed.
ike profile IKE-PROFILE
 keychain IPsec-KEY
 local-identity address 22.22.22.22
 exchange-mode main
 dpd interval 3 periodic
 match remote identity address 11.11.11.11 255.255.255.255
 match local address 22.22.22.22
 proposal 100
Function Verification
After a VPN connection is configured, the cloud side does not initiate tunnel establishment on its own. Data flows that match the protected subnets are required to trigger negotiation.
Triggering method: Use data flows between the private networks to trigger the VPN connection. For example, use a host on 192.168.10.0/24 to ping a host on 172.16.10.0/24, or the other way around.
Tunnel negotiation is not triggered when a private IP address pings the public IP address of the peer gateway. For example, when a host on 172.16.10.0/24 pings 11.11.11.11, tunnel establishment is not triggered, because that flow does not match the interesting-traffic ACL.
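As an added example, not part of this guide or of H3C's or Huawei's tooling, the following Python script performs the checks a practitioner would want before bringing the tunnel up: it parses a Comware-style configuration excerpt, compares the IKEv2 proposal and the IPsec transform set against the Huawei Cloud negotiation policy, verifies that the interesting-traffic ACL covers every local/remote subnet pair, and answers the verification question above ("does this packet trigger negotiation?"). The configuration text is a constructed excerpt built from the guide's own commands; the Huawei Cloud values are taken from the policy tables at the top of the page.

```python
"""Consistency check of a customer-side H3C Comware config against the Huawei
Cloud negotiation policy (added example; not from the guide)."""
import ipaddress
import re

# Constructed excerpt in Comware "display" layout, using the guide's own
# names, ACL number and addresses.
H3C_CONFIG = """\
ikev2 proposal 100
 encryption aes-cbc-128
 integrity sha256
 dh group14
 prf sha256
acl advanced 3999
 rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
ipsec transform-set IPsec-PH2
 encapsulation-mode tunnel
 esp authentication-algorithm sha256
 esp encryption-algorithm aes-cbc-128
 pfs dh-group14
"""

# Huawei Cloud side, expressed with the Comware keywords (values from the guide).
CLOUD_IKE = {"encryption": "aes-cbc-128", "integrity": "sha256", "dh": "group14"}
CLOUD_IPSEC = {"esp encryption-algorithm": "aes-cbc-128",
               "esp authentication-algorithm": "sha256", "pfs": "dh-group14"}
CUSTOMER_SUBNETS = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
CLOUD_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]

ACL_RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_sections(text):
    """Split Comware config into {view header: [indented command lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def mismatches(sections, view, expected):
    """{parameter: (configured, expected)} for every value that differs or is missing."""
    configured = {}
    for line in sections.get(view, []):
        for key in expected:
            if line.startswith(key + " "):
                configured[key] = line[len(key) + 1:].strip()
    return {k: (configured.get(k), v) for k, v in expected.items()
            if configured.get(k) != v}


def parse_acl(sections, view="acl advanced 3999"):
    """(source network, destination network) for each permit rule. The ipaddress
    module accepts the Comware wildcard (host mask) notation directly."""
    pairs = []
    for line in sections.get(view, []):
        m = ACL_RULE.match(line)
        if m:
            pairs.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
                          ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
    return pairs


def uncovered_pairs(pairs, local_subnets, remote_subnets):
    """Local/remote subnet combinations no ACL rule protects (should be empty)."""
    missing = []
    for local in local_subnets:
        for remote in remote_subnets:
            ln, rn = ipaddress.ip_network(local), ipaddress.ip_network(remote)
            if not any(ln.subnet_of(s) and rn.subnet_of(d) for s, d in pairs):
                missing.append((local, remote))
    return missing


def triggers_negotiation(pairs, src_ip, dst_ip):
    """True when src->dst matches the interesting-traffic ACL and so brings the
    tunnel up; a ping to the peer gateway's public address does not match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in pairs)


def check_config(text=H3C_CONFIG):
    sections = parse_sections(text)
    return {
        "ike_mismatches": mismatches(sections, "ikev2 proposal 100", CLOUD_IKE),
        "ipsec_mismatches": mismatches(sections, "ipsec transform-set IPsec-PH2", CLOUD_IPSEC),
        "uncovered_pairs": uncovered_pairs(parse_acl(sections), CUSTOMER_SUBNETS, CLOUD_SUBNETS),
    }


if __name__ == "__main__":
    for name, problem in check_config().items():
        print(f"{name}: {problem or 'ok'}")
    acl = parse_acl(parse_sections(H3C_CONFIG))
    print(triggers_negotiation(acl, "172.16.10.5", "192.168.10.5"))  # host-to-host: True
    print(triggers_negotiation(acl, "172.16.10.5", "11.11.11.11"))   # host-to-gateway: False
```

Run it against the output of `display current-configuration` on the firewall to catch the two most common causes of a tunnel that never comes up: an algorithm or DH group that drifted from the cloud-side policy, and a subnet pair that was left out of the ACL when subnets were added later.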