Updated on 2023-06-16 GMT+08:00

Configuration Guide for Interconnecting an HW-USG Firewall (V5) with Huawei Cloud

Huawei Cloud Configuration Information

VPN gateway IP address: 11.11.11.11

Local Subnet: 192.168.10.0/24, 192.168.20.0/24

Remote Gateway: 22.22.22.22

Remote Subnet: 172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24

Negotiation policy details:

Phase 1 policy (IKE Policy)

Authentication Algorithm: SHA2-256

Encryption Algorithm: AES-128

Version: v2

DH Algorithm: Group14

Lifetime (s): 86400

Phase 2 policy (IPsec Policy)

Transfer Protocol: ESP

Authentication Algorithm: SHA2-256

Encryption Algorithm: AES-128

PFS: DH group14

Lifetime (s): 86400

Customer-Side Device Networking and Basic Settings Assumptions

  1. Assume that the basic networking configuration on the customer side is as follows:

Intranet interface: GigabitEthernet1/0/0 belongs to the Trust zone. The interface IP address is 10.0.0.1/30.

The subnets whose traffic is to be encrypted are 172.16.10.0/24, 172.16.20.0/24, and 172.16.30.0/24. They belong to the Trust zone and are reached through the next hop 10.0.0.2 behind GigabitEthernet1/0/0.

Extranet interface: GigabitEthernet1/0/1 belongs to the Untrust zone. The interface IP address is 22.22.22.22/24.

Default route: Set destination to 0.0.0.0/0, outbound interface to GE1/0/1, and the next hop to 22.22.22.1.

Security policy: Permit traffic from the Trust zone to the Untrust zone, with the source address, destination address, and service set to any.

NAT policy: The source address is the intranet CIDR block, the destination address is any, and the action is Easy IP, that is, intranet addresses are translated to the address of the outbound interface (22.22.22.22).

  2. The basic settings commands are as follows:
    interface GigabitEthernet1/0/0 
    ip address 10.0.0.1 255.255.255.252 
    # 
    interface GigabitEthernet1/0/1 
    ip address 22.22.22.22 255.255.255.0 
    # 
    ip route-static 0.0.0.0 0.0.0.0 22.22.22.1
    ip route-static 172.16.10.0 255.255.255.0 10.0.0.2
    ip route-static 172.16.20.0 255.255.255.0 10.0.0.2
    ip route-static 172.16.30.0 255.255.255.0 10.0.0.2 
    # 
    firewall zone trust 
    set priority 85 
    import interface GigabitEthernet1/0/0 
    # 
    firewall zone untrust 
    set priority 5
    import interface GigabitEthernet1/0/1 
    #
    ip address-set Customer-subnet172.16.10.0/24 type object 
    address 0 172.16.10.0 mask 24  
    # 
    ip address-set Customer-subnet172.16.20.0/24 type object 
    address 0 172.16.20.0 mask 24  
    # 
    ip address-set Customer-subnet172.16.30.0/24 type object 
    address 0 172.16.30.0 mask 24 
    # 
    security-policy 
    rule name Policy-Internet 
      policy logging 
      session logging 
      source-zone trust 
      destination-zone untrust 
      action permit 
    # 
    nat-policy 
    rule name Snat_Internet 
      source-zone trust 
      egress-interface GigabitEthernet1/0/1 
      action nat easy-ip

IPsec Configuration Guidelines

  1. The procedure for configuring the VPN on the web page is as follows:

    Log in to the web management page, choose Network > IPsec, and create an IPsec policy.

    1. Basic settings: Name the policy. Set the outbound interface to the public-network interface, the local address to the public IP address of that interface, the peer address to the IP address of the Huawei Cloud VPN gateway (11.11.11.11), the authentication mode to pre-shared key with the same key as configured on Huawei Cloud, and both the local and peer IDs to IP address.
    2. To-be-encrypted data flow: Create ACL rules with the customer subnets as the source and the Huawei Cloud subnets as the destination. Enter each subnet pair as a separate rule; the number of rules is the product of the number of subnets on the two sides (3 x 2 = 6 here). Set the protocol to any and the action to permit.
    3. Security proposal: The IKE and IPsec parameters, including the IKE version, must match those configured on Huawei Cloud. Enabling periodic DPD is recommended so that a dead peer is detected and the tunnel is re-negotiated.
    4. Security policy: Add two security policies, Trust to Untrust and Untrust to Trust, permitting traffic between the customer private CIDR blocks and the Huawei Cloud private CIDR blocks, with the service set to any. Move both policies to the top of the policy list so that they take precedence over the general Internet-access policy.
    5. NAT policy: Add a NAT rule with the customer intranet CIDR block as the source, the Huawei Cloud private CIDR block as the destination, and the action no-nat. Move it above the Easy IP rule; otherwise the interesting traffic is source-translated before the IPsec policy sees it and no longer matches the ACL.
    • Add to the security policy a rule permitting traffic in both directions between the local public IP address and the Huawei Cloud gateway IP address for UDP 500, UDP 4500, ESP, and AH. This traffic is originated and terminated by the firewall itself, so it is between the Local zone and the Untrust zone. The rule ensures that IKE negotiation and the encrypted traffic are not dropped.
    • Ensure that the IKE traffic sourced from the local public IP address towards Huawei Cloud is not translated by NAT.
    • Ensure that the route to the destination subnets points to the next hop of the public-network outbound interface.
    • Specify the data flow to be encrypted with literal IP addresses and masks; do not reference address objects in the ACL.
    • If the customer network has multiple outbound interfaces, ensure that traffic to the Huawei Cloud VPN gateway and to the Huawei Cloud private CIDR blocks leaves through the public-network outbound interface on which the IPsec policy is applied. Use static routes to select that interface.
  2. Command configuration description:

    # Add address sets.

    ip address-set HWCloud_subnet192.168.10.0/24 type object
    address 0 192.168.10.0 mask 24
    #
    ip address-set HWCloud_subnet192.168.20.0/24 type object
    address 0 192.168.20.0 mask 24

    # Configure the IKE proposal. The same proposal serves IKEv1 and IKEv2: IKEv1 uses authentication-algorithm and encryption-algorithm, whereas IKEv2 uses encryption-algorithm, integrity-algorithm, and prf. All values must match the Phase 1 policy on Huawei Cloud.

    ike proposal 100
    authentication-algorithm sha2-256
    encryption-algorithm aes-128
    authentication-method pre-share
    integrity-algorithm hmac-sha2-256
    prf hmac-sha2-256
    dh group14
    sa duration 86400

    # Set the IKE peer to IKEv2 only (undo version 1 disables IKEv1) and bind the IKE proposal. If IKEv1 is used instead, exchange-mode must also be configured.

    ike peer IKE-PEER
    undo version 1
    pre-shared-key ******
    ike-proposal 100
    remote-address 11.11.11.11
    dpd type periodic

    # Configure interesting traffic.

    acl number 3999
    rule 0 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
    rule 1 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
    rule 2 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
    rule 4 permit ip source 172.16.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
    rule 5 permit ip source 172.16.20.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
    rule 6 permit ip source 172.16.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

    # Configure a phase-2 proposal.

    ipsec proposal IPsec-PH2
    transform esp
    encapsulation-mode tunnel
    esp authentication-algorithm sha2-256
    esp encryption-algorithm aes-128

    # Configure the IPsec policy: bind the IKE peer, the IPsec proposal, and the ACL. PFS must match Huawei Cloud (DH group14), and the SA lifetime is set to the same 86400 s as the Phase 2 policy on Huawei Cloud.

    ipsec policy IPsec-HW 1 isakmp
    proposal IPsec-PH2
    security acl 3999
    ike-peer IKE-PEER
    tunnel local 22.22.22.22
    pfs dh-group14
    sa duration time-based 86400

    # Clamp the TCP MSS globally so that TCP segments still fit the path MTU after the ESP and tunnel-mode overhead is added.

    firewall tcp-mss 1300
    # Apply the IPsec policy to the public-network interface (its address was already configured in the basic settings).
    interface GigabitEthernet1/0/1
    ip address 22.22.22.22 255.255.255.0
    ipsec policy IPsec-HW
    #
    security-policy
    rule name IPsec-OUT
    policy logging
    session logging
    source-zone trust
    destination-zone untrust
    source-address address-set Customer-subnet172.16.10.0/24
    source-address address-set Customer-subnet172.16.20.0/24
    source-address address-set Customer-subnet172.16.30.0/24
    destination-address address-set HWCloud_subnet192.168.10.0/24
    destination-address address-set HWCloud_subnet192.168.20.0/24
    action permit
    rule name IPsec-IN
    policy logging
    session logging
    source-zone untrust
    destination-zone trust
    source-address address-set HWCloud_subnet192.168.10.0/24
    source-address address-set HWCloud_subnet192.168.20.0/24
    destination-address address-set Customer-subnet172.16.10.0/24
    destination-address address-set Customer-subnet172.16.20.0/24
    destination-address address-set Customer-subnet172.16.30.0/24
    action permit
    # Permit IKE (UDP 500/4500) and ESP between the firewall's own public address (Local zone) and the cloud gateway in both directions.
    rule name IPsec-NEG-pass
    policy logging
    session logging
    source-zone local
    source-zone untrust
    destination-zone local
    destination-zone untrust
    source-address 11.11.11.11 32
    source-address 22.22.22.22 32
    destination-address 11.11.11.11 32
    destination-address 22.22.22.22 32
    action permit
    rule name Policy-Internet
    ...
    #
    nat-policy
    rule name IPsec_NONAT
    description IPsec_NONAT
    source-zone trust
    destination-zone untrust
    source-address address-set Customer-subnet172.16.10.0/24
    source-address address-set Customer-subnet172.16.20.0/24
    source-address address-set Customer-subnet172.16.30.0/24
    destination-address address-set HWCloud_subnet192.168.10.0/24
    destination-address address-set HWCloud_subnet192.168.20.0/24
    action no-nat
    rule name Snat_Internet
    ...

    # Configure routes. Traffic to the Huawei Cloud subnets and to the VPN gateway 11.11.11.11 must leave through the public-network interface on which the IPsec policy is applied; the default route below does this. If the firewall has another egress interface, add specific static routes for 192.168.10.0/24, 192.168.20.0/24, and 11.11.11.11/32 via GigabitEthernet1/0/1 and 22.22.22.1 instead of relying on the default route.

    ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 22.22.22.1
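The ACL, the two security-policy rules, and the no-NAT rule above all depend on the same subnet lists, and the ACL needs one rule per (customer subnet, cloud subnet) pair. A pair that is missing from the ACL is not an error the firewall reports: that traffic simply falls through to Snat_Internet and leaves in the clear. The following Python script is an added example, not part of the Huawei Cloud guide and not a Huawei tool. It generates all four artefacts from one pair of subnet lists so they cannot drift apart, and it refuses to generate anything when a customer subnet overlaps a cloud subnet. The function names, the address-set naming scheme, and the ACL number are assumptions chosen to match the sample configuration above.

```python
"""Generate the subnet-dependent part of the USG V5 configuration.

Added example for the Huawei Cloud VPN guide; not a Huawei tool.
"""
import ipaddress
from itertools import product

# Constructed from the guide: customer (local) and Huawei Cloud (remote) subnets.
LOCAL = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
REMOTE = ["192.168.10.0/24", "192.168.20.0/24"]


def overlapping(local, remote):
    """Return (local, remote) pairs whose prefixes overlap. Such a pair can never be
    routed correctly across the tunnel and must be fixed before anything else."""
    return [(a, b) for a in local for b in remote
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


def wildcard(net):
    """Huawei ACLs take 'network wildcard' (inverse mask), e.g. 172.16.10.0 0.0.0.255."""
    n = ipaddress.ip_network(net, strict=True)  # strict: reject host bits set (typo guard)
    return f"{n.network_address} {n.hostmask}"


def acl_rules(local, remote, acl_number=3999):
    """One permit rule per subnet pair, cloud subnet in the outer loop as in the guide."""
    lines = [f"acl number {acl_number}"]
    for i, (dst, src) in enumerate(product(remote, local)):
        lines.append(f" rule {i} permit ip source {wildcard(src)} destination {wildcard(dst)}")
    return lines


def address_sets(local, remote):
    """Address objects named after the subnet, as in the sample configuration."""
    lines = []
    for prefix, nets in (("Customer-subnet", local), ("HWCloud_subnet", remote)):
        for net in nets:
            n = ipaddress.ip_network(net, strict=True)
            lines += [f"ip address-set {prefix}{net} type object",
                      f" address 0 {n.network_address} mask {n.prefixlen}", "#"]
    return lines


def _rule(name, src_zone, dst_zone, srcs, dsts, action):
    return ([f" rule name {name}", f"  source-zone {src_zone}", f"  destination-zone {dst_zone}"]
            + [f"  source-address address-set {s}" for s in srcs]
            + [f"  destination-address address-set {d}" for d in dsts]
            + [f"  action {action}"])


def policy_rules(local, remote):
    """Security policy (both directions) and the no-NAT rule. Both must still be moved
    above Policy-Internet / Snat_Internet on the device; the generator cannot do that."""
    loc = [f"Customer-subnet{n}" for n in local]
    rem = [f"HWCloud_subnet{n}" for n in remote]
    security = (["security-policy"]
                + _rule("IPsec-OUT", "trust", "untrust", loc, rem, "permit")
                + _rule("IPsec-IN", "untrust", "trust", rem, loc, "permit"))
    nat = ["nat-policy"] + _rule("IPsec_NONAT", "trust", "untrust", loc, rem, "no-nat")
    return security, nat


def render(local, remote):
    """Full snippet, or ValueError when the two sides overlap."""
    bad = overlapping(local, remote)
    if bad:
        raise ValueError(f"overlapping local/remote subnets: {bad}")
    security, nat = policy_rules(local, remote)
    return "\n".join(address_sets(local, remote) + acl_rules(local, remote) + ["#"]
                     + security + ["#"] + nat)


if __name__ == "__main__":
    print(render(LOCAL, REMOTE))
```

The generated rules carry no ordering: after pasting them, the IPsec-OUT, IPsec-IN and IPsec_NONAT rules still have to be moved above Policy-Internet and Snat_Internet, as steps 4 and 5 of the web procedure require, or the Easy IP rule wins.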

Function Verification

After the VPN connection is configured, the cloud side does not initiate the tunnel automatically. A data flow that matches the interesting traffic is required to trigger negotiation.

Triggering method: Use data flows between the private networks to trigger the VPN connection. For example, use a host on 192.168.10.0/24 to ping a host on 172.16.10.0/24, or the other way around.

Pinging the public address of the peer gateway from a private address does not trigger negotiation, because that flow does not match the interesting-traffic ACL. For example, a host on 172.16.10.0/24 pinging 11.11.11.11 does not establish the tunnel.
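If the triggering ping never brings the tunnel up, the most common cause is a Phase 1 or Phase 2 parameter that differs from the Huawei Cloud policy, and the firewall only reports that as a failed negotiation. The following Python script is an added example, not part of the guide and not a Huawei tool, that compares the cloud-side policy listed under "Huawei Cloud Configuration Information" with the USG proposals before traffic is sent. parse_usg() is a minimal scanner for the views used in this guide (ike proposal, ike peer, ipsec proposal, ipsec policy), not a general VRP parser; the embedded configuration is constructed from the guide with the Phase 2 lifetime deliberately set to 3600 s so that the report shows a mismatch.

```python
"""Compare USG V5 IKE/IPsec settings with the Huawei Cloud negotiation policy.

Added example for the Huawei Cloud VPN guide; not a Huawei tool.
"""

# Constructed from the guide: the cloud-side Phase 1 / Phase 2 policies.
CLOUD_POLICY = {
    "ike":   {"version": "v2", "auth": "sha2-256", "enc": "aes-128", "dh": "group14", "lifetime": 86400},
    "ipsec": {"protocol": "esp", "auth": "sha2-256", "enc": "aes-128", "pfs": "group14", "lifetime": 86400},
}

# Constructed: the relevant part of the USG configuration, with the Phase 2
# lifetime deliberately set to 3600 s to show how a mismatch is reported.
USG_CONFIG = """\
ike proposal 100
 authentication-algorithm sha2-256
 encryption-algorithm aes-128
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 dh group14
 sa duration 86400
#
ike peer IKE-PEER
 undo version 1
 ike-proposal 100
 remote-address 11.11.11.11
 dpd type periodic
#
ipsec proposal IPsec-PH2
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ipsec policy IPsec-HW 1 isakmp
 proposal IPsec-PH2
 security acl 3999
 ike-peer IKE-PEER
 pfs dh-group14
 sa duration time-based 3600
"""

# (view, command prefix) -> (phase, key, index of the value token)
TABLE = {
    ("ike proposal", "encryption-algorithm"): ("ike", "enc", 1),
    ("ike proposal", "authentication-algorithm"): ("ike", "auth_v1", 1),   # IKEv1 only
    ("ike proposal", "integrity-algorithm"): ("ike", "integrity", 1),      # IKEv2 only
    ("ike proposal", "dh"): ("ike", "dh", 1),
    ("ike proposal", "sa duration"): ("ike", "lifetime", 2),
    ("ipsec proposal", "transform"): ("ipsec", "protocol", 1),
    ("ipsec proposal", "esp authentication-algorithm"): ("ipsec", "auth", 2),
    ("ipsec proposal", "esp encryption-algorithm"): ("ipsec", "enc", 2),
    ("ipsec policy", "pfs"): ("ipsec", "pfs", 1),
    ("ipsec policy", "sa duration time-based"): ("ipsec", "lifetime", 3),
}


def parse_usg(text):
    """Collect the negotiation parameters, keyed like CLOUD_POLICY.

    'version' starts as 'v1+v2': an ike peer with neither 'undo version 1' nor
    'undo version 2' accepts both, which is what the guide's 'undo version 1' narrows."""
    found = {"ike": {"version": "v1+v2"}, "ipsec": {}}
    view = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw.startswith(" "):             # an unindented line opens a new view
            view = " ".join(line.split()[:2])   # e.g. 'ike proposal', 'ipsec policy'
            continue
        cmd = line.split()
        if view == "ike peer" and cmd[:2] == ["undo", "version"]:
            found["ike"]["version"] = "v2" if cmd[2] == "1" else "v1"
            continue
        for (v, prefix), (phase, key, idx) in TABLE.items():
            if view == v and line.startswith(prefix + " "):
                val = cmd[idx].removeprefix("hmac-").removeprefix("dh-")  # hmac-sha2-256 -> sha2-256
                found[phase][key] = int(val) if val.isdigit() else val
    return found


def compare(cloud, usg):
    """Return (phase, parameter, cloud_value, usg_value) for every mismatch; [] means OK."""
    mismatches = []
    for phase in ("ike", "ipsec"):
        for key, want in cloud[phase].items():
            got = usg[phase].get(key)
            if phase == "ike" and key == "version" and got == "v1+v2":
                continue                         # the peer accepts either version
            if phase == "ike" and key == "auth":
                # IKEv2 negotiates integrity-algorithm, IKEv1 authentication-algorithm
                got = usg["ike"].get("integrity" if cloud["ike"]["version"] == "v2" else "auth_v1")
            if got is None or str(got).lower() != str(want).lower():
                mismatches.append((phase, key, want, got))
    return mismatches


if __name__ == "__main__":
    for phase, key, want, got in compare(CLOUD_POLICY, parse_usg(USG_CONFIG)):
        print(f"{phase}/{key}: cloud={want} usg={got}")
```

Run it against the output of display current-configuration on the firewall (pasted into USG_CONFIG) rather than against a hand-copied snippet; a parameter that was fat-fingered on the device is exactly what the check is meant to catch.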