Updated on 2024-02-29 GMT+08:00

Operation Guide

Scenario

Figure 1 shows the typical networking where a VPN gateway connects to a Huawei access router (AR) in an on-premises data center in static routing mode.

Figure 1 Typical networking diagram

In this scenario, the AR router has only one IP address, and the VPN gateway uses the active-active mode. A VPN connection is created between each of the two active EIPs of the VPN gateway and the IP address of the AR router.

Limitations and Constraints

The VPN service and AR routers support different authentication and encryption algorithms. When creating connections, ensure that the policy settings at both ends are the same.

Data Plan

Table 1 Data plan

| Category | Item | Example of AR Router Planning | Example of Cloud-Side Planning |
|---|---|---|---|
| VPC | Subnet | 172.16.0.0/16 | 192.168.0.0/24; 192.168.1.0/24 |
| VPN gateway | Gateway IP address | 1.1.1.1 (IP address of the uplink public network interface GE0/0/8 on the AR router) | Active EIP: 1.1.1.2; Active EIP 2: 2.2.2.2 |
| VPN gateway | Interconnection subnet | - | 192.168.2.0/24 |
| VPN connection | Tunnel interface address | VPN connection 1: 169.254.70.1/30; VPN connection 2: 169.254.71.1/30 | VPN connection 1: 169.254.70.2/30; VPN connection 2: 169.254.71.2/30 |
| VPN connection | IKE policy | IKE version: IKEv2; Authentication algorithm: SHA2-256; Encryption algorithm: AES-128; DH algorithm: Group 14; Lifetime (s): 86400; Local ID: IP address; Peer ID: IP address | IKE version: IKEv2; Authentication algorithm: SHA2-256; Encryption algorithm: AES-128; DH algorithm: Group 14; Lifetime (s): 86400; Local ID: IP address; Peer ID: IP address |
| VPN connection | IPsec policy | Authentication algorithm: SHA2-256; Encryption algorithm: AES-128; PFS: DH group 14; Transfer protocol: ESP; Lifetime (s): 3600 | Authentication algorithm: SHA2-256; Encryption algorithm: AES-128; PFS: DH group 14; Transfer protocol: ESP; Lifetime (s): 3600 |

Operation Process

Figure 2 shows the process of using the VPN service to enable communication between the data center and VPC.

Figure 2 Operation process

Table 2 Operation process description

| No. | Configuration Interface | Step | Description |
|---|---|---|---|
| 1 | Management console | Create a VPN gateway. | Bind two EIPs to the VPN gateway. If you have purchased EIPs, you can directly bind them to the VPN gateway. |
| 2 | Management console | Create a customer gateway. | Configure the AR router as the customer gateway. |
| 3 | Management console | Create VPN connection 1. | Create a VPN connection between the active EIP of the VPN gateway and the customer gateway. |
| 4 | Management console | Create VPN connection 2. | Create a VPN connection between active EIP 2 of the VPN gateway and the customer gateway. It is recommended that the connection mode, PSK, IKE policy, and IPsec policy settings of the two VPN connections be the same. |
| 5 | Command-line interface (CLI) of the AR router | Configure the AR router. | The local and remote tunnel interface addresses configured on the AR router must be the same as the customer and local tunnel interface addresses configured on the VPN console, respectively. The connection mode, PSK, IKE policy, and IPsec policy settings on the AR router must be the same as those of the VPN connections. |
| 6 | - | Verify network connectivity. | Run the ping command to verify network connectivity. |
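
The matching rules in step 5 and in Limitations and Constraints can be checked against the data plan before anything is entered on the console or the AR router. The following is an added example, not Huawei code: it encodes the Table 1 values as constructed Python dictionaries (the layout and the names POLICY, CLOUD, AR and check_plan are assumptions of this example) and reports every IKE/IPsec policy value or tunnel interface address that does not line up between the two ends.

```python
import ipaddress

# Constructed from the page's data plan (Table 1). The dict layout and the
# names POLICY, CLOUD, AR and check_plan are assumptions of this example.
POLICY = {
    "ike": {"version": "IKEv2", "auth": "SHA2-256", "enc": "AES-128",
            "dh": "Group 14", "lifetime": 86400},
    "ipsec": {"auth": "SHA2-256", "enc": "AES-128", "pfs": "DH group 14",
              "protocol": "ESP", "lifetime": 3600},
}
CLOUD = {**POLICY, "tunnels": {  # values are (local, peer) as seen from this end
    "VPN connection 1": ("169.254.70.2/30", "169.254.70.1/30"),
    "VPN connection 2": ("169.254.71.2/30", "169.254.71.1/30"),
}}
AR = {**POLICY, "tunnels": {
    "VPN connection 1": ("169.254.70.1/30", "169.254.70.2/30"),
    "VPN connection 2": ("169.254.71.1/30", "169.254.71.2/30"),
}}

def check_plan(cloud, ar):
    """Return a list of mismatches between the cloud-side and AR-side plans."""
    findings = []
    # IKE and IPsec policy settings must be identical at both ends.
    for policy in ("ike", "ipsec"):
        for key in sorted(set(cloud[policy]) | set(ar[policy])):
            c, a = cloud[policy].get(key), ar[policy].get(key)
            if c != a:
                findings.append(f"{policy}.{key}: cloud={c!r} ar={a!r}")
    # Each connection must exist on both sides with mirrored tunnel addresses.
    for name in sorted(set(cloud["tunnels"]) | set(ar["tunnels"])):
        if name not in cloud["tunnels"] or name not in ar["tunnels"]:
            findings.append(f"{name}: defined on one side only")
            continue
        c_local, c_peer = map(ipaddress.ip_interface, cloud["tunnels"][name])
        a_local, a_peer = map(ipaddress.ip_interface, ar["tunnels"][name])
        if (c_local, c_peer) != (a_peer, a_local):
            findings.append(f"{name}: tunnel addresses are not mirrored")
        if c_local.network != c_peer.network or c_local.ip == c_peer.ip:
            findings.append(f"{name}: cloud local/peer must be two hosts in one subnet")
    return findings

if __name__ == "__main__":
    problems = check_plan(CLOUD, AR)
    print("\n".join(problems) if problems else "plans are consistent")
```

The PSK is left out of the dictionaries on purpose so that the secret does not end up in a plan file; compare it through whatever secret store holds it.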