Updated on 2023-06-16 GMT+08:00

Configuration Guide for Connecting a Hillstone-G Firewall (V5.5) to Huawei Cloud

Huawei Cloud Configuration Information

VPN gateway IP address: 11.11.11.11

Local Subnet: 192.168.10.0/24, 192.168.20.0/24

Remote Gateway: 22.22.22.22

Remote Subnet: 172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24

Negotiation policy details:

Phase 1 policy (IKE Policy)

Authentication Algorithm: SHA2-256

Encryption Algorithm: AES-128

Version: v1

DH Algorithm: Group14

Lifetime (s): 86400

Exchange-mode: main

Phase 2 policy (IPsec Policy)

Transfer Protocol: ESP

Authentication Algorithm: SHA2-256

Encryption Algorithm: AES-128

PFS: DH group14

Lifetime (s): 86400

Customer-Side Device Networking and Basic Settings Assumptions

Intranet interface: ethernet0/0 belongs to the Trust zone. The interface IP address is b.b.b.1/24.

Extranet interface: ethernet0/1 belongs to the Untrust zone. The interface IP address is B.B.B.Y/24.

Default route: Set the destination to 0.0.0.0/0, the outbound interface to ethernet0/1, and the next hop to the gateway IP address, for example B.B.B.1.

Security policy: For the access from the Trust zone to the Untrust zone, set the source address, destination address, and protocol to any, and set the action to permit.

NAT policy: The source address is the intranet CIDR block and the destination address is ANY. Translate the intranet CIDR block to the IP address of the outbound interface.

VPN Configuration Procedure

Log in to the web management page of the device. In the navigation pane, choose VPN > IPsec VPN.

  1. Configure the phase-1 (P1) proposal: Enter the proposal name, set the authentication mode to Pre-share, and configure the authentication algorithm, encryption algorithm, and DH group. For the parameter values, see Huawei Cloud Configuration Information.
  2. Configure the phase-2 (P2) proposal: Specify the proposal name, protocol, authentication algorithm, encryption algorithm, and PFS. For the parameter values, see Huawei Cloud Configuration Information. Disable compression and TTL.
  3. Configure the VPN peer list.
    1. Basic settings: Enter the name, select ethernet0/1 as the interface, select the protocol standard (only V1 is supported), and configure the authentication mode. Set the type to static IP, set the peer IP address to 11.11.11.11 (the IP address of the Huawei Cloud VPN gateway), set the local ID to IPv4 22.22.22.22, invoke the configured phase-1 proposal, and enter the same PSK as the one configured on Huawei Cloud.
    2. Advanced settings: Set the connection type to bidirectional, enable NAT traversal, and enable DPD. Retain the default DPD interval and retry time, and disable the XAUTH server.
  4. Configure the IKE VPN list.
    1. Basic settings:

      Peer: Use the existing configuration of the peer list.

      Tunnel: Enter the name, set the mode to tunnel, invoke the P2 proposal, and set Proxy ID to manual. That is, configure the interesting traffic as IP address+mask entries. The number of entries to configure is the product of the number of local subnets and the number of remote subnets.

    2. Advanced settings: Retain the default settings. You can enable VPN tunnel detection, with the source address set to a local private IP address and the destination address set to a private IP address on Huawei Cloud. (Select an available address.)
  5. Configure interfaces.
    1. In the navigation pane, choose Security Zone and create a VPN security zone. Name it VPN and set the type to layer-3 security zone.
    2. In the navigation pane, choose Interface and create a tunnel interface. Specify the interface name, number, and security zone (add the interface to the newly created VPN security zone). Set the IP address type to static IP and do not specify any IP information. Set the tunnel type to IPsec VPN and bind the tunnel to the created IKE VPN list.
  6. Security policy: Create the following security policies and move them to the top of the policy list.
    1. Set the source zone to trust, the destination zone to VPN, the service to any, and the action to permit.
    2. Set the source zone to VPN, the destination zone to trust, the service to any, and the action to permit.
  7. Route: Set the destination of the route to the Huawei Cloud private CIDR blocks (192.168.10.0/24 and 192.168.20.0/24), set the next hop type to interface, and set the interface to the tunnel interface used by the VPN.
  • Add security policies permitting traffic in both directions between the local public IP address and the Huawei Cloud gateway IP address for UDP 500, UDP 4500, ESP, and AH. This ensures that the negotiation traffic and the encrypted traffic are not blocked.
  • Set the CIDR blocks of the data flow to be encrypted (proxy ID) to the actual IP addresses and masks. Do not reference address sets.
  • If the customer network has multiple outbound interfaces, ensure that traffic to the Huawei Cloud VPN gateway and to the Huawei Cloud private CIDR blocks leaves through the public-network outbound interface. Use static routes to select the appropriate outbound interface.
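As an added example (not part of this guide and not Hillstone or Huawei Cloud tooling), the following Python script compares a firewall proposal against the Huawei Cloud negotiation policy listed above and expands the proxy-ID entries required in step 4; the firewall-side dictionaries it checks are constructed for the example.

```python
from itertools import product
from ipaddress import ip_network

# Negotiation parameters as listed under "Huawei Cloud Configuration Information".
CLOUD_IKE = {"version": "v1", "exchange_mode": "main", "auth": "SHA2-256",
             "enc": "AES-128", "dh": "group14", "lifetime": 86400}
CLOUD_IPSEC = {"protocol": "ESP", "auth": "SHA2-256", "enc": "AES-128",
               "pfs": "group14", "lifetime": 86400}

# Seen from the firewall, its own LANs are Huawei's "Remote Subnet" and
# Huawei's "Local Subnet" is what it reaches through the tunnel.
FIREWALL_LOCAL = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
CLOUD_REMOTE = ["192.168.10.0/24", "192.168.20.0/24"]

def proposal_mismatches(firewall: dict, cloud: dict) -> list:
    """Names of parameters where the firewall proposal differs from the cloud
    policy; case-insensitive so 'Group14' and 'group14' compare equal."""
    return sorted(k for k in cloud
                  if str(firewall.get(k, "")).lower() != str(cloud[k]).lower())

def proxy_ids(local_subnets: list, remote_subnets: list) -> list:
    """One (local, remote) proxy-ID pair per subnet combination, i.e.
    len(local) * len(remote) entries as the guide states. Overlapping
    pairs are rejected: such traffic could not be selected unambiguously."""
    locals_ = [ip_network(s) for s in local_subnets]
    remotes = [ip_network(s) for s in remote_subnets]
    pairs = []
    for loc, rem in product(locals_, remotes):
        if loc.overlaps(rem):
            raise ValueError(f"local {loc} overlaps remote {rem}")
        pairs.append((str(loc), str(rem)))
    return pairs

def preflight(fw_ike: dict, fw_ipsec: dict) -> dict:
    """Everything to check before enabling the tunnel: per-phase mismatches
    and the full proxy-ID list the IKE VPN entry must contain."""
    return {"ike_mismatches": proposal_mismatches(fw_ike, CLOUD_IKE),
            "ipsec_mismatches": proposal_mismatches(fw_ipsec, CLOUD_IPSEC),
            "proxy_ids": proxy_ids(FIREWALL_LOCAL, CLOUD_REMOTE)}

if __name__ == "__main__":
    # Constructed firewall proposals; phase 2 deliberately uses AES-256.
    report = preflight(dict(CLOUD_IKE), dict(CLOUD_IPSEC, enc="AES-256"))
    print("IKE mismatches:", report["ike_mismatches"])
    print("IPsec mismatches:", report["ipsec_mismatches"])
    for loc, rem in report["proxy_ids"]:
        print(f"proxy ID local={loc} remote={rem}")
```

A non-empty mismatch list means phase 1 or phase 2 will fail to negotiate until the firewall proposal is corrected to the values above.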

Function Verification

After the VPN connection is configured, if active connection is selected on the Hillstone device, the Hillstone device initiates the negotiation. Huawei Cloud does not proactively trigger tunnel establishment.

Triggering from the Huawei Cloud side: Use data flows between the private networks to trigger the VPN connection. For example, use a host in 192.168.10.0/24 to ping a host in 172.16.10.0/24, or the other way around.

Tunnel negotiation is not triggered when a private IP address pings the public IP address of the peer gateway. For example, when a host in 172.16.10.0/24 pings 11.11.11.11, tunnel establishment is not triggered.