Updated on 2023-06-16 GMT+08:00

Configuration Guide for Interconnecting Sangfor-SSL-M7.6 with Huawei Cloud

Huawei Cloud Configuration Information

VPN gateway IP address: 11.11.11.11

Local Subnet: 192.168.10.0/24, 192.168.20.0/24

Remote Gateway: 22.22.22.22

Remote Subnet: 172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24

Negotiation policy details:

Phase 1 policy (IKE Policy)

Authentication Algorithm: SHA2-256

Encryption Algorithm: AES-128

Version: v1

DH Algorithm: Group14

Lifetime (s): 86400

Exchange-mode: main

Phase 2 policy (IPsec Policy)

Transfer Protocol: ESP

Authentication Algorithm: SHA2-256

Encryption Algorithm: AES-128

PFS: DH group14

Lifetime (s): 86400

Customer-Side Device Networking and Basic Settings Assumptions

Deployment mode: gateway mode

Intranet interface: The IP address of the LAN interface is 192.168.10.1/24.

External interface: The IP address of line 1 (WAN1 interface) is 22.22.22.22/24.

Default route: The next hop is the gateway IP address of line 1, for example, 22.22.22.1.

Firewall rule: When the LAN accesses the WAN, set the source address, destination address, and service to any, and the action to permit.

Proxy Internet access (source NAT) rule: Set the source interface to LAN, the source address to the intranet CIDR block, the destination interface to WAN1, and the destination address to All IP, translating to the IP address of the destination interface.

VPN Configuration Procedure

Log in to the web management console of the device and choose IPsec VPN > Third-Party Interconnection on the console.

  1. Security proposal: Configure a phase-2 proposal. Click Add. On the displayed tab page, specify the same name, protocol, authentication algorithm, and encryption algorithm as those on Huawei Cloud. For details, see Huawei Cloud Configuration Information.
  2. Phase 1:
    1. Basic settings: Click Add on the right. On the tab page that is displayed, enter a name, set line to public network line 1, device address type to peer fixed IP address, fixed IP address to 11.11.11.11 (the Huawei Cloud VPN gateway), and authentication mode to PSK, and enter the PSK. Enable the device and enable active connection.
    2. Advanced settings: Click advanced in the lower left corner of the basic page. On the tab page that is displayed, set the lifetime, supported mode, D-H group, authentication algorithm, and encryption algorithm to the same values as those on Huawei Cloud. Enable DPD and keep the default values for interval and times.
    3. Special settings: When the Sangfor device sits behind NAT (NAT traversal), only aggressive mode can be used for interconnection; in addition, the Sangfor device does not support IKEv2. When selecting aggressive mode, set the Sangfor ID to the IPv4 public IP address, that is, the public IP address after NAT. Aggressive mode exchanges the IKE identity and the PSK-derived authentication hash before the channel is encrypted, so keep main mode wherever NAT does not prevent it and use a long, random PSK.
  3. Phase 2:
    1. Inbound policy: Click Add. On the page that is displayed, enter the policy name, set source IP address type to subnet+mask, and enter one Huawei Cloud private CIDR block (192.168.10.0/24 or 192.168.20.0/24) at a time, one policy per CIDR block. Set service to all services and effective duration to all day. Enable this policy.
    2. Outbound policy: Click Add. On the displayed tab page, enter the name, set source IP type to subnet+mask, and enter one local private CIDR block (172.16.10.0/24, 172.16.20.0/24, or 172.16.30.0/24) at a time, one policy per CIDR block. For peer device, select the phase-1 configuration created above. Set the lifetime to the same value as on Huawei Cloud. Set service to all services and effective duration to all day. For the security options, select the security proposal configured in step 1 and select Perfect Forward Secrecy (PFS). Enable this policy.
    3. Special settings: After PFS is selected, the D-H group in phase 2 is the same as that in phase 1. If there are multiple subnets in the on-premises data center, configure the peer device, security options, and PFS for each outbound policy.
  4. Firewall rule settings: Add policies to allow mutual access between VPN and LAN. The services are all-tcp, all-udp, and ping.
  • Add a mutual access rule between the local public IP address and the Huawei Cloud gateway IP address to the security policy for UDP 500, UDP 4500, ESP, and AH, so that the IKE negotiation traffic and the encrypted data traffic can pass.
  • Set the CIDR block of the data flow to be encrypted to the actual IP address and mask. Do not reference an address object.
  • If the customer network has multiple outbound interfaces, ensure that traffic to the Huawei Cloud VPN gateway and to the Huawei Cloud private CIDR blocks leaves through the public network outbound interface. Use static routes to select the appropriate outbound interface.
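The procedure above repeatedly requires the Sangfor settings to match the Huawei Cloud policy, forces aggressive mode when NAT is involved, and ties the PFS group to the phase-1 D-H group. The following is an added example (not part of the Huawei Cloud or Sangfor documentation) that encodes those rules as a pre-flight check; the `sangfor` dictionary it takes is a hand-built record of the console settings, not a device export.

```python
# Huawei Cloud negotiation policy exactly as stated in this guide.
HUAWEI_CLOUD = {
    "ike": {"version": "v1", "auth": "SHA2-256", "enc": "AES-128",
            "dh": "group14", "lifetime": 86400, "mode": "main"},
    "ipsec": {"protocol": "ESP", "auth": "SHA2-256", "enc": "AES-128",
              "pfs": "group14", "lifetime": 86400},
}


def _same(a, b):
    """Case-insensitive comparison so 'Group14' and 'group14' count as equal."""
    return str(a).strip().lower() == str(b).strip().lower()


def check_proposals(sangfor, cloud=HUAWEI_CLOUD, nat_traversal=False):
    """Return a list of mismatches between the Sangfor and Huawei Cloud settings.

    sangfor has the same shape as HUAWEI_CLOUD; it is a hand-built record of
    the values entered in the Sangfor web console, not a device export.
    An empty list means the two peers should negotiate successfully.
    """
    problems = []
    # Every phase-1 and phase-2 parameter except the exchange mode must match.
    for phase in ("ike", "ipsec"):
        for key, expected in cloud[phase].items():
            if key == "mode":
                continue
            got = sangfor.get(phase, {}).get(key)
            if not _same(got, expected):
                problems.append(f"{phase}.{key}: Sangfor={got!r} Huawei Cloud={expected!r}")
    # Sangfor M7.6 speaks IKEv1 only, whatever the cloud side offers.
    if not _same(sangfor["ike"].get("version"), "v1"):
        problems.append("ike.version: Sangfor M7.6 supports IKEv1 only")
    # With NAT traversal on the Sangfor side only aggressive mode interconnects,
    # so the cloud IKE policy must use aggressive mode too; without NAT both
    # sides use the mode from the cloud policy (main in this guide).
    expected_mode = "aggressive" if nat_traversal else cloud["ike"]["mode"]
    if nat_traversal and not _same(cloud["ike"]["mode"], "aggressive"):
        problems.append("ike.mode: NAT traversal requires aggressive mode on Huawei Cloud too")
    mode = sangfor["ike"].get("mode")
    if not _same(mode, expected_mode):
        problems.append(f"ike.mode: Sangfor={mode!r} expected={expected_mode!r}")
    # When PFS is enabled, the phase-2 D-H group follows the phase-1 D-H group.
    pfs, dh = sangfor["ipsec"].get("pfs"), sangfor["ike"].get("dh")
    if pfs and not _same(pfs, dh):
        problems.append(f"ipsec.pfs: {pfs!r} must equal the phase-1 D-H group {dh!r}")
    return problems
```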

Function Verification

After the VPN connection is configured, if active connection is enabled on the Sangfor device, the Sangfor device initiates the negotiation. Huawei Cloud does not proactively trigger tunnel establishment.

Triggering from the Huawei Cloud side: The tunnel is brought up by data flows between the private networks. For example, use a host on 192.168.10.0/24 to ping a host on 172.16.10.0/24, or the other way around.

Tunnel negotiation is not triggered when a private IP address pings the public IP address of the peer gateway. For example, when a host on 172.16.10.0/24 pings 11.11.11.11, tunnel establishment is not triggered.
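The verification rules above come down to whether a packet matches one of the phase-2 traffic selectors. The following is an added example (not part of the Huawei Cloud or Sangfor documentation) that builds the per-subnet selector pairs the procedure calls for from the CIDR blocks in this guide and reports whether a given source/destination pair is "interesting" traffic that brings the tunnel up.

```python
import ipaddress

# CIDR blocks from this guide: the Huawei Cloud side and the on-premises (Sangfor) side.
CLOUD_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.168.20.0/24")]
LOCAL_SUBNETS = [ipaddress.ip_network(n)
                 for n in ("172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24")]


def phase2_selectors(local=LOCAL_SUBNETS, remote=CLOUD_SUBNETS):
    """One (local subnet, Huawei Cloud subnet) pair per outbound policy, which is
    what the guide asks for when the data center has several subnets."""
    return [(loc, rem) for loc in local for rem in remote]


def matching_policy(src, dst, selectors=None):
    """Return the (local, remote) selector that carries src->dst, or None.

    A match in either direction means the packet is 'interesting' traffic that
    triggers IKE negotiation (or rides an existing SA); no match means the
    packet is routed normally and never brings the tunnel up, which is why a
    ping to the peer's public gateway address does not start negotiation.
    """
    selectors = phase2_selectors() if selectors is None else selectors
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for loc, rem in selectors:
        if (s in loc and d in rem) or (s in rem and d in loc):
            return (loc, rem)
    return None


def triggers_tunnel(src, dst):
    """True when a ping from src to dst will bring the tunnel up."""
    return matching_policy(src, dst) is not None
```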