Configuration on the AR Router

Prerequisites

• The WAN interface GE0/0/8 on the AR router has been configured. Assume that the public IP address of the WAN interface is 1.1.1.1.
• The LAN interface GE0/0/1 on the AR router has been configured. Assume that the public IP address of the LAN interface is 172.16.0.1.

Procedure

1. Log in to the web system of the AR router.

   An AR651 running V300R019C13SPC200 is used as an example. The web system may vary according to the device model and software version.

2. Configure VPN connections.
   1. Choose Advanced > VPN > IPSec > IPSec Policy Management.
   2. Configure IKE and IPsec policies. Figure 1 shows the key parameter settings.
      

      • When IKEv1 is used for IPsec negotiation, if the traffic hard lifetime is set to 0 on either device, both the local and remote devices disable the traffic timeout function.
      • When IKEv2 is used for IPsec negotiation, if the traffic hard lifetime is set to 0 on a device, this device disables the traffic timeout function.
      • If the AR router uses a non-fixed IP address to connect to the VPN gateway, click Advanced, set Local identity type to Name, and enter the customer gateway identifier configured on the cloud in the Local name text box.
      Figure 1 Configuring VPN connections
      

3. Configure a VPN security policy.

   Choose Configuration > Attack Defense > ACL > Advanced ACL, configure an advanced ACL, and click Add. Figure 2 shows the key parameter settings.

   Figure 2 Configuring an advance ACL
   

4. Configure service routes.

   Choose Advanced > IP > Routing > Static Route Configuration. In the IPv4 Static Route area, configure static routes to the active EIP and active EIP 2 of the VPN gateway and a static route to the VPC, and click Add. Figure 3 shows the key parameter settings.

   Figure 3 Configuring service routes