Updated on 2023-08-01 GMT+08:00

How Do I Configure a VPN on an On-premises Device? (Configuring the VPN on a Huawei USG6600 Series Firewall)

An IPsec tunnel is symmetric: the IKE and IPsec parameters configured on the cloud (proposals, PFS group, SA lifetime, peer addresses and the subnets at each end) must match those configured in your on-premises data center. If any of them differ, the tunnel cannot be negotiated.

To set up a VPN, you also need to configure the IPsec VPN on your on-premises router or firewall. The configuration method varies with the network device you use. For details, see the configuration guide of your network device.

The following uses a Huawei USG6600 series firewall running V100R001C30SPC300 as an example to describe how to configure a VPN on an on-premises device. Command syntax may differ in other software versions.

Assume that the on-premises subnets are 192.168.3.0/24 and 192.168.4.0/24, the VPC subnets are 192.168.1.0/24 and 192.168.2.0/24, and the public IP address of the IPsec tunnel egress in the VPC is XXX.XXX.XX.XX (93.188.242.110 in the commands below), which you can obtain from the local gateway parameter of the IPsec VPN in the VPC. The public IP address of the firewall itself is written as xx.xx.xx.xx.

Procedure

  1. Log in to the CLI of the firewall.
  2. Check the firewall version information.
    display version
    17:20:50 2017/03/09
    Huawei Versatile Security Platform Software
    Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)
  3. Create an access control list (ACL) that selects the traffic to be protected and bind it to the target VPN instance. The source addresses are the on-premises subnets and the destination addresses are the VPC subnets; one rule is needed for every on-premises/VPC subnet pair, otherwise traffic between an unlisted pair is not sent through the tunnel.
    acl number 3065 vpn-instance vpn64
    rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    q 
  4. Create an IKE proposal. The DH group, authentication algorithm, integrity algorithm and SA lifetime must match the IKE policy of the VPN connection on the cloud.
    ike proposal 64 
    dh group5 
    authentication-algorithm sha1 
    integrity-algorithm hmac-sha2-256 
    sa duration 3600 
    q
  5. Create an IKE peer and reference the IKE proposal created in step 4. The peer address is the public IP address of the VPN gateway on the cloud, 93.188.242.110 in this example. undo version 2 disables IKEv2 so that the peer negotiates with IKEv1; this must match the IKE version configured on the cloud.
    ike peer vpnikepeer_64
    pre-shared-key ******** (******** stands for the pre-shared key, which must be identical to the one configured for the VPN connection on the cloud.)
    ike-proposal 64
    undo version 2
    remote-address vpn-instance vpn64 93.188.242.110
    sa binding vpn-instance vpn64
    q
  6. Create an IPsec proposal. Only the encapsulation mode and the ESP authentication algorithm are set explicitly here; any parameter left unset takes the firewall default and must also match the cloud side.
    ipsec proposal IPsecpro64
    encapsulation-mode tunnel
    esp authentication-algorithm sha1
    q
  7. Create an IPsec policy and bind the ACL, the IKE peer and the IPsec proposal to it. isakmp means that the IPsec SAs are negotiated through IKE. The PFS group must match the cloud side, and local-address is the public IP address of this firewall.
    ipsec policy vpnIPsec64 1 isakmp
    security acl 3065
    pfs dh-group5
    ike-peer vpnikepeer_64
    proposal IPsecpro64
    local-address xx.xx.xx.xx
    q
  8. Apply the IPsec policy to the public-facing subinterface through which the tunnel leaves the firewall.
    interface GigabitEthernet0/0/2.64
    ipsec policy vpnIPsec64
    q
  9. Test connectivity.

    Test the connectivity between your ECSs on the cloud and servers in your on-premises data center, for example by pinging a server in 192.168.3.0/24 from an ECS in 192.168.1.0/24, as shown in Figure 1.

    Figure 1 Connectivity test
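The symmetry requirement stated at the top of this page and the per-subnet-pair ACL of step 3 can be checked before the tunnel is brought up. The following script is an added example, not part of the Huawei documentation or of the USG6600 software: it parses a USG-style configuration built from the commands in steps 3 to 8 (a constructed sample; 203.0.113.10 stands in for the firewall's own public IP address), compares it with a constructed dictionary of the cloud-side VPN parameters (the field names are assumptions), and reports every mismatch that would stop negotiation, plus advisories for weak algorithms. It goes one step beyond the page's prose by also verifying that the ACL contains a permit rule for every on-premises subnet paired with every VPC subnet.

```python
"""Added example (not from the Huawei page): check that a USG6600 IPsec config
mirrors the cloud-side VPN parameters. Both inputs are constructed samples."""
import ipaddress
import re

# Constructed cloud-side parameters; the field names are assumed for this example.
CLOUD_VPN = {
    "ike_version": "v1", "ike_dh_group": "group5", "ike_auth_algorithm": "sha1",
    "ike_sa_duration": 3600, "pfs": "dh-group5", "esp_auth_algorithm": "sha1",
    "encapsulation_mode": "tunnel", "gateway_ip": "93.188.242.110",  # cloud gateway public IP
    "vpc_subnets": ["192.168.1.0/24", "192.168.2.0/24"],
    "onprem_subnets": ["192.168.3.0/24", "192.168.4.0/24"],
}
# Constructed USG config from steps 3-8; 203.0.113.10 stands in for the firewall's public IP.
USG_CONFIG = """\
acl number 3065 vpn-instance vpn64
 rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike proposal 64
 dh group5
 authentication-algorithm sha1
 sa duration 3600
ike peer vpnikepeer_64
 pre-shared-key ********
 ike-proposal 64
 undo version 2
 remote-address vpn-instance vpn64 93.188.242.110
ipsec proposal IPsecpro64
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
ipsec policy vpnIPsec64 1 isakmp
 security acl 3065
 pfs dh-group5
 ike-peer vpnikepeer_64
 proposal IPsecpro64
 local-address 203.0.113.10
"""
WEAK = {"md5", "sha1", "des", "3des", "group1", "group2", "group5", "dh-group1", "dh-group2", "dh-group5"}
RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse_usg(text):
    """Split a VRP-style config into {lower-cased section header: [indented lines]}."""
    sections, current = {}, []
    for line in filter(str.strip, text.splitlines()):
        if line.startswith(" "):
            current.append(line.strip())
        else:
            current = sections.setdefault(line.strip().lower(), [])
    return sections

def find_section(cfg, prefix):
    """Lines of the first section whose header is prefix or starts with 'prefix '."""
    prefix = prefix.lower()
    return next((v for k, v in cfg.items() if k == prefix or k.startswith(prefix + " ")), [])

def value(lines, keyword, default=None):
    """Argument of the first line starting with keyword ('dh group5' -> 'group5')."""
    return next((l[len(keyword) + 1:] for l in lines if l.startswith(keyword + " ")), default)

def check_symmetry(cloud, usg_text):
    """Return (errors, warnings): errors stop negotiation, warnings flag weak crypto."""
    cfg, errors, warnings = parse_usg(usg_text), [], []

    def expect(name, got, want):
        if got != want:
            errors.append(f"{name}: firewall has {got!r}, cloud has {want!r}")
        if str(got).lower() in WEAK:
            warnings.append(f"{name}: {got} is weak; raise it on both sides if possible")

    policy = find_section(cfg, "ipsec policy")
    peer = find_section(cfg, f"ike peer {value(policy, 'ike-peer')}")
    proposal = find_section(cfg, f"ike proposal {value(peer, 'ike-proposal')}")
    ipsec_prop = find_section(cfg, f"ipsec proposal {value(policy, 'proposal')}")
    acl = find_section(cfg, f"acl number {value(policy, 'security acl')}")
    # 'undo version N' removes an IKE version; the version chosen on the cloud must survive.
    versions = {"v1", "v2"} - {f"v{n}" for n in "12" if f"undo version {n}" in peer}
    if cloud["ike_version"] not in versions:
        errors.append(f"ike version: firewall allows {sorted(versions)}, cloud uses {cloud['ike_version']}")
    expect("ike dh group", value(proposal, "dh"), cloud["ike_dh_group"])
    expect("ike authentication", value(proposal, "authentication-algorithm"), cloud["ike_auth_algorithm"])
    expect("ike sa duration", int(value(proposal, "sa duration", 0)), cloud["ike_sa_duration"])
    expect("pfs", value(policy, "pfs"), cloud["pfs"])
    expect("esp authentication", value(ipsec_prop, "esp authentication-algorithm"), cloud["esp_auth_algorithm"])
    expect("encapsulation", value(ipsec_prop, "encapsulation-mode"), cloud["encapsulation_mode"])
    expect("remote gateway", value(peer, "remote-address", "?").split()[-1], cloud["gateway_ip"])
    # Interesting traffic must cover every on-premises subnet paired with every VPC subnet;
    # ACL wildcards such as 0.0.0.255 are host masks, which ipaddress accepts directly.
    want = {(ipaddress.ip_network(s), ipaddress.ip_network(d))
            for s in cloud["onprem_subnets"] for d in cloud["vpc_subnets"]}
    have = {(ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}"))
            for m in map(RULE_RE.match, acl) if m}
    errors += [f"acl: no rule permitting {s} -> {d}" for s, d in sorted(want - have, key=str)]
    warnings += [f"acl: {s} -> {d} is not a cloud-side subnet pair" for s, d in sorted(have - want, key=str)]
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_symmetry(CLOUD_VPN, USG_CONFIG)
    print("\n".join((errs or ["no blocking mismatches"]) + warns))
```

With the sample inputs the script reports no blocking mismatches but four weak-algorithm advisories (SHA-1 and DH group 5 on both the IKE and IPsec sides), which is the expected result for this page's example; to run it against a real firewall, paste the output of display current-configuration into USG_CONFIG and the values from the cloud console into CLOUD_VPN. After the configuration is applied, confirm on the firewall that the IKE and IPsec SAs are established (display ike sa and display ipsec sa) before running the ping test in step 9; an SA that never appears almost always means one of the mismatches this script looks for.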
