How Do I Configure a VPN on an On-premises Device? (Example of Configuring VPN on a Huawei USG6600 Series Firewall)
VPN settings on the device in your on-premises data center must be consistent with those on the cloud. Otherwise, the VPN cannot be established.
To set up a VPN, you also need to configure an IPsec VPN tunnel on the router or firewall in your on-premises data center. The configuration method varies with the network device in use. For details, see the configuration guide of your network device.
The following uses a Huawei USG6600 series firewall running V100R001C30SPC300 as an example to describe how to configure a VPN on an on-premises device.
Assume that the subnets of an on-premises data center are 192.168.3.0/24 and 192.168.4.0/24, and the public IP address of the IPsec tunnel egress in the on-premises data center is 1.1.1.2. The subnets of a VPC are 192.168.1.0/24 and 192.168.2.0/24, and the public IP address of the IPsec tunnel egress in the VPC is 1.1.1.1.
Procedure
- Log in to the command line interface (CLI) of the firewall.
- Check firewall version information.
display version
17:20:50 2017/03/09
Huawei Versatile Security Platform Software
Software Version: USG6600 V100R001C30SPC300 (VRP (R) Software, Version 5.30)
- Create an ACL.
acl number 3065 vpn-instance vpn64
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 4 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
q
- Create an IKE proposal.
ike proposal 64
dh group5
authentication-algorithm sha1
integrity-algorithm hmac-sha2-256
sa duration 3600
q
- Create an IKE peer and bind it to the created IKE proposal. The peer IP address is 1.1.1.1.
ike peer vpnikepeer_64
pre-shared-key ********
ike-proposal 64
undo version 2
remote-address vpn-instance vpn64 1.1.1.1
sa binding vpn-instance vpn64
q
(******** indicates the pre-shared key.)
- Configure an IPsec proposal.
ipsec proposal IPsecpro64
encapsulation-mode tunnel
esp authentication-algorithm sha1
q
- Configure an IPsec policy and bind the IPsec proposal to it.
ipsec policy vpnIPsec64 1 isakmp
security acl 3065
pfs dh-group5
ike-peer vpnikepeer_64
proposal IPsecpro64
local-address 1.1.1.2
q
- Apply the IPsec policy to the corresponding sub-interface.
interface GigabitEthernet0/0/2.64
ipsec policy vpnIPsec64
q
- Test connectivity.
Test the connectivity between your ECS on the cloud and a host in your on-premises data center, as shown in Figure 1.
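Two things in the procedure above are easy to get wrong by hand: the security ACL must contain one rule for every (on-premises subnet, VPC subnet) pair, and every IKE/IPsec parameter must be identical on both ends or the SA never negotiates. The following Python script is an added example, not part of the Huawei documentation or of the USG6600 software. It generates the ACL rules from the two subnet lists using the page's addresses, parses an existing ACL in the same "rule N permit ip source A W destination B W" form to report uncovered subnet pairs, and diffs two parameter sets to show which value blocks negotiation. The parameter dictionaries and the cloud-side values are constructed for illustration; the wildcard-mask conversion assumes contiguous masks.

```python
import ipaddress
import re

# Constructed sample values that mirror the topology in this page.
LOCAL_SUBNETS = ["192.168.3.0/24", "192.168.4.0/24"]   # on-premises data center
REMOTE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]  # VPC on the cloud

# One VRP ACL rule line; the wildcard masks are inverse masks (0 bit = must match).
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


def wildcard_mask(cidr):
    """Return the VRP wildcard (inverse) mask for a CIDR prefix, e.g. /24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(cidr, strict=True).hostmask)


def wildcard_to_prefixlen(wildcard):
    """Convert a contiguous wildcard mask such as 0.0.0.255 back to a prefix length."""
    inverse = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    plen = bin(inverse).count("1")
    if inverse != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return plen


def acl_rules(local_subnets, remote_subnets, start=1):
    """Emit one permit rule per (local, remote) subnet pair. IPsec only protects
    traffic matched by the security ACL, so every pair that must cross the
    tunnel needs its own rule; an unmatched pair is never encrypted."""
    rules = []
    seq = start
    for local in local_subnets:
        for remote in remote_subnets:
            ln = ipaddress.ip_network(local, strict=True)
            rn = ipaddress.ip_network(remote, strict=True)
            rules.append(
                f"rule {seq} permit ip source {ln.network_address} {ln.hostmask} "
                f"destination {rn.network_address} {rn.hostmask}"
            )
            seq += 1
    return rules


def parse_acl(text):
    """Parse 'rule N permit ip source A W destination B W' lines into (src, dst) CIDR strings."""
    pairs = []
    for m in RULE_RE.finditer(text):
        src = ipaddress.ip_network(f"{m.group(1)}/{wildcard_to_prefixlen(m.group(2))}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{wildcard_to_prefixlen(m.group(4))}", strict=False)
        pairs.append((str(src), str(dst)))
    return pairs


def missing_pairs(acl_text, local_subnets, remote_subnets):
    """Report (local, remote) subnet pairs that the configured ACL does not cover."""
    covered = set(parse_acl(acl_text))
    return [(loc, rem) for loc in local_subnets for rem in remote_subnets
            if (loc, rem) not in covered]


def mismatched_params(onprem, cloud):
    """Return the IKE/IPsec parameter names whose values differ between the two ends.
    Any difference here stops phase 1 or phase 2 negotiation."""
    return sorted(k for k in set(onprem) | set(cloud) if onprem.get(k) != cloud.get(k))


# Constructed parameter sets: the on-premises values are the ones used in the CLI
# steps above; the cloud-side values are assumed here and contain one deliberate
# mismatch (DH group) to show how it is reported.
ONPREM_PARAMS = {
    "ike_version": "v1", "ike_dh_group": "group5", "ike_auth_alg": "sha1",
    "ike_integrity_alg": "hmac-sha2-256", "ike_sa_lifetime": 3600,
    "ipsec_mode": "tunnel", "esp_auth_alg": "sha1", "pfs": "dh-group5",
}
CLOUD_PARAMS = dict(ONPREM_PARAMS, ike_dh_group="group2")

# Constructed ACL text: the page's ACL with rule 4 left out.
PARTIAL_ACL = """
rule 1 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for rule in acl_rules(LOCAL_SUBNETS, REMOTE_SUBNETS):
        print(rule)
    print("uncovered pairs:", missing_pairs(PARTIAL_ACL, LOCAL_SUBNETS, REMOTE_SUBNETS))
    print("mismatched parameters:", mismatched_params(ONPREM_PARAMS, CLOUD_PARAMS))
```

Run it before pasting the ACL into the firewall: the generated rules should match the four rules in the procedure, and both checks should return empty lists once the cloud-side parameters are filled in from the VPN connection you created on the cloud.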