Help Center/ Virtual Private Network/ Administrator Guide/ S2C Enterprise Edition VPN/ Interconnection with a Hillstone Firewall/ Policy-based Mode/ Configuration on the Hillstone Firewall
Updated on 2025-08-19 GMT+08:00
View PDF
Share

Configuration on the Hillstone Firewall

Prerequisites

The basic network configuration of the Hillstone firewall has been completed.

Procedure

  1. Log in to the configuration page.

    A firewall running the 5.5R9 version is used as an example. The configuration pages may vary according to the firewall models and software versions.

  2. Complete basic settings.
    1. Configure a security zone.

      Choose Network > Zone. Click New and set parameters, as shown in Figure 1.

      Figure 1 Configuring a security zone
    2. Configure a security policy.

      Choose Policy > Security Policy > Policy. Click New, choose Policy, and set parameters, as shown in Figure 2.

      Figure 2 Configuring a policy
    3. Configure a basic route.

      Choose Network > Routing > Destination Route. Click New and set parameters, as shown in Figure 3.

      Figure 3 Configuring a destination route
    4. Configure CIDR block information.

      Choose Object > Address Book. Click New, and configure CIDR block information of Huawei Cloud and the on-premises data center in sequence.

      When configuring CIDR block information of the on-premises data center, exclude the gateway address of the downlink private network interface on the Hillstone firewall.

      Figure 4 Configuring CIDR block information
  3. Configure VPN connections.
    1. Choose Network > VPN > IPSec VPN. On the IPsec VPN tab page, click New.
    2. Click the plus sign (+) in the Peer Name drop-down list box to add peer information.
    3. Click the plus sign (+) in the Proposal1 drop-down list box to create a phase-1 proposal. Set parameters and click OK. Figure 5 shows the key parameter settings.
      Figure 5 Configuring a phase-1 proposal
    4. Configure VPN peers. As the Huawei Cloud VPN gateway has two EIPs bound, you need to configure two peers.
      Select the phase-1 proposal created in c from the Proposal1 drop-down list box. Click Advanced Configuration, toggle on NAT Traversal and DPD, and click OK.
      Figure 6 Configuring VPN peers
    5. Click the plus sign (+) in the P2 Proposal drop-down list box to create a phase-2 proposal. Set parameters and click OK. Figure 7 shows the key parameter settings.
      Figure 7 Configuring a phase-2 proposal
    6. Configure VPN connection information. Select each of the VPN peers created in d from the Peer Name drop-down list box, select the phase-2 proposal created in e from the P2 Proposal drop-down list box, select Manual for Proxy ID, configure Proxy ID List, and click OK. Figure 8 shows the key parameter settings.
      Figure 8 Configuring IPsec VPN
  4. Configure VPN policies.
    1. Configure source network address translation (NAT) policies.

      Choose Policy > NAT > SNAT. Click New, configure two source NAT policies, and set their priorities, as shown in Figure 9.

      Figure 9 Configuring source NAT
    2. Configure VPN security policies.

      Choose Policy > Security Policy > Policy. Click New and choose Policy. Configure two VPN security policies and set their priorities to be higher than that of the default security policy configured in b, as shown in Figure 10.

      Figure 10 Configuring VPN security policies
Parent topic: Policy-based Mode