Updated on 2025-07-15 GMT+08:00

Operation Guide

Scenario

Figure 1 shows the typical networking where a Huawei Cloud VPN gateway connects to a Huawei firewall in an on-premises data center in static routing mode.

Figure 1 Typical networking diagram

In this scenario, the firewall has only one public IP address. Two VPN connections are therefore needed: one between the firewall's public IP address and the active EIP of the Huawei Cloud VPN gateway, and one between the same public IP address and the standby EIP.

Data Plan

Table 1 Data plan (example values for the Huawei USG firewall and for the Huawei Cloud side)

VPC
  • Subnet
      Huawei USG firewall: 172.16.0.0/24
      Huawei Cloud side: 192.168.0.0/24

VPN gateway
  • Gateway IP address
      Huawei USG firewall: 1.1.1.1
      Huawei Cloud side: active EIP 1.1.1.2; standby EIP 2.2.2.2
  • Interconnection subnet
      Huawei USG firewall: -
      Huawei Cloud side: 192.168.2.0/24

VPN connection (values shared by both sides)
  • Tunnel interface addresses under Connection 1's Configuration
      Local tunnel interface address: 169.254.70.1/30
      Customer tunnel interface address: 169.254.70.2/30
  • Tunnel interface addresses under Connection 2's Configuration
      Local tunnel interface address: 169.254.71.1/30
      Customer tunnel interface address: 169.254.71.2/30
  • IKE policy
      Authentication algorithm: SHA2-256
      Encryption algorithm: AES-128
      DH algorithm: group 15
      IKE version: IKEv2
      Lifetime (s): 86400
      Local ID: IP address
      Peer ID: IP address
  • IPsec policy
      Authentication algorithm: SHA2-256
      Encryption algorithm: AES-128
      PFS: DH group 15
      Dead peer detection (DPD) timeout period: 45s
      (The default DPD timeout period on the Huawei Cloud side is 45 seconds and cannot be configured.)
      Lifetime (s): 3600
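As an added example (not part of this guide or of any Huawei tool), the following Python script encodes the cloud-side values from Table 1 and checks a planned firewall-side proposal against them: every IKE/IPsec parameter must match (including the non-configurable 45 s DPD timeout), each connection must use two distinct hosts of its own /30 tunnel subnet, one connection must exist per EIP, and the routed subnets must not overlap. The `check_plan` function and its parameter names are assumptions of this example.

```python
import ipaddress

# Values from Table 1 of the data plan. The firewall-side proposal handed to
# check_plan() is whatever the operator intends to configure on the USG.
CLOUD_SUBNET = "192.168.0.0/24"
CLOUD_EIPS = ("1.1.1.2", "2.2.2.2")            # active EIP, standby EIP
INTERCONNECT_SUBNET = "192.168.2.0/24"
FIREWALL_SUBNET = "172.16.0.0/24"
TUNNELS = [("169.254.70.1/30", "169.254.70.2/30"),   # connection 1: local, customer
           ("169.254.71.1/30", "169.254.71.2/30")]   # connection 2: local, customer
CLOUD_PROPOSAL = {
    "ike_version": "IKEv2", "ike_auth": "SHA2-256", "ike_enc": "AES-128",
    "ike_dh_group": 15, "ike_lifetime_s": 86400,
    "ipsec_auth": "SHA2-256", "ipsec_enc": "AES-128", "pfs_group": 15,
    "dpd_timeout_s": 45,       # fixed on the Huawei Cloud side, not configurable
    "ipsec_lifetime_s": 3600,
}


def check_plan(firewall_proposal, tunnels=TUNNELS):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    # 1. Every IKE/IPsec parameter the firewall proposes must equal the cloud
    #    value, otherwise IKE (phase 1) or IPsec (phase 2) negotiation fails.
    for key, cloud_value in CLOUD_PROPOSAL.items():
        fw_value = firewall_proposal.get(key)
        if fw_value != cloud_value:
            problems.append(f"{key}: firewall={fw_value!r} cloud={cloud_value!r}")
    # 2. One connection per cloud EIP (active and standby), each with its own
    #    /30 whose two addresses are distinct hosts of the same network.
    if len(tunnels) != len(CLOUD_EIPS):
        problems.append(f"expected {len(CLOUD_EIPS)} connections, got {len(tunnels)}")
    tunnel_nets = []
    for local, customer in tunnels:
        lo, cu = ipaddress.ip_interface(local), ipaddress.ip_interface(customer)
        if lo.network.prefixlen != 30 or lo.network != cu.network or lo.ip == cu.ip:
            problems.append(f"tunnel pair {local}/{customer} is not one /30 with two hosts")
        tunnel_nets.append(lo.network)
    if len(set(tunnel_nets)) != len(tunnel_nets):
        problems.append("connections reuse the same tunnel /30")
    # 3. Routed subnets must be disjoint, or the static routes become ambiguous.
    named = {"VPC subnet": CLOUD_SUBNET, "interconnection subnet": INTERCONNECT_SUBNET,
             "firewall subnet": FIREWALL_SUBNET}
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in named.items()}
    for a in nets:
        for b in nets:
            if a < b and nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for problem in check_plan(dict(CLOUD_PROPOSAL, ike_dh_group=14)):
        print("PLAN ERROR:", problem)
```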