Operation Guide

Scenario

Figure 1 shows the typical networking where a Huawei Cloud VPN gateway connects to a Huawei firewall in an on-premises data center in static routing mode.

Figure 1 Typical networking diagram
Click to enlarge

In this scenario, the firewall has only one public IP address. A VPN connection needs to be created between the public IP address of the firewall and each of the active and standby EIPs of the Huawei Cloud VPN gateway.

Data Plan

**Table 1** Data plan
Category	Item	Example Value for the Huawei USG Firewall	Example Value for the Huawei Cloud Side
VPC	Subnet	172.16.0.0/24	192.168.0.0/24
VPN gateway	Gateway IP address	1.1.1.1	Active EIP: 1.1.1.2 Standby EIP: 2.2.2.2
VPN gateway	Interconnection subnet	-	192.168.2.0/24
VPN connection	Tunnel interface addresses under Connection 1's Configuration	Local tunnel interface address: 169.254.70.1/30 Customer tunnel interface address: 169.254.70.2/30
	Tunnel interface addresses under Connection 2's Configuration	Local tunnel interface address: 169.254.71.1/30 Customer tunnel interface address: 169.254.71.2/30
	IKE policy	Authentication algorithm: SHA2-256 Encryption algorithm: AES-128 DH algorithm: group 15 IKE version: IKEv2 Lifetime (s): 86400 Local ID: IP address Peer ID: IP address
	IPsec policy	Authentication algorithm: SHA2-256 Encryption algorithm: AES-128 PFS: DH group 15 Dead peer detection (DPD) timeout period: 45s The default DPD timeout period at the Huawei Cloud side is 45 seconds, which cannot be configured. Lifetime (s): 3600