Configuration on the Firewall
Updated on 2025-07-15 GMT+08:00
- Log in to the CLI of the firewall.
The commands may vary according to the firewall models and versions. For details, see the product documentation of the corresponding version.
- Configure basic information.
- Configure IP addresses for interfaces of the firewall.
interface GigabitEthernet1/0/1    # Interface that carries the public IP address of the firewall.
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet1/0/2    # Interface that carries the private IP address of the firewall.
 ip address 172.16.0.233 255.255.0.0
- Add interfaces to security zones.
firewall zone untrust
 add interface GigabitEthernet1/0/1
firewall zone trust
 add interface GigabitEthernet1/0/2
- Configure the TCP MSS. Clamping the MSS leaves room for the ESP and tunnel headers, so TCP segments are not fragmented once they are encapsulated.
firewall tcp-mss 1300
- Configure negotiation policies.
ike proposal 100    # IKE policy for the VPN connection between the public IP address of the firewall and the active EIP of the VPN gateway.
 authentication-algorithm SHA2-256    # Same authentication algorithm as in the IKE policy in Table 3.
 encryption-algorithm AES-128    # Same encryption algorithm as in the IKE policy in Table 3.
 authentication-method pre-share
 integrity-algorithm HMAC-SHA2-256
 prf HMAC-SHA2-256
 dh group15    # Same DH group as in the IKE policy in Table 3.
 sa duration 86400    # Same lifetime as in the IKE policy in Table 3.
ike peer hwcloud_peer33
 undo version 1    # Same IKE version as in the IKE policy in Table 3: disables IKEv1 so that only IKEv2 is negotiated.
 pre-shared-key Test@123    # Same PSK as in Table 3. Test@123 is only an example value; use a long, randomly generated secret in production.
 ike-proposal 100
 remote-address 1.1.1.2    # Active EIP of the VPN gateway.
ipsec proposal IPsec-pro100    # IPsec policy for the VPN connection between the public IP address of the firewall and the active EIP of the VPN gateway.
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm SHA2-256    # Same authentication algorithm as in the IPsec policy in Table 3.
 esp encryption-algorithm aes-128    # Same encryption algorithm as in the IPsec policy in Table 3.
ike proposal 200    # Policies for the VPN connection between the public IP address of the firewall and the standby EIP of the VPN gateway.
 authentication-algorithm SHA2-256
 encryption-algorithm AES-128
 authentication-method pre-share
 integrity-algorithm HMAC-SHA2-256
 prf HMAC-SHA2-256
 dh group15
 sa duration 86400
ike peer hwcloud_peer44
 undo version 1
 pre-shared-key Test@123
 ike-proposal 200
 remote-address 2.2.2.2    # Standby EIP of the VPN gateway.
ipsec proposal IPsec-pro200
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm SHA2-256
 esp encryption-algorithm aes-128
- Configure IPsec tunnels.
ipsec profile HW-IPsec100    # IPsec profile for the tunnel between the public IP address of the firewall and the active EIP of the VPN gateway.
 ike-peer hwcloud_peer33
 proposal IPsec-pro100
 pfs dh-group15    # Same PFS group as in the IPsec policy in Table 3.
 sa duration time-based 3600    # Same lifetime as in the IPsec policy in Table 3.
ipsec profile HW-IPsec200    # IPsec profile for the tunnel to the standby EIP; Tunnel200 below references it, so it must exist and mirror HW-IPsec100.
 ike-peer hwcloud_peer44
 proposal IPsec-pro200
 pfs dh-group15
 sa duration time-based 3600
interface Tunnel100
 ip address 169.254.70.2 255.255.255.252    # IP address of tunnel interface 1 on the firewall.
 tunnel-protocol ipsec
 source 1.1.1.1    # Public IP address of the firewall.
 destination 1.1.1.2    # Active EIP of the VPN gateway.
 service-manage ping permit
 ipsec profile HW-IPsec100
firewall zone untrust
 add interface Tunnel100
interface Tunnel200
 ip address 169.254.71.2 255.255.255.252    # IP address of tunnel interface 2 on the firewall.
 tunnel-protocol ipsec
 source 1.1.1.1    # Public IP address of the firewall.
 destination 2.2.2.2    # Standby EIP of the VPN gateway.
 service-manage ping permit
 ipsec profile HW-IPsec200
firewall zone untrust
 add interface Tunnel200
- Configure routes.
- Configure static routes to the public IP addresses of the Huawei Cloud side.
ip route-static 1.1.1.2 255.255.255.255 1.1.1.1    # Active EIP of the VPN gateway, host mask 255.255.255.255, next hop = gateway address of the firewall's public interface.
ip route-static 2.2.2.2 255.255.255.255 1.1.1.1    # Standby EIP of the VPN gateway, host mask 255.255.255.255, next hop = gateway address of the firewall's public interface.
The next hop must be the upstream (provider) gateway on the public subnet, not the firewall's own interface address; 1.1.1.1 is used as a placeholder here and must be replaced with the real gateway address of the 1.1.1.0/24 segment.
- Configure BGP peers and BGP routes.
bgp 64515
 router-id 1.1.1.1
 private-4-byte-as enable
 peer 169.254.70.1 as-number 64512    # Tunnel interface address of the VPN gateway on tunnel 1; ASN of the VPN gateway.
 peer 169.254.70.1 connect-interface Tunnel100
 peer 169.254.71.1 as-number 64512    # Tunnel interface address of the VPN gateway on tunnel 2.
 peer 169.254.71.1 connect-interface Tunnel200
 ipv4-family unicast
  network 172.16.0.0 255.255.0.0    # On-premises subnet to advertise. The prefix must exist in the IP routing table, here as the connected /16 on GigabitEthernet1/0/2, or BGP will not originate it.
  peer 169.254.70.1 enable
  peer 169.254.71.1 enable
- Configure a security policy.
ip address-set localsubnet172 type object    # Address object for the subnet of the on-premises data center.
 address 0 172.16.0.0 mask 16
ip address-set HWCsubnet192 type object    # Address object for the subnets of the Huawei Cloud VPC.
 address 0 192.168.0.0 mask 24
 address 1 192.168.1.0 mask 24
security-policy
 rule name IPsec_permit1    # Allow IKE (UDP 500/4500), ESP and AH between the firewall itself and the VPN gateway.
  source-zone untrust
  source-zone internet
  source-zone local
  destination-zone untrust
  destination-zone internet
  destination-zone local
  service ah esp
  service protocol udp destination-port 500 4500
  action permit
 rule name IPsec_permit2    # Allow traffic between the on-premises subnet and the VPC subnets in both directions.
  source-zone untrust
  source-zone internet
  source-zone trust
  destination-zone untrust
  destination-zone internet
  destination-zone trust
  source-address address-set localsubnet172
  source-address address-set HWCsubnet192
  destination-address address-set localsubnet172
  destination-address address-set HWCsubnet192
  action permit
nat-policy
 rule name IPsec_subnet_bypass    # Exempt tunnel traffic from source NAT so that the VPC sees the real 172.16.0.0/16 addresses.
  source-zone trust
  destination-zone untrust
  destination-zone internet
  source-address address-set localsubnet172
  destination-address address-set HWCsubnet192
  action no-nat
NAT policy rules are matched from top to bottom, so keep IPsec_subnet_bypass above any source NAT rule that also covers trust-to-untrust traffic; otherwise the on-premises addresses are translated before encryption and the VPC side no longer receives traffic from 172.16.0.0/16.
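The steps above create several objects that must agree with each other: the profile a tunnel references, the peer that profile references, the remote address the peer negotiates with versus the tunnel destination, the BGP peer addresses versus the tunnel /30 subnets, and the advertised network versus the connected routes. As an added example, not taken from this page or from the USG product, the following Python script parses a plain-text copy of the firewall commands and reports broken cross-references before the configuration is pushed to the device. It assumes the commands are laid out as display current-configuration prints them (sub-commands indented by one space); the embedded sample is a constructed copy of the page's commands in which the proposal algorithm lines are omitted and 1.1.1.254 stands in for the upstream gateway of the public interface.

```python
"""Cross-reference lint for the USG IPsec + BGP commands above (added example)."""
import ipaddress
import re

# Constructed copy of the page's commands in 'display current-configuration' layout (sub-commands
# indented by one space); proposal algorithm lines are omitted and 1.1.1.254 is an assumed gateway.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet1/0/2
 ip address 172.16.0.233 255.255.0.0
ike peer hwcloud_peer33
 remote-address 1.1.1.2
ike peer hwcloud_peer44
 remote-address 2.2.2.2
ipsec profile HW-IPsec100
 ike-peer hwcloud_peer33
ipsec profile HW-IPsec200
 ike-peer hwcloud_peer44
interface Tunnel100
 ip address 169.254.70.2 255.255.255.252
 destination 1.1.1.2
 ipsec profile HW-IPsec100
interface Tunnel200
 ip address 169.254.71.2 255.255.255.252
 destination 2.2.2.2
 ipsec profile HW-IPsec200
ip route-static 1.1.1.2 255.255.255.255 1.1.1.254
ip route-static 2.2.2.2 255.255.255.255 1.1.1.254
bgp 64515
 peer 169.254.70.1 as-number 64512
 peer 169.254.70.1 connect-interface Tunnel100
 peer 169.254.71.1 as-number 64512
 peer 169.254.71.1 connect-interface Tunnel200
 network 172.16.0.0 255.255.0.0
"""
TOP = re.compile(r"^(interface|ike peer|ike proposal|ipsec proposal|ipsec profile|bgp)\s+(\S+)")

def parse(text):
    """Group commands by view -> {(kind, name): [sub-commands]}; global one-liners under ('global', '')."""
    blocks, cur = {("global", ""): []}, ("global", "")
    # Strip trailing '#' comments and VRP '#' separator lines, then skip blanks.
    for line in filter(str.strip, (r.split("#", 1)[0].rstrip() for r in text.splitlines())):
        m = TOP.match(line)                           # '^' anchor: only unindented view openers match
        if m:
            cur = (m.group(1), m.group(2))
            blocks.setdefault(cur, [])
            continue
        cur = cur if line.startswith(" ") else ("global", "")
        blocks.setdefault(cur, []).append(line.strip())
    return blocks

def arg(cmds, keyword):
    """Arguments of the first sub-command starting with `keyword`, or None."""
    hits = [c[len(keyword):].split() for c in cmds if c.startswith(keyword + " ")]
    return hits[0] if hits else None

def lint(text):
    """Return human-readable findings; an empty list means the objects are consistent."""
    b, out = parse(text), []
    nets = {n: ipaddress.IPv4Interface("/".join(arg(c, "ip address")))
            for (k, n), c in b.items() if k == "interface" and arg(c, "ip address")}
    routes = [c.split() for c in b[("global", "")] if c.startswith("ip route-static ")]
    # Tunnel -> ipsec profile -> ike peer must chain, remote-address must equal the destination, /32 route must exist.
    for (k, name), cmds in b.items():
        if k != "interface" or not name.startswith("Tunnel"):
            continue
        prof, dest = arg(cmds, "ipsec profile"), arg(cmds, "destination")
        if not prof or ("ipsec profile", prof[0]) not in b:
            out.append(f"{name}: ipsec profile {prof[0] if prof else '(none)'} is not defined")
            continue
        peer = arg(b[("ipsec profile", prof[0])], "ike-peer")
        if not peer or ("ike peer", peer[0]) not in b:
            out.append(f"{prof[0]}: ike-peer {peer[0] if peer else '(none)'} is not defined")
        elif arg(b[("ike peer", peer[0])], "remote-address") != dest:
            out.append(f"{name}: destination {dest[0] if dest else '(none)'} differs from ike peer {peer[0]} remote-address")
        if dest and not any(r[2] == dest[0] and r[3] == "255.255.255.255" for r in routes):
            out.append(f"{name}: no /32 static route to destination {dest[0]}")
    # A next hop must be a neighbour on a connected network, never the firewall's own address.
    for r in routes:
        nh = ipaddress.IPv4Address(r[4])
        if nh in {i.ip for i in nets.values()} or not any(nh in i.network for i in nets.values()):
            out.append(f"route to {r[2]}: next hop {nh} is the firewall itself or not on a connected network")
    # BGP peers must sit on the /30 of their connect-interface; 'network' only originates an exactly matching route.
    bgp = next((c for (k, _), c in b.items() if k == "bgp"), [])
    for t in (c.split() for c in bgp):
        if t[0] == "peer" and t[2] == "as-number":
            addr = ipaddress.IPv4Address(t[1])
            on = [n for n, i in nets.items() if addr in i.network and addr != i.ip]
            if not on or arg(bgp, f"peer {t[1]} connect-interface") not in (None, [on[0]]):
                out.append(f"bgp peer {addr} is not on the subnet of its connect-interface")
        elif t[0] == "network":
            net = ipaddress.IPv4Network(f"{t[1]}/{t[2]}")
            if net not in {i.network for i in nets.values()}:
                out.append(f"bgp network {net} does not match any connected interface network")
    return out
```

Running lint(SAMPLE_CONFIG) on the consistent sample returns an empty list; renaming the HW-IPsec200 definition, shrinking the BGP network mask to /24, or pointing the static routes at the firewall's own address each produces a finding naming the offending object, which are exactly the three mistakes that are easiest to make when copying the commands above by hand.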