Updated on 2025-07-15 GMT+08:00

Configuration on the Firewall

  1. Log in to the CLI of the firewall.

    The commands may vary according to the firewall models and versions. For details, see the product documentation of the corresponding version.

  2. Configure basic information.
    1. Configure IP addresses for interfaces of the firewall.
      interface GigabitEthernet1/0/1              # Configure a public IP address for an interface of the firewall.
      ip address 1.1.1.1 255.255.255.0
      interface GigabitEthernet1/0/2              # Configure a private IP address for an interface of the firewall.
      ip address 172.16.0.233 255.255.0.0
    2. Add interfaces to security zones.
      firewall zone untrust
      add interface GigabitEthernet1/0/1
      firewall zone trust
      add interface GigabitEthernet1/0/2
    3. Configure the TCP MSS.
      firewall tcp-mss 1300
  3. Configure negotiation policies.
    ike proposal 100                    # Configure an IKE policy for the VPN connection to be established between the public IP address of the firewall and the active EIP of the VPN gateway.
    authentication-algorithm SHA2-256     # Set the same authentication algorithm as that configured in the IKE policy in Table 3.
    encryption-algorithm AES-128          # Set the same encryption algorithm as that configured in the IKE policy in Table 3.
    authentication-method pre-share
    integrity-algorithm HMAC-SHA2-256
    prf HMAC-SHA2-256
    dh group15                            # Set the same DH algorithm as that configured in the IKE policy in Table 3.
    sa duration 86400                     # Set the same lifetime as that configured in the IKE policy in Table 3.
    
    ike peer hwcloud_peer33
    undo version 1                         # Set the same IKE version as that configured in the IKE policy in Table 3.
    pre-shared-key Test@123                # Set the same PSK as that configured in Table 3.
    ike-proposal 100
    remote-address 1.1.1.2                 # Specify the active EIP of the VPN gateway.
    
    IPsec proposal IPsec-pro100          # Configure an IPsec policy for the VPN connection to be established between the public IP address of the firewall and the active EIP of the VPN gateway.
    transform esp
    encapsulation-mode tunnel
    esp authentication-algorithm SHA2-256    # Set the same authentication algorithm as that configured in the IPsec policy in Table 3.
    esp encryption-algorithm aes-128    # Set the same encryption algorithm as that configured in the IPsec policy in Table 3.
    
    ike proposal 200                 # Configure policies for the VPN connection to be established between the public IP address of the firewall and the standby EIP of the VPN gateway.
    authentication-algorithm SHA2-256
    encryption-algorithm AES-128
    authentication-method pre-share
    integrity-algorithm HMAC-SHA2-256
    prf HMAC-SHA2-256
    dh group15
    sa duration 86400
    
    ike peer hwcloud_peer44
    undo version 1
    pre-shared-key Test@123
    ike-proposal 200
    remote-address 2.2.2.2                              # Specify the standby EIP of the VPN gateway.
    
    IPsec proposal IPsec-pro200
    transform esp
    encapsulation-mode tunnel
    esp authentication-algorithm SHA2-256
    esp encryption-algorithm aes-128
  4. Configure IPsec tunnels.
    IPsec profile HW-IPsec100           # Configure an IPsec profile for the tunnel between the public IP address of the firewall and the active EIP of the VPN gateway.
    ike-peer hwcloud_peer33
    proposal IPsec-pro100
    pfs dh-group15                      # Set the same PFS as that configured in the IPsec policy in Table 3.
    sa duration time-based 3600         # Set the same lifetime as that configured in the IPsec policy in Table 3.
    
    IPsec profile HW-IPsec200           # Configure the IPsec profile referenced by Tunnel200, for the tunnel between the public IP address of the firewall and the standby EIP of the VPN gateway.
    ike-peer hwcloud_peer44
    proposal IPsec-pro200
    pfs dh-group15                      # Same PFS and lifetime as for HW-IPsec100, matching the IPsec policy in Table 3.
    sa duration time-based 3600
    
    interface Tunnel100
    ip address 169.254.70.2 255.255.255.252       # Specify the IP address of tunnel interface 1 on the firewall.
    tunnel-protocol IPsec
    source 1.1.1.1                                # Specify the public IP address of the firewall.
    destination 1.1.1.2                           # Specify the active EIP of the VPN gateway.
    service-manage ping permit
    IPsec profile HW-IPsec100
    firewall zone untrust
    add interface Tunnel100
    
    interface Tunnel200
    ip address 169.254.71.2 255.255.255.252        # Specify the IP address of tunnel interface 2 on the firewall.
    tunnel-protocol IPsec
    source 1.1.1.1                                 # Specify the public IP address of the firewall.
    destination 2.2.2.2                            # Specify the standby EIP of the VPN gateway.
    service-manage ping permit
    IPsec profile HW-IPsec200
    firewall zone untrust
    add interface Tunnel200
  5. Configure routes.
    1. Configure static routes to the public IP addresses of the Huawei Cloud side.
      ip route-static 1.1.1.2 255.255.255.255 1.1.1.1    # Format: <active EIP of the VPN gateway> 255.255.255.255 <next-hop gateway of the firewall's public interface>. Replace 1.1.1.1 with the actual upstream gateway; it must not be the firewall's own interface address configured in step 2.
      ip route-static 2.2.2.2 255.255.255.255 1.1.1.1    # Format: <standby EIP of the VPN gateway> 255.255.255.255 <next-hop gateway of the firewall's public interface>.
    2. Configure BGP peers and BGP routes.
      bgp 64515
       router-id 1.1.1.1
       private-4-byte-as enable
       peer 169.254.70.1 as-number 64512
       peer 169.254.70.1 connect-interface Tunnel100
       peer 169.254.71.1 as-number 64512
       peer 169.254.71.1 connect-interface Tunnel200
       #
       ipv4-family unicast
        network 172.16.0.0 255.255.0.0             # Advertise the on-premises subnet (172.16.0.0/16, the subnet of GigabitEthernet1/0/2). The network command only takes effect if a route with exactly this prefix exists in the IP routing table.
        peer 169.254.70.1 enable
        peer 169.254.71.1 enable
  6. Configure a security policy.
    ip address-set localsubnet172 type object              # Define an address object.
    address 0 172.16.0.0 mask 16                           # Configure the subnet of the on-premises data center.
    ip address-set HWCsubnet192 type object
    address 0 192.168.0.0 mask 24                          # Configure the subnet of the Huawei Cloud VPC.
    address 1 192.168.1.0 mask 24                          # Use a distinct address ID for each entry in the set.
    
    security-policy
    rule name IPsec_permit1
    source-zone untrust
    source-zone internet
    source-zone local
    destination-zone untrust
    destination-zone internet
    destination-zone local
    service ah esp
    service protocol udp destination-port 500 4500
    action permit
    rule name IPsec_permit2
    source-zone untrust
    source-zone internet
    source-zone trust
    destination-zone untrust
    destination-zone internet
    destination-zone trust
    source-address address-set localsubnet172
    source-address address-set HWCsubnet192
    destination-address address-set localsubnet172
    destination-address address-set HWCsubnet192
    action permit
    
    nat-policy
    rule name IPsec_subnet_bypass
    source-zone trust
    destination-zone untrust
    destination-zone internet
    source-address address-set localsubnet172
    destination-address address-set HWCsubnet192
    action no-nat
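A consistency check for the two-tunnel configuration above, as an added example that is not part of the original page or of any Huawei tooling: it parses a Huawei-style `display current-configuration` excerpt (constructed here, mirroring Tunnel100 and Tunnel200) and reports any tunnel interface whose IPsec profile or IKE peer is missing, whose IKE peer remote-address differs from the tunnel destination, or whose destination lacks the /32 static route from step 5. The sample text, the function names and the indented layout are assumptions, not output from a real device.

```python
import re
# Constructed sample in 'display current-configuration' layout (sub-lines indented). It mirrors
# the page: Tunnel200 references HW-IPsec200, which is never defined, and only 1.1.1.2 has a /32 route.
SAMPLE = """ike peer hwcloud_peer33
 remote-address 1.1.1.2
ipsec profile HW-IPsec100
 ike-peer hwcloud_peer33
interface Tunnel100
 destination 1.1.1.2
 ipsec profile HW-IPsec100
interface Tunnel200
 destination 2.2.2.2
 ipsec profile HW-IPsec200
ip route-static 1.1.1.2 255.255.255.255 1.1.1.1
"""

def parse(text):
    """Return ({(kind, name): {key: value}}, {destinations that have a /32 static route})."""
    blocks, host_routes, cur = {}, set(), ("", "")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()                  # drop trailing comments
        if line[:1].isspace():                                 # indented "<key ...> <value>" sub-line
            key, _, val = line.strip().rpartition(" ")
            blocks.setdefault(cur, {})[key.lower()] = val
        elif m := re.match(r"(ike peer|ipsec profile|interface)\s+(\S+)", line, re.I):
            cur = (m.group(1).lower(), m.group(2))
            blocks[cur] = {}
        else:                                                  # any other top-level line ends a block
            cur, parts = ("", ""), line.split()
            if parts[:2] == ["ip", "route-static"] and parts[3:4] == ["255.255.255.255"]:
                host_routes.add(parts[2])
    return blocks, host_routes

def check_tunnels(text):
    """One finding per dangling profile reference, peer/destination mismatch or missing /32 route."""
    (blocks, host_routes), findings = parse(text), []
    for (kind, name), attrs in blocks.items():
        if kind != "interface" or not name.lower().startswith("tunnel"):   # physical ports carry no profile
            continue
        dest, prof_name = attrs.get("destination"), attrs.get("ipsec profile")
        if dest not in host_routes:
            findings.append(f"{name}: no /32 static route to {dest}")
        prof = blocks.get(("ipsec profile", prof_name))
        peer = blocks.get(("ike peer", (prof or {}).get("ike-peer")), {})
        if prof is None:
            findings.append(f"{name}: IPsec profile {prof_name} is not defined")
        elif peer.get("remote-address") != dest:
            findings.append(f"{name}: IKE peer {prof.get('ike-peer')} remote-address {peer.get('remote-address')} != destination {dest}")
    return findings
```

Run it against the output of `display current-configuration` saved to a file, after stripping any banner lines; an empty list means every tunnel interface resolves to a defined profile, peer and host route.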