Updated on 2025-07-15 GMT+08:00

Operation Guide

Scenario

Figure 1 shows the typical networking where a Huawei Cloud VPN gateway connects to a Huawei access router (AR) in an on-premises data center in static routing mode.

Figure 1 Typical networking diagram

In this scenario, the AR router has two IP addresses, and the Huawei Cloud VPN gateway uses the active/standby mode. A total of two VPN connections need to be created between the active and standby EIPs of the VPN gateway and the two IP addresses of the AR router.

Limitations and Constraints

Huawei Cloud VPN and the AR router support different authentication and encryption algorithms. When creating connections, ensure that the policy settings at both ends are the same.

Data Plan

Table 1 Data plan

| Category | Item | Example Value for the AR Router | Example Value for the Huawei Cloud Side |
|---|---|---|---|
| VPC | Subnet | 172.16.0.0/16 | 192.168.0.0/24, 192.168.1.0/24 |
| VPN gateway | Gateway IP address | Public IP address 1: 1.1.1.1; Public IP address 2: 2.2.2.1 | Active EIP: 1.1.1.2; Standby EIP: 2.2.2.2 |
| VPN gateway | Interconnection subnet | - | 192.168.2.0/24 |

VPN connection

Tunnel interface addresses under Connection 1's Configuration

  • Local tunnel interface address: 169.254.70.1/30
  • Customer tunnel interface address: 169.254.70.2/30

Tunnel interface addresses under Connection 2's Configuration

  • Local tunnel interface address: 169.254.71.1/30
  • Customer tunnel interface address: 169.254.71.2/30

IKE policy

  • IKE version: IKEv2
  • Authentication algorithm: SHA2-256
  • Encryption algorithm: AES-128
  • DH algorithm: group 14
  • Lifetime (s): 86400
  • Local ID: IP address
  • Peer ID: IP address

IPsec policy

  • Authentication algorithm: SHA2-256
  • Encryption algorithm: AES-128
  • PFS: DH group 14
  • Transfer protocol: ESP
  • Lifetime (s): 3600

Operation Process

Figure 2 shows the process of using the VPN service to enable communication between the data center and VPC.

Figure 2 Operation process

Table 2 Operation process description

| No. | Configuration Interface | Step | Description |
|---|---|---|---|
| 1 | Huawei Cloud console | Create a VPN gateway. | Bind two EIPs to the VPN gateway. If you have purchased EIPs, you can directly bind them to the VPN gateway. |
| 2 | Huawei Cloud console | Create customer gateways. | Create two customer gateways with their IP addresses set to the public IP addresses of the AR router. |
| 3 | Huawei Cloud console | Create VPN connections. | Create a total of two VPN connections between the active and standby EIPs of the VPN gateway and the customer gateways. It is recommended that the routing mode, PSK, IKE policy, and IPsec policy settings of the two connections be the same. |
| 5 | Command-line interface (CLI) of the AR router | Configure the AR router. | The local and remote interface addresses configured on the AR router must be the same as the customer and local interface addresses configured on the VPN console, respectively. The routing mode, PSK, IKE policy, and IPsec policy settings on the AR router must be the same as those of the VPN connections. |
| 6 | - | Verify network connectivity. | Run the ping command to verify network connectivity. |
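
The following check is an added example, not part of the original guide or of any Huawei tooling. It compares a console-side plan with an AR-side plan before the router is configured: the tunnel interface addresses must mirror each other and the IKE and IPsec policy settings must be identical. The dictionary layout, key names, and the `check_plan` function are hypothetical; the values come from the data plan above.

```python
import ipaddress

# Console-side values copied from the data plan above (dict layout is hypothetical).
CONSOLE = {
    "conn1": {"local": "169.254.70.1/30", "customer": "169.254.70.2/30"},
    "conn2": {"local": "169.254.71.1/30", "customer": "169.254.71.2/30"},
    "ike": {"version": "IKEv2", "auth": "SHA2-256", "enc": "AES-128",
            "dh": "group 14", "lifetime": 86400},
    "ipsec": {"auth": "SHA2-256", "enc": "AES-128", "pfs": "DH group 14",
              "protocol": "ESP", "lifetime": 3600},
}
# Constructed AR-side plan: same policies, tunnel roles swapped per connection.
AR = {
    "conn1": {"local": "169.254.70.2/30", "remote": "169.254.70.1/30"},
    "conn2": {"local": "169.254.71.2/30", "remote": "169.254.71.1/30"},
    "ike": dict(CONSOLE["ike"]),
    "ipsec": dict(CONSOLE["ipsec"]),
}

def check_plan(console, ar):
    """Return a list of mismatches between the console plan and the AR plan."""
    problems, seen = [], set()
    for conn in ("conn1", "conn2"):
        local = ipaddress.ip_interface(console[conn]["local"])
        cust = ipaddress.ip_interface(console[conn]["customer"])
        hosts = set(local.network.hosts())
        # Both ends must be distinct usable hosts of one tunnel subnet.
        paired = local.network == cust.network and local.ip != cust.ip
        if not (paired and {local.ip, cust.ip} <= hosts):
            problems.append(f"{conn}: console tunnel addresses do not form a pair")
        # The data plan gives each connection its own tunnel subnet.
        if local.network in seen:
            problems.append(f"{conn}: tunnel subnet reused")
        seen.add(local.network)
        # AR local/remote must equal console customer/local, respectively.
        if ipaddress.ip_interface(ar[conn]["local"]) != cust:
            problems.append(f"{conn}: AR local != console customer")
        if ipaddress.ip_interface(ar[conn]["remote"]) != local:
            problems.append(f"{conn}: AR remote != console local")
    for policy in ("ike", "ipsec"):
        for key in sorted(set(console[policy]) | set(ar[policy])):
            c, a = console[policy].get(key), ar[policy].get(key)
            if c != a:
                problems.append(f"{policy}.{key}: console={c!r} ar={a!r}")
    return problems

if __name__ == "__main__":
    print(check_plan(CONSOLE, AR) or "plans agree")
```

The PSK is deliberately left out of the plan dictionaries so that the secret is not stored alongside the rest of the configuration data.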