Help Center/ Virtual Private Network/ Administrator Guide/ S2C Enterprise Edition VPN/ Interconnection with an AR Router of Huawei (Active-Active Connections)/ BGP Routing Mode/ Operation Guide
Updated on 2024-10-11 GMT+08:00
View PDF
Share

Operation Guide

Scenario

Figure 1 shows the typical networking where a VPN gateway connects to the Huawei AR router in an on-premises data center in BGP routing mode.

Figure 1 Typical networking diagram

In this scenario, the AR router has only one IP address, and the VPN gateway uses the active-active mode. A VPN connection is created between each of the two active EIPs of the VPN gateway and the IP address of the AR router.

Limitations and Constraints

VPN and AR routers support different authentication and encryption algorithms. When creating connections, ensure that the policy settings at both ends are the same.

Data Plan

Table 1 Data plan

Category

Item

Example Value for the AR Router

Example Value for the Huawei Cloud Side

VPC

Subnet

172.16.0.0/16

192.168.0.0/24

192.168.1.0/24

VPN gateway

Gateway IP address

1.1.1.1 (IP address of the uplink public network interface GE0/0/8 on the AR router)

Active EIP: 1.1.1.2

Active EIP 2: 2.2.2.2

Interconnection subnet

-

192.168.2.0/24

BGP ASN

64515

64512

VPN connection

Tunnel interface address
  • Tunnel 1: 169.254.70.1/30
  • Tunnel 2: 169.254.71.1/30
  • Tunnel 1: 169.254.70.2/30
  • Tunnel 2: 169.254.71.2/30

IKE policy
  • IKE version: IKEv2
  • Authentication algorithm: SHA2-256
  • Encryption algorithm: AES-128
  • DH algorithm: group 14
  • Lifetime (s): 86400
  • Local ID: IP address
  • Peer ID: IP address

IPsec policy
  • Authentication algorithm: SHA2-256
  • Encryption algorithm: AES-128
  • PFS: DH group 14
  • Transfer protocol: ESP
  • Lifetime (s): 3600

Operation Process

Figure 2 shows the process of using the VPN service to enable communication between the data center and VPC.

Figure 2 Operation process
Table 2 Operation process description

No.

Configuration Interface

Step

Description

1

Management console

Create a VPN gateway.

Bind two EIPs to the VPN gateway.

If you have purchased EIPs, you can directly bind them to the VPN gateway.

2

Create a customer gateway.

Configure the AR router as the customer gateway.

3

Create VPN connection 1.

Create a VPN connection between the active EIP of the VPN gateway and the customer gateway.

4

Create VPN connection 2.

Create a VPN connection between active EIP 2 of the VPN gateway and the customer gateway.

It is recommended that the connection mode, PSK, IKE policy, and IPsec policy settings of the two VPN connections be the same.

5

CLI of the AR router

Configure the AR router.
  • The local and remote tunnel interface addresses configured on the AR router must be the same as the customer and local tunnel interface addresses configured on the VPN console, respectively.
  • The connection mode, PSK, IKE policy, and IPsec policy settings on the AR router must be same as those of VPN connections.

6

-

Verify network connectivity.

Run the ping command to verify network connectivity.
Parent topic: BGP Routing Mode