Configuring VPN When Sangfor Firewall Is Used
Scenarios
Your local data center uses Sangfor firewalls as Internet egresses. An IPsec VPN device is connected to the DMZ zone and needs to access the HUAWEI CLOUD network through a VPN connection.
Topology Connection
Topology connection mode:
- Use the firewall to establish a VPN connection with the cloud.
- Use the VPN device in the DMZ zone and the NAT traversal technique to establish a VPN connection with the cloud.
The configuration details are as follows.
- Private IP address of the VPN device in the local data center: 10.10.10.10/24
- On-premises subnet: 10.0.0.0/16
- IP address of the next-generation firewall: 11.11.11.2/24; Public network gateway: 11.11.11.1; NAT IP address of the VPN device: 11.11.11.11
- IP address of the VPN gateway on the cloud: 22.22.22.22; Subnet on the cloud: 172.16.0.0/16
Create a VPN connection to connect an on-premises network to the VPC subnet.
Configure the VPN connection on HUAWEI CLOUD based on Figure 2. If the VPN device in the DMZ zone uses NAT traversal, the aggressive negotiation mode should be used. If a firewall is used, the main negotiation mode should be used.
Configuration Procedure
This example describes how to configure a VPN when a Sangfor firewall is used in your local data center.
- Configure IPsec VPN.
- Configure IKE phase 1 parameters.
- Configure IPsec phase 2 parameters.
- Configure security parameters.
- Configure routes.
- Configure policies and NAT.
Configuration Verification
Check whether the on-premises subnet can communicate with the subnet on the cloud.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot