Configuring VPN When Sangfor Firewall Is Used
Scenarios
Your local data center uses Sangfor firewalls as Internet egresses. An IPsec VPN device is connected to the DMZ zone and needs to access the HUAWEI CLOUD network through a VPN connection.
Topology Connection
Topology connection mode:
- Use the firewall to establish a VPN connection with the cloud.
- Use the VPN device in the DMZ zone and the NAT traversal technique to establish a VPN connection with the cloud.
The configuration details are as follows.
- Private IP address of the VPN device in the local data center: 10.10.10.10/24
- On-premises subnet: 10.0.0.0/16
- IP address of the next-generation firewall: 11.11.11.2/24
- Public network gateway: 11.11.11.1
- NAT IP address of the VPN device: 11.11.11.11
- IP address of the VPN gateway on the cloud: 22.22.22.22
- Subnet on the cloud: 172.16.0.0/16
Create a VPN connection to connect an on-premises network to the VPC subnet.
Configure the VPN connection on HUAWEI CLOUD based on Figure 2. If the VPN device in the DMZ zone establishes the connection through NAT traversal, use the aggressive negotiation mode. If the firewall itself establishes the connection, use the main negotiation mode.
Configuration Procedure
This example describes how to configure a VPN if the Sangfor firewall is used in your local data center.
- Configure IPsec VPN.
- Configure IKE phase 1 parameters.
- Configure IPsec phase 2 parameters.
- Configure security parameters.
- Configure routes.
- Configure policies and NAT.
Configuration Verification
Check whether the on-premises subnet can communicate with the subnet on the cloud.