Deploy H3C firewall

Last Updated: Mar 12, 2018

When using IPsec-VPN to create a site-to-site connection, you must configure the local gateway according to the IPsec connection configured for the Alibaba Cloud VPN Gateway.

Alibaba Cloud IPsec connections support the IKEv1 and IKEv2 protocols. Any device that supports these two protocols can connect to Alibaba Cloud VPN Gateway. This includes devices from Huawei, H3C, Cisco, ASN, Juniper, SonicWall, Nokia, IBM, and Ixia.

The H3C firewall is used as an example to show how to configure the VPN settings. The configurations used in this tutorial are as follows:

  • The IP address range of the Alibaba Cloud VPC is 192.168.10.0/24.

  • The IP address range of the local data center is 192.168.66.0/24.

  • The public IP address of the H3C firewall is 122.225.207.248.

  • The public Ethernet port is Reth 1.

  • The private Ethernet port is G 2/0/10.

Prerequisites

  • Make sure you have configured IPsec connections. For more information, see Configure a site-to-site connection.

  • Download the configurations of the created IPsec connection.

    In this tutorial, the configurations of the IPsec connection are as follows:

    • IPsec configuration

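      | Protocol | Configuration            | Value |
      |----------|--------------------------|-------|
      | IKE      | Authentication Algorithm | sha1  |
      | IKE      | Encryption Algorithm     | aes   |
      | IKE      | DH Group                 | group2 |
      | IKE      | IKE Version              | ikev1 |
      | IKE      | SA Life Cycle (seconds)  | 86400 |
      | IKE      | Negotiation Mode         | main  |
      | IKE      | PSK                      | h3c   |
      | IPsec    | Authentication Algorithm | sha1  |
      | IPsec    | Encryption Algorithm     | aes   |
      | IPsec    | DH Group                 | group2 |
      | IPsec    | IKE Version              | ikev1 |
      | IPsec    | SA Life Cycle (seconds)  | 86400 |
      | IPsec    | Negotiation Mode         | esp   |
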
    • Network configuration

      | Configuration                               | Value           |
      |---------------------------------------------|-----------------|
      | VPC Private IP address range                | 192.168.10.0/24 |
      | Public IP of VPN Gateway                    | 101.xxx.xxx.127 |
      | Local data center Private IP address range  | 192.168.66.0/24 |
      | Public IP of VPN Gateway                    | 122.xxx.xxx.248 |
      | Uplink Ethernet Ports                       | Reth 1          |
      | Downlink Ethernet Ports                     | G 2/0/10        |

Configure the H3C firewall

Follow these steps to configure the H3C firewall:

  1. Log on to the Console of the H3C firewall, and configure the IP address of the Internet interface and the intranet interface. Then add Internet and intranet configurations to the untrust zone and the trust zone respectively.

  2. Click Network > VPN > IPsec > Policy > Create. In the Create IPSec Policy dialog, click Add in Protected Data stream, and set the network segments of the IDC and the VPC as the source network segment and the destination network segment.

  3. Click IKE Proposal > Create, and configure the IKE proposal according to the configuration downloaded in Step 1.

  4. Click Network > VPN > IPsec > Policy, select the new IPsec policy, click Advanced Configuration, and configure the IPsec protocol according to the configuration downloaded in Step 1.

  5. Click Policy > Security Policy > Create, and set the network segments of the downlink security policy and the uplink security policy.

  6. Click Network > Route > Static Route.

  7. Add the default route, and set the uplink interface as the next hop of the outbound traffic.
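
The check below is an added example, not part of the original tutorial or of any Alibaba Cloud or H3C tooling: it compares the values entered on the firewall in steps 2 to 4 with the downloaded IPsec connection settings, including the direction of the protected data stream. The dictionary key names, the deliberately wrong firewall values and the 16-character PSK minimum are assumptions made for illustration.

```python
import ipaddress

# Constructed sample. Values are the ones in this tutorial's tables; the key
# names are hypothetical and are not the format of the downloaded file.
CLOUD = {
    "ike": {"version": "ikev1", "mode": "main", "auth": "sha1",
            "enc": "aes", "dh": "group2", "lifetime": 86400, "psk": "h3c"},
    "ipsec": {"auth": "sha1", "enc": "aes", "dh": "group2", "lifetime": 86400},
    "vpc_subnet": "192.168.10.0/24",
    "idc_subnet": "192.168.66.0/24",
}

# Constructed sample of what was typed into the firewall in steps 2 to 4,
# with two deliberate mistakes: a different DH group and swapped subnets.
FIREWALL = {
    "ike": dict(CLOUD["ike"], dh="group5"),
    "ipsec": dict(CLOUD["ipsec"]),
    "source_subnet": "192.168.10.0/24",
    "dest_subnet": "192.168.66.0/24",
}

MIN_PSK_LEN = 16  # assumed local policy, not a value from the tutorial


def compare(cloud, fw):
    """List every firewall setting that differs from the cloud-side values."""
    issues = []
    for phase in ("ike", "ipsec"):
        for key, want in cloud[phase].items():
            got = fw[phase].get(key)
            if got != want:
                # Report that the PSK differs without printing either secret.
                detail = "values differ" if key == "psk" else f"{got} != {want}"
                issues.append(f"{phase}.{key}: {detail}")
    # Step 2: on the firewall the protected data stream runs from the data
    # center range (source) to the VPC range (destination).
    net = ipaddress.ip_network
    if net(fw["source_subnet"]) != net(cloud["idc_subnet"]):
        issues.append("source_subnet: must be the local data center range")
    if net(fw["dest_subnet"]) != net(cloud["vpc_subnet"]):
        issues.append("dest_subnet: must be the VPC range")
    if len(cloud["ike"]["psk"]) < MIN_PSK_LEN:
        issues.append(f"ike.psk: shorter than {MIN_PSK_LEN} characters")
    return issues


if __name__ == "__main__":
    for line in compare(CLOUD, FIREWALL):
        print(line)
```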
