VPN Gateway: Configure an H3C firewall device

Last Updated: May 08, 2024

When you use IPsec-VPN to connect a data center to Alibaba Cloud, you must configure the VPN gateway on Alibaba Cloud, and then add VPN configurations to the gateway device in the data center. This topic describes how to add VPN configurations to an H3C firewall device.

Scenario

Figure: H3C configuration scenario example

The preceding scenario is used in this example. A company has deployed a virtual private cloud (VPC) on Alibaba Cloud. The CIDR block of the VPC is 192.168.10.0/24. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. The company has a data center whose CIDR block is 192.168.66.0/24. Due to business development, the company wants to connect the data center to the VPC. The company decides to use a VPN gateway to establish an IPsec-VPN connection between the data center and the VPC. This way, the data center can communicate with the VPC.

The following table describes the network configurations in this example.

Item: Example

VPC
  Private CIDR block of the VPC to be connected to the data center: 192.168.10.0/24

VPN gateway
  Public IP address of the VPN gateway: 101.XX.XX.127

Data center
  Private CIDR block of the data center to be connected to the VPC: 192.168.66.0/24
  Public IP address of the on-premises gateway device: 122.XX.XX.248
  Interface used by the on-premises gateway to connect to the Internet: Reth1
  Interface used by the on-premises gateway to connect to the data center: G2/0/10

Prerequisites

  • A VPN gateway, a customer gateway, and an IPsec-VPN connection are created on Alibaba Cloud. Routes are configured for the VPN gateway. For more information, see Connect a VPC to a data center in dual-tunnel mode.

  • The configurations of the IPsec-VPN connection are downloaded. For more information, see Download the peer configurations of an IPsec-VPN connection.

    The following table describes the configurations of the IPsec-VPN connection in this example.

    Item: Example

    Pre-shared key: ff123TT****

    Internet Key Exchange (IKE) configurations
      IKE version: ikev1
      Negotiation mode: main
      Encryption algorithm: aes
        Note: If the encryption algorithm of the IPsec-VPN connection is Advanced Encryption Standard (AES), the encryption algorithm of the H3C firewall device must be AES-CBC-128.
      Authentication algorithm: sha1
      Diffie-Hellman (DH) group: group2
      Security association (SA) lifecycle (seconds): 86400

    IPsec configurations
      Encryption algorithm: aes
        Note: If the encryption algorithm of the IPsec-VPN connection is AES, the encryption algorithm of the H3C firewall device must be AES-CBC-128.
      Authentication algorithm: sha1
      DH group: group2
      SA lifecycle (seconds): 86400

Configure the H3C firewall device

Note

The following content is for reference only. For actual operations, refer to the manual of the device.

  1. Log on to the web console of the H3C firewall device.

  2. In the left-side navigation pane, choose Network > VPN > IPsec > Policies. On the Create IPsec Policy page, configure the IPsec policy based on the configurations of the IPsec-VPN connection that you downloaded.

    In the Protected Data Stream section, add the data stream to be encrypted.

    Set the source IP address to the private CIDR block of the data center, which is 192.168.66.0/24 in this example. Set the destination IP address to the private CIDR block of the VPC, which is 192.168.10.0/24 in this example.

  3. In the left-side navigation pane, choose Network > VPN > IPsec > IKE Proposal and click Create to add IKE configurations.

  4. In the left-side navigation pane, choose Network > VPN > IPsec > Policies. Find the IPsec policy that you created and click Advanced Settings to add IPsec configurations.

    Important

    Alibaba Cloud VPN Gateway supports only time-based SA lifecycle configuration. Traffic-based SA lifecycle configuration is not supported. The traffic-based SA lifecycle on the VPN gateway side is fixed at zero bytes. When you configure an H3C firewall device, set the traffic-based SA lifecycle to the maximum value.

  5. In the left-side navigation pane, choose Network > VPN > IPsec > Policies > Security Policies > Create to create an upstream security policy and a downstream security policy.

    • The upstream security policy controls traffic from the data center to the VPC.

    • The downstream security policy controls traffic from the VPC to the data center.

  6. In the left-side navigation pane, choose Network > Routes > Static Routes. On the Create IPv4 Static Route page, add a static route.

    • Add a static route to route traffic from the data center to the VPC.

    • Add a static route to route traffic from the VPC to the data center.

      Note

      In this example, this route is not required because a direct route is used. You can add a static route based on your business requirements.
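As an added consistency check that is not part of this topic or of the H3C or Alibaba Cloud software, the following Python script compares the values entered on the H3C device with the downloaded connection configuration: it verifies that the protected data stream mirrors the VPC and data center CIDR blocks, applies the AES-to-AES-CBC-128 renaming from the tables above, and enforces the traffic-based SA lifecycle requirement from step 4. Both dictionaries are constructed sample values, and the device maximum of 4294967295 KB is an assumption; take the real limit from the device manual.

```python
import ipaddress

# Constructed sample of the values in a downloaded Alibaba Cloud IPsec-VPN
# connection configuration (same values as the tables in this topic).
CLOUD_SIDE = {
    "local_cidr": "192.168.10.0/24",   # VPC side of the tunnel
    "remote_cidr": "192.168.66.0/24",  # data center side of the tunnel
    "ike": {"version": "ikev1", "mode": "main", "enc": "aes",
            "auth": "sha1", "dh": "group2", "lifetime": 86400},
    "ipsec": {"enc": "aes", "auth": "sha1", "dh": "group2", "lifetime": 86400},
}

# Constructed sample of what an operator entered on the H3C device.
H3C_SIDE = {
    "src_cidr": "192.168.66.0/24",     # protected data stream: source
    "dst_cidr": "192.168.10.0/24",     # protected data stream: destination
    "ike": {"version": "ikev1", "mode": "main", "enc": "aes-cbc-128",
            "auth": "sha1", "dh": "group2", "lifetime": 86400},
    "ipsec": {"enc": "aes-cbc-128", "auth": "sha1", "dh": "group2",
              "lifetime": 86400, "lifetime_kbytes": 4294967295},
}

# Assumed device maximum for the traffic-based lifetime; check the device manual.
DEVICE_MAX_KBYTES = 4294967295

# The one renaming this topic documents: cloud-side "aes" is AES-CBC-128 on H3C.
# Every other algorithm name is assumed to have to match verbatim.
ENC_NAMES = {"aes": "aes-cbc-128"}


def check_h3c_against_cloud(cloud, h3c, device_max_kbytes=DEVICE_MAX_KBYTES):
    """Return a list of mismatches; an empty list means both ends agree."""
    issues = []
    # 1. The protected data stream must mirror the cloud side's local/remote
    #    CIDR blocks, and the two blocks must not overlap.
    src = ipaddress.ip_network(h3c["src_cidr"])
    dst = ipaddress.ip_network(h3c["dst_cidr"])
    if src != ipaddress.ip_network(cloud["remote_cidr"]):
        issues.append("protected stream source != cloud remote CIDR")
    if dst != ipaddress.ip_network(cloud["local_cidr"]):
        issues.append("protected stream destination != cloud local CIDR")
    if src.overlaps(dst):
        issues.append("data center and VPC CIDR blocks overlap")
    # 2. IKE and IPsec parameters, with the AES name translated for H3C.
    for phase in ("ike", "ipsec"):
        for key, cloud_val in cloud[phase].items():
            expected = ENC_NAMES.get(cloud_val, cloud_val) if key == "enc" else cloud_val
            if h3c[phase].get(key) != expected:
                issues.append(f"{phase}.{key}: expected {expected!r}, got {h3c[phase].get(key)!r}")
    # 3. The VPN gateway rekeys only by time, so the traffic-based lifetime
    #    on the H3C side must sit at the device maximum.
    if h3c["ipsec"].get("lifetime_kbytes") != device_max_kbytes:
        issues.append("ipsec.lifetime_kbytes must be set to the device maximum")
    return issues
```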