Solution to the IPsec VPN interconnection configuration problem between the USG5320 and the H3C F100-C.

Publication Date:  2012-11-02 Views:  420 Downloads:  17
Issue Description
A customer uses a USG5320 and an H3C F100-C to interconnect over an IPsec VPN. After configuration, the IKE and IPsec phases were established on the USG5320, but on the F100-C neither IPsec phase 1 nor phase 2 was established successfully. The private networks at the two ends could not ping each other.
Alarm Information
none
Handling Process
First, the parameters at both ends were checked. On the F100-C, the IKE peer in the IKE phase did not apply the ike-proposal 1 command, and the IKE peer had no IKE proposal reference configured. An H3C engineer was contacted and stated that once the IKE peer is configured, the ike-proposal 1 command does not need to be applied. All other parameters negotiated consistently.
Next, the customer's ACLs were checked. The customer was accustomed to ending each ACL with a deny rule, for example in ACL 3000, which the customer configured as the IPsec interesting traffic on the other device. Our USG5320 uses ACL 3002. The last rule of ACL 3000 is rule 2 deny ip. Once this command is configured it affects subsequent ACL matching, and the system already has an implicit deny policy of its own, so this deny rule does not need to be configured.
acl number 3000
rule 0 permit ip source 192.168.3.0 0.0.0.15 destination 172.16.0.0 0.0.255.255
rule 2 deny ip

acl number 3002
rule 1 permit ip source 192.168.3.0 0.0.0.15 destination 192.168.1.0 0.0.0.255
rule 2 deny ip
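As an added illustration (not from the original article, and not Huawei or H3C tooling), the following Python script parses ACL rules in the format quoted above and evaluates sample flows against them using wildcard-mask semantics and the implicit deny, showing that the trailing explicit rule 2 deny ip yields the same verdict as leaving it out. The evaluation order (ascending rule number) and the sample flows are assumptions.

```python
import ipaddress
import re

# Constructed sample: the two ACLs quoted in the article.
ACL_TEXT = """
acl number 3000
rule 0 permit ip source 192.168.3.0 0.0.0.15 destination 172.16.0.0 0.0.255.255
rule 2 deny ip
acl number 3002
rule 1 permit ip source 192.168.3.0 0.0.0.15 destination 192.168.1.0 0.0.0.255
rule 2 deny ip
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip"
    r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$"
)

def wildcard_match(addr, base, wildcard):
    """Wildcard mask as used by Huawei/H3C ACLs: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_acls(text):
    """Return {acl_number: [(rule_no, action, src, src_wc, dst, dst_wc), ...]}."""
    acls, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[-1]), [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            num, action, s, sw, d, dw = m.groups()
            current.append((int(num), action, s, sw, d, dw))
    return acls

def acl_action(rules, src, dst):
    """First matching rule wins (assumed: ascending rule number); no match falls
    through to the implicit deny, which is why a trailing 'deny ip' is redundant."""
    for _num, action, s, sw, d, dw in sorted(rules, key=lambda r: r[0]):
        if (s is None or wildcard_match(src, s, sw)) and \
           (d is None or wildcard_match(dst, d, dw)):
            return action
    return "deny"

def without_explicit_deny(rules):
    """The same ACL with every explicit deny rule removed."""
    return [r for r in rules if r[1] != "deny"]
```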

Because we use the USG5320, which has no interface fast-forwarding function, while the F100-C interface has the undo ip fast-forwarding inbound/outbound commands, both of those commands need to be supported.
After the customer's ACL was modified and port fast-forwarding was disabled, the IPsec VPN could be established between the two customer ends. Running ping -a 192.168.1.1 192.168.3.1 within the two intranets covered by the policy succeeded, and normal communication was possible.
Root Cause
1. The default configurations of the IKE and IPsec phases at the two customer ends failed to negotiate, i.e. the IKE/IPsec parameters at the two ends were not consistent.
2. Inconsistent ACL parameters caused the phase negotiation to fail.
3. Port fast-forwarding problems affected the negotiation.
Suggestions
For the detailed configuration commands, refer to the attachment.

END