
Establish an IPsec VPN between Huawei USG6600 and a Third-party Firewall

Publication Date: 2018-06-30
Issue Description

The customer wants to configure an IPsec site-to-site VPN between a Huawei USG6300 and a third-party firewall. After all required parameters were configured on both ends, the tunnel still did not come up, and errors were seen during diagnosis.

Product: Huawei USG6600 V500R001C60SPC200

Third-party device: Checkpoint


Alarm Information


Handling Process


1. Compare the IKE and IPsec configuration on both sides; all parameters were found to be the same.

USG6600 configuration as follows:



CheckPoint Firewall configuration as follows:

Local Address: 2.2.2.2/32
Peer Address: 1.1.1.1/32
Authentication Type: Pre-Shared Key
Remote Address Pool: 10.91.0.0/16
Local Address Pool: 172.18.0.0/16

IKE Parameters:

IKE Version: V2
Encryption: 3DES
Integrity Hash: MD5
PRF: MD5
SA Timeout: 86400

IPsec Parameters:

Encryption Mode: Tunnel
Security Protocol: ESP
ESP Encryption: 3DES
ESP Authentication: MD5
PFS: None
SA Timeout: By time: 3600 seconds; By traffic: 20971520 KB

 

2. Check the security policy and NAT policy configuration.

3. Check the routing table.


Root Cause

The IKE version and DH group could not be negotiated successfully with the third-party firewall.


Solution

Change the IKE version from V2 to V1 and the DH group from 14 to 2 on both firewalls.




Suggestions

There may be compatibility issues when establishing an IPsec VPN with a third-party firewall. It is recommended to use a single algorithm set, for example DES and MD5 without SHA2, and to use IKE V1.
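To make the mismatch diagnosed above (and the fix in the Solution section) concrete, here is an added example, not from the Huawei article: it compares the IKE proposal on each peer parameter by parameter, reports exactly which ones block negotiation, and separately flags algorithm choices that are deprecated today. The Checkpoint values come from the listing above; the USG-side values (IKEv2 with DH group 14 before the fix) are assumed, since the USG configuration is not shown on the page.

```python
# Added example: find IKE proposal mismatches between two peers and flag
# deprecated algorithms. Proposal values are constructed for this article's
# case; the USG-side values are assumptions, as its config is not shown.

# Parameters that must agree on both peers for IKE (phase 1) to complete.
IKE_KEYS = ("version", "encryption", "integrity", "prf", "dh_group")
# Parameters that must agree for the IPsec (phase 2) SA.
IPSEC_KEYS = ("mode", "protocol", "esp_encryption", "esp_auth", "pfs")

# Algorithms and DH groups that are deprecated and should be phased out
# (DES/3DES, MD5/SHA-1, MODP groups 1, 2 and 5).
WEAK = {"des", "3des", "md5", "sha1", "dh_group:1", "dh_group:2", "dh_group:5"}


def compare_proposals(local: dict, peer: dict, keys) -> list:
    """Return [(parameter, local_value, peer_value)] for each differing parameter.
    An empty list means the two proposals can match."""
    return [(k, local.get(k), peer.get(k)) for k in keys if local.get(k) != peer.get(k)]


def weak_algorithms(proposal: dict) -> list:
    """Return 'parameter=value' strings for deprecated choices in a proposal."""
    found = []
    for k, v in proposal.items():
        tag = f"{k}:{v}" if k in ("dh_group", "pfs") else str(v).lower()
        if tag in WEAK:
            found.append(f"{k}={v}")
    return found


# Constructed proposals. Checkpoint IKE values follow the article's listing
# (DH group 2 is assumed, as the listing omits it). The USG "before" state
# models the root cause: IKEv2 with DH group 14.
CHECKPOINT_IKE = {"version": 2, "encryption": "3des", "integrity": "md5", "prf": "md5", "dh_group": 2}
USG_IKE_BEFORE = {"version": 2, "encryption": "3des", "integrity": "md5", "prf": "md5", "dh_group": 14}
# After the article's fix: both peers on IKEv1 with DH group 2.
USG_IKE_AFTER = {**USG_IKE_BEFORE, "version": 1, "dh_group": 2}
CHECKPOINT_IKE_AFTER = {**CHECKPOINT_IKE, "version": 1}
# IPsec proposal from the article's Checkpoint listing.
CHECKPOINT_IPSEC = {"mode": "tunnel", "protocol": "esp", "esp_encryption": "3des", "esp_auth": "md5", "pfs": None}

if __name__ == "__main__":
    print("before fix:", compare_proposals(USG_IKE_BEFORE, CHECKPOINT_IKE, IKE_KEYS))
    print("after fix: ", compare_proposals(USG_IKE_AFTER, CHECKPOINT_IKE_AFTER, IKE_KEYS))
    print("deprecated:", weak_algorithms(USG_IKE_AFTER) + weak_algorithms(CHECKPOINT_IPSEC))
```

The same comparison applied to the phase-2 keys catches the other common interoperability failure, a PFS group configured on only one side.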


END