USG2210 and ASA5510 IPsec Interconnection Reference

Published: 2014-09-11
Problem description
USG2210 (115.192.185.102) - ASA5510 (125.77.254.53) IPsec interconnection reference

Interconnecting USG devices with Cisco devices is common in production networks. The principle is the same on both sides; only the commands differ. The points that need attention are called out in the parenthetical notes below.
Handling process
USG2210 configuration:

acl number 3500
rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 10.4.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
rule 15 permit ip source 10.4.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
rule 20 permit ip source 10.4.1.0 0.0.0.255 destination 10.3.0.0 0.0.255.255
ike proposal 1
encryption-algorithm 3des-cbc
dh group2 (the USG default is group 1)
sa duration 28800 (keep consistent with the ASA; the USG default is 86400)


ike peer a
pre-shared-key Yealink!123
ike-proposal 1
undo version 2 (when interconnecting with another vendor, IKE version 1 is generally recommended)
remote-address 125.77.254.53


ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des


ipsec policy map1 10 isakmp
security acl 3500
pfs dh-group2 (must match the ASA; the USG default is dh-group1)
ike-peer a
proposal 1

nat-policy interzone trust untrust outbound (exclude the traffic that goes through the IPsec tunnel from NAT)
policy 0
action no-nat
policy source 10.4.1.0 mask 255.255.255.0
policy destination 192.168.1.0 mask 255.255.255.0
policy destination 10.1.0.0 mask 255.255.0.0 (the 10.1/10.2/10.3 destinations in acl 3500 must bypass NAT as well; these three lines are added here, the original note listed only 192.168.1.0/24)
policy destination 10.2.0.0 mask 255.255.0.0
policy destination 10.3.0.0 mask 255.255.0.0

interface GigabitEthernet0/0/0
ip address 115.192.185.102 255.255.255.0
ipsec policy map1 auto-neg

ASA5510 configuration:

crypto isakmp enable outside (enable ISAKMP on the interface)
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2 (the USG default is group 1)
lifetime 28800
!
crypto isakmp key Yealink!123 address 115.192.185.102 (set the pre-shared key)
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (equivalent to the USG ipsec proposal)
!
access-list HZhuawei permit ip 192.168.1.0 255.255.255.0 10.4.1.0 255.255.255.0 (mirrors acl 3500 rule 5, 192.168.1.0/24)
access-list HZhuawei permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.2.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.3.0.0 255.255.0.0 10.4.1.0 255.255.255.0
!
crypto map outside_map0 30 match address HZhuawei (IPsec interesting traffic)
crypto map outside_map0 30 set peer 115.192.185.102
crypto map outside_map0 30 set transform-set ESP-3DES-SHA
crypto map outside_map0 30 set security-association lifetime seconds 3600 (the USG default is also 3600, the same as the ASA)
crypto map outside_map0 30 set pfs group2 (the USG default is group1, so take care to keep this consistent)


Checking on the USG with the following command shows that the tunnel has been established:
[USG2200] dis ike sa
17:06:05 2012/02/21
current ike sa number: 5
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0x71 125.77.254.53 0 RD|ST v1:2 IPSEC
0x70 125.77.254.53 0 RD|ST v1:1 IPSEC
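As an added example (not code from this page or from either vendor), the following Python check compares the phase-1 and phase-2 parameters transcribed from the two configurations and verifies that every USG ACL rule has a mirrored entry in the ASA access-list. The parameter dicts and ACL lines are constructed sample input; the ASA sample keeps one deliberately non-mirrored entry (192.168.1.0 255.255.0.0, a /16 against the USG /24) to show what a proxy-ID mismatch report looks like.

```python
# Consistency check for the IKEv1/IPsec settings on this page (example code,
# not Huawei or Cisco code). Parameter dicts and ACL lines are constructed sample
# input transcribed from the two configurations; the ASA sample keeps one
# deliberately non-mirrored entry (192.168.1.0 255.255.0.0, i.e. /16 vs the USG /24).
from ipaddress import IPv4Address, IPv4Network

# ASA "hash sha" is SHA-1 and "group 2" is DH group 2; both sides are normalised here.
USG = {"ike_enc": "3des", "ike_hash": "sha1", "ike_dh": 2, "ike_lifetime": 28800,
       "esp_enc": "3des", "esp_auth": "sha1", "pfs": 2, "ipsec_lifetime": 3600}
ASA = {"ike_enc": "3des", "ike_hash": "sha1", "ike_dh": 2, "ike_lifetime": 28800,
       "esp_enc": "3des", "esp_auth": "sha1", "pfs": 2, "ipsec_lifetime": 3600}

USG_ACL = """rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 10.4.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255"""
ASA_ACL = """access-list HZhuawei permit ip 192.168.1.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0"""

def wildcard_net(addr, wildcard):
    """USG ACLs use wildcard masks (0.0.0.255 -> /24, 0.0.255.255 -> /16)."""
    return IPv4Network((addr, 32 - bin(int(IPv4Address(wildcard))).count("1")), strict=False)

def subnet_net(addr, mask):
    """ASA ACLs use subnet masks; strict=False normalises 192.168.1.0/16 to 192.168.0.0/16."""
    return IPv4Network((addr, mask), strict=False)

def usg_pairs(text):
    """(source, destination) networks from 'rule N permit ip source A WC destination B WC'."""
    pairs = set()
    for f in (line.split() for line in text.splitlines()):
        pairs.add((wildcard_net(f[5], f[6]), wildcard_net(f[8], f[9])))
    return pairs

def asa_pairs(text):
    """(source, destination) networks from 'access-list NAME permit ip A MASK B MASK'."""
    pairs = set()
    for f in (line.split() for line in text.splitlines()):
        pairs.add((subnet_net(f[4], f[5]), subnet_net(f[6], f[7])))
    return pairs

def mismatches(usg, asa, usg_acl, asa_acl):
    """Return human-readable problems; an empty list means the two sides agree."""
    problems = [f"{k}: USG {usg[k]} vs ASA {asa[k]}" for k in usg if usg[k] != asa[k]]
    usg_ids = usg_pairs(usg_acl)
    asa_ids = {(dst, src) for src, dst in asa_pairs(asa_acl)}  # ASA proxy IDs as seen from the USG
    for src, dst in sorted(usg_ids - asa_ids):
        problems.append(f"USG rule {src} -> {dst} has no mirrored ASA entry")
    for src, dst in sorted(asa_ids - usg_ids):
        problems.append(f"ASA entry {dst} -> {src} has no mirrored USG rule")
    return problems

if __name__ == "__main__":
    print("\n".join(mismatches(USG, ASA, USG_ACL, ASA_ACL)) or "all parameters and proxy IDs match")
```

Running it as written reports the non-mirrored 192.168.x entry from both sides; correcting the ASA mask to 255.255.255.0 makes the report empty.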