USG3000 and ROS IPsec interconnection

Publication Date: 2012-11-08
Issue Description
An IPsec tunnel needs to be set up between a USG3000 and a ROS device. ROS is a software router.

Configure the USG device according to the ROS screen capture.
Alarm Information
Handling Process
ROS configuration

USG3000 configuration
ike proposal 1                  (default configuration, same as ROS)
ike proposal 2
authentication-algorithm md5    (MD5, same as ROS)

ike peer xianghe
exchange-mode aggressive           (both ends use aggressive mode)
pre-shared-key asdf5566
ike-proposal 2

ipsec policy 2 25 isakmp
security acl 3017
ike-peer xianghe                      
proposal 1

acl number 3017
description for_xianghe
rule 15 permit ip source destination        (interesting traffic, mirroring the ROS side)

acl number 3001   
description for_nat
rule 0 deny ip source destination                 (deny the IPsec traffic in the NAT ACL so it is not translated; ROS does not have this problem)
rule 5 permit ip source
firewall interzone trust untrust
nat outbound 3001 interface GigabitEthernet0/0
interface GigabitEthernet0/0
mtu 1400
description to_wan_chengdu_wuhan
ip address
undo ip fast-forwarding qff      (fast forwarding must be disabled on the USG3000)
ipsec policy 2
Root Cause


Setting up IPsec interconnection with a ROS device is easy, but it is rarely encountered and engineers may be unfamiliar with ROS devices, so this case can serve as a reference.
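An added example, not part of the original case or of any Huawei tool: a small Python check that the NAT ACL exempts the IPsec interesting traffic before any permit rule, as rule 0 of ACL 3001 does in the configuration above, and that lists the legacy IKE settings in use. The addresses in the sample are constructed because the page omits them; ascending rule-ID matching and contiguous dotted wildcard masks are assumed.

```python
import ipaddress
import re

# Constructed sample in the page's USG syntax; every address is an assumption.
SAMPLE = """\
ike proposal 2
 authentication-algorithm md5
ike peer xianghe
 exchange-mode aggressive
acl number 3017
 rule 15 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
acl number 3001
 rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 5 permit ip source 192.168.10.0 0.0.0.255
"""
RULE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+)(?: destination (\S+) (\S+))?")

def net(addr, wildcard):
    # Address plus dotted wildcard mask -> network; a missing clause means "any".
    if addr is None:
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(text):
    # {acl number: [(rule id, action, src net, dst net)]}, sorted by rule id.
    acls, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[2]), [])
        elif current is not None and (m := RULE.match(line)):
            rid, action, s, sw, d, dw = m.groups()
            current.append((int(rid), action, net(s, sw), net(d, dw)))
    return {n: sorted(r, key=lambda x: x[0]) for n, r in acls.items()}

def nat_bypass_gaps(acls, ipsec_acl=3017, nat_acl=3001):
    # IPsec permit rules whose traffic NAT would translate (lowest rule id matches first).
    gaps = []
    for rid, _, src, dst in (r for r in acls[ipsec_acl] if r[1] == "permit"):
        for _, nat_action, nsrc, ndst in acls[nat_acl]:
            if nat_action == "deny" and src.subnet_of(nsrc) and dst.subnet_of(ndst):
                break                # exempted before any NAT permit matched
            if nat_action == "permit" and src.overlaps(nsrc) and dst.overlaps(ndst):
                gaps.append(rid)     # this flow would be NATed instead of tunnelled
                break
    return gaps

def weak_ike_settings(text):
    # Legacy IKEv1 choices that appear in the page's configuration.
    return [s for s in ("authentication-algorithm md5", "exchange-mode aggressive") if s in text]
```

An empty list from `nat_bypass_gaps` means every tunnel flow hits a NAT deny rule first; a returned rule ID identifies interesting traffic that would be translated before IPsec can match it.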