Failure in the USG5300 IPSec Interconnecting with Cisco PIX

Publication Date: 2012-07-25
Issue Description
A USG5300 is to be interconnected over IPSec with a Cisco PIX, using the parameters provided by Cisco:

crypto ipsec transform-set dessha esp-des esp-md5-hmac
crypto map ipsec 480 match address ipsec-aaa
crypto map ipsec 480 set peer *.*.*.*
crypto map ipsec 480 set transform-set dessha
crypto map ipsec 480 set security-association lifetime seconds 86400
crypto map ipsec interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
The Huawei Symantec device is configured with the same parameters, using main mode as the negotiation mode and IP address (IP authentication) as the ID type. The communication fails.
Alarm Information
None.
Handling Process
Analysis of the symptom and consultation with R&D personnel showed that Huawei Symantec devices are currently limited in their IPSec configuration: the only two supported combinations are main mode with IP authentication and aggressive mode with name authentication. Because the Cisco devices are running on the live network, no parameter on the Cisco side can be modified.
Therefore, the only way to make the Cisco and Huawei Symantec devices communicate is to set the Huawei Symantec device to aggressive mode with name authentication. In addition, the communication works only when our device proactively initiates the negotiation. It is therefore recommended to set the lifetime on the Huawei Symantec device shorter than that on the Cisco device. This ensures that every re-negotiation is initiated by the Huawei Symantec device and so keeps the communication between the two devices working.
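The following is an added example of what the Huawei Symantec side described above looks like; it is not the configuration from the original case and not Huawei's own documentation. It assumes VRP-style IPSec commands of USG5300-class devices (exact keyword spelling varies by software version), a constructed peer address 192.0.2.1, placeholder names and pre-shared key, and 43200-second lifetimes so that the USG always rekeys before the PIX's 86400-second lifetimes expire. Lines starting with # are annotations.

```text
# Added example, not the original case's configuration; keywords vary by version.
# Local name sent as the aggressive-mode ID (system view); must match the name
# the PIX expects from this peer.
 ike local-name usg5300
#
# Phase 1: mirrors "crypto isakmp policy 1" on the PIX (pre-share, AES, SHA,
# group 2), but with a shorter lifetime (43200 < 86400) so the USG initiates.
ike proposal 10
 authentication-method pre-share
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group2
 sa duration 43200
#
# IKE peer: aggressive mode with name authentication, the one supported
# combination that works with the PIX when the USG initiates.
# 192.0.2.1 is a constructed address; PLACEHOLDER_PSK stands for the real key.
ike peer pix
 exchange-mode aggressive
 local-id-type name
 remote-name pix
 remote-address 192.0.2.1
 pre-shared-key PLACEHOLDER_PSK
 ike-proposal 10
#
# Phase 2: matches "transform-set dessha esp-des esp-md5-hmac" on the PIX.
ipsec proposal dessha
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm des
 esp authentication-algorithm md5
#
# ACL 3000 selects the traffic to protect (counterpart of "ipsec-aaa" on the PIX);
# the subnets are constructed.
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
#
# IPSec policy: the IPSec SA lifetime is also shorter than the PIX's 86400 seconds.
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer pix
 proposal dessha
 sa duration time-based 43200
#
# Apply the policy on the outside interface (interface name is an assumption).
interface GigabitEthernet0/0/0
 ipsec policy map1
```

ESP-DES with HMAC-MD5 is kept here only because the PIX side cannot be changed; both algorithms are deprecated and should be replaced by AES and a SHA-based integrity algorithm as soon as the Cisco side can be updated.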
Root Cause

By default, the Cisco PIX uses main mode as the negotiation mode and name authentication as the ID type, a combination the Huawei Symantec device does not support. Therefore, the communication fails.
Suggestions
Huawei Symantec devices will support name authentication in main mode in a future release, which will resolve the problem in this case.
