The interconnect reference of USG2210 and ASA5100 IPSEC

Publication Date: 2012-09-12
Issue Description
The interconnect reference of USG2210 and ASA5100 IPSEC

IPsec interconnection between a USG2210 and an ASA5100 is common in live networks. The principle is the same on both devices; only the command syntax differs. Pay attention to the parenthetical notes in the configurations below (marked in red in the original): they are the parameters that must be kept consistent on both sides.
Alarm Information
Null
Handling Process
USG2210 configuration:

acl number 3500
 rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 10.4.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
 rule 15 permit ip source 10.4.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
 rule 20 permit ip source 10.4.1.0 0.0.0.255 destination 10.3.0.0 0.0.255.255

ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2 (USG default is group1; must match the ASA)
 sa duration 28800 (must match the ASA lifetime; USG default is 86400)

ike peer a
 pre-shared-key Yealink!123
 ike-proposal 1
 undo version 2 (IKEv1 is recommended when interconnecting with another vendor's device)
 remote-address 125.77.254.53

ipsec proposal 1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des

ipsec policy map1 10 isakmp
 security acl 3500
 pfs dh-group2 (must match the ASA; USG default is dh-group1)
 ike-peer a
 proposal 1

nat-policy interzone trust untrust outbound (exclude the IPsec traffic from NAT)
 policy 0
  action no-nat
  policy source 10.4.1.0 mask 255.255.255.0
  policy destination 192.168.1.0 mask 24

interface GigabitEthernet0/0/0
 ip address 115.192.185.102 255.255.255.0
 ipsec policy map1 auto-neg

ASA5510 configuration:

crypto isakmp enable outside (enable ISAKMP on the outside interface)
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2 (USG default is group1; must match)
 lifetime 28800

crypto isakmp key Yealink!123 address 115.192.185.102 (pre-shared key for the USG peer)

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (equivalent of the USG ipsec proposal)

access-list hzhuawei permit ip 192.168.1.0 255.255.255.0 10.4.1.0 255.255.255.0 (exact mirror of USG ACL rule 5; the masks must match)
access-list hzhuawei permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list hzhuawei permit ip 10.2.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list hzhuawei permit ip 10.3.0.0 255.255.0.0 10.4.1.0 255.255.255.0
!
crypto map outside_map0 30 match address hzhuawei (IPsec interesting traffic)
crypto map outside_map0 30 set peer 115.192.185.102
crypto map outside_map0 30 set transform-set ESP-3DES-SHA
crypto map outside_map0 30 set security-association lifetime seconds 3600 (USG default is also 3600, so it already matches)
crypto map outside_map0 30 set pfs group2 (USG default is group1, so the USG must be set explicitly to match)
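Every parameter flagged in the two configurations above has to agree on both peers, and the proxy IDs are written with a wildcard mask on the USG but a netmask on the ASA, which makes a mistyped mask easy to miss. The following checker is an added example and is not part of this case or of either vendor's software: it parses the relevant lines of both configurations (constructed here from the case text, with the explanatory notes removed), normalises the algorithm names, and lists every mismatch. It assumes that a USG ike proposal without an explicit authentication-algorithm uses sha1, which is labelled as an assumption in the code.

```python
"""Added example, not part of the original case: parse the parameters that
the USG and the ASA must agree on and report every mismatch, including
proxy IDs written with a wildcard mask on the USG and a netmask on the ASA."""
import ipaddress
import re

# Both snippets are constructed from the case text (notes removed).
USG_CONFIG = """
acl number 3500
rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 10.4.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
rule 15 permit ip source 10.4.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
rule 20 permit ip source 10.4.1.0 0.0.0.255 destination 10.3.0.0 0.0.255.255
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
sa duration 28800
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy map1 10 isakmp
pfs dh-group2
"""

ASA_CONFIG = """
crypto isakmp policy 20
encryption 3des
hash sha
group 2
lifetime 28800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list hzhuawei permit ip 192.168.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list hzhuawei permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list hzhuawei permit ip 10.2.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list hzhuawei permit ip 10.3.0.0 255.255.0.0 10.4.1.0 255.255.255.0
crypto map outside_map0 30 set pfs group2
"""

# Vendor spellings of the same hash algorithm.
HASH_NAMES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}


def network(addr, mask):
    """Build a network from an address plus a wildcard (USG) or netmask (ASA).
    ipaddress accepts both forms; its default strict mode rejects a mask that
    leaves host bits set, which would make the two proxy IDs differ."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}")
    except ValueError as exc:
        return f"INVALID {addr}/{mask} ({exc})"


def first(pattern, text, default=None):
    """Return group 1 of the first line matching pattern, or default if absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default


def parse_usg(text):
    """Extract the negotiated parameters from a USG-style configuration."""
    flows = {(network(m[1], m[2]), network(m[3], m[4])) for m in re.finditer(
        r"^rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)", text, re.M)}
    return {
        "ike_enc": first(r"^encryption-algorithm (\S+)", text).replace("-cbc", ""),
        # Assumption: sha1 is the USG default when the proposal does not set it.
        "ike_hash": HASH_NAMES[first(r"^authentication-algorithm (\S+)", text, "sha1")],
        "ike_dh": first(r"^dh group(\d+)", text),
        "ike_life": int(first(r"^sa duration (\d+)", text)),
        "esp_enc": first(r"^esp encryption-algorithm (\S+)", text),
        "esp_auth": HASH_NAMES[first(r"^esp authentication-algorithm (\S+)", text)],
        "pfs": first(r"^pfs dh-group(\d+)", text),
        "flows": flows,
    }


def parse_asa(text):
    """Extract the same parameters from an ASA-style configuration."""
    ts = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", text)
    flows = {(network(m[1], m[2]), network(m[3], m[4])) for m in re.finditer(
        r"^access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)}
    return {
        "ike_enc": first(r"^encryption (\S+)", text),
        "ike_hash": HASH_NAMES[first(r"^hash (\S+)", text)],
        "ike_dh": first(r"^group (\d+)", text),
        "ike_life": int(first(r"^lifetime (\d+)", text)),
        "esp_enc": ts.group(1),
        "esp_auth": HASH_NAMES[ts.group(2)],
        "pfs": first(r"set pfs group(\d+)", text),
        "flows": flows,
    }


def compare(usg, asa):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    keys = ("ike_enc", "ike_hash", "ike_dh", "ike_life", "esp_enc", "esp_auth", "pfs")
    problems = [f"{k}: USG={usg[k]} ASA={asa[k]}" for k in keys if usg[k] != asa[k]]
    # The ASA ACL must be the exact (destination, source) mirror of the USG ACL.
    mirrored = {(dst, src) for src, dst in usg["flows"]}
    for src, dst in sorted(mirrored ^ asa["flows"], key=str):
        problems.append(f"proxy-id not mirrored: {src} -> {dst}")
    return problems


if __name__ == "__main__":
    result = compare(parse_usg(USG_CONFIG), parse_asa(ASA_CONFIG))
    for line in result or ["all parameters consistent"]:
        print(line)
```

Run it as-is and it reports no mismatch; change `group 2` to `group 1` on the ASA side, or write the 192.168.1.0 entry with a 255.255.0.0 mask, and the corresponding line is flagged before the tunnel is ever brought up.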

Check on the USG with the following command; the output shows that the tunnel has been established successfully:

[USG2200] dis ike sa
17:06:05 2012/02/21
current ike sa number: 5
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0x71 125.77.254.53 0 RD|ST v1:2 IPSEC
0x70 125.77.254.53 0 RD|ST v1:1 IPSEC
Root Cause
Null
Suggestions
Null

END