USG3030 interconnect with H3C Firewall

Publication Date: 2012-09-13
Issue Description
Network topology:
USG3030-----------H3C F100-A
The H3C IPsec configuration commands are similar to those of the USG3030. The following is an example configuration.
Alarm Information
Null
Handling Process
The configuration of USG3030:
ike proposal 10
authentication-algorithm md5
#
ike peer a
pre-shared-key abade
ike-proposal 10
remote-address 221.224.132.2           
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy map 10 isakmp
security acl 3502
ike-peer a
proposal tran1
#
interface Virtual-Template1
ppp authentication-mode chap
ip address 10.10.1.1 255.255.255.0
remote address pool 1
#
interface GigabitEthernet0/0
ip address 180.213.1.130 255.255.255.248
undo ip fast-forwarding qff         // disable fast forwarding
ipsec policy map
#
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
undo ip fast-forwarding qff         // disable fast forwarding

acl number 3501
rule 5 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
// Deny the IPsec traffic so that it is excluded from NAT
rule 10 permit ip source 192.168.0.0 0.0.0.255

firewall interzone trust untrust
nat outbound 3501 address-group 1

The configuration of H3C:
ike proposal 10     // the IKE proposal is not applied in the IKE peer; it is searched for automatically
authentication-algorithm md5
#
ike peer a
pre-shared-key abade
remote-address 180.213.1.130
#
ipsec proposal 10
#
ipsec proposal tran1
esp authentication-algorithm sha1      
esp encryption-algorithm 3des
#
ipsec policy map1 10 isakmp
security acl 3500
ike-peer a
proposal tran1
#
interface Ethernet1/0
ip address 221.224.132.2 255.255.255.248
firewall packet-filter 3002 inbound  
firewall packet-filter qiantai outbound
nat outbound nat      // NAT outbound is applied to the port
ipsec policy map1

acl name  nat
rule 5 deny source xxx destination xxx  // Deny the IPsec traffic so that it is excluded from NAT
rule 10 permit
object address abc 192.168.1.0 255.255.255.0
object address bcd 192.168.0.0 255.255.255.0
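
A consistency check for the two configurations above, added here as an example; it is not part of the original case or of either vendor's tooling. It parses the IPsec-related sections (excerpted from the page), reports proposals, keys or peer addresses that do not mirror each other, and flags the MD5 and 3DES settings as weak. The function names and the WEAK set are assumptions of this example.

```python
import re
WEAK = {"md5", "des", "3des"}  # assumption: algorithms this example treats as weak
# Constructed sample: IPsec-related lines excerpted from the two configurations above.
SHARED = """ike proposal 10
authentication-algorithm md5
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike peer a
pre-shared-key abade
"""
USG = SHARED + """remote-address 221.224.132.2
#
interface GigabitEthernet0/0
ip address 180.213.1.130 255.255.255.248
ipsec policy map"""
H3C = SHARED + """remote-address 180.213.1.130
#
interface Ethernet1/0
ip address 221.224.132.2 255.255.255.248
ipsec policy map1"""

def parse(text):  # {section header: [setting lines]}, split on '#', '//' notes dropped
    blocks = ([s for s in (l.split("//")[0].strip() for l in b.splitlines()) if s]
              for b in re.split(r"^#[ \t]*$", text, flags=re.M))
    return {b[0]: b[1:] for b in blocks if b}

def get(sec, key):  # first token after `key` in a section, or None
    return next((l.split()[len(key.split())] for l in sec if l.startswith(key + " ")), None)

def wan_ip(cfg):  # address of the interface that has the IPsec policy applied
    return next((get(s, "ip address") for n, s in cfg.items()
                 if n.startswith("interface") and get(s, "ipsec policy")), None)

def audit(a_text, b_text):
    a, b, out = parse(a_text), parse(b_text), []
    for name in sorted(set(a) | set(b)):
        sa, sb = a.get(name, []), b.get(name, [])
        if " proposal " in name:  # IKE and IPsec proposals must be identical on both peers
            if sorted(sa) != sorted(sb):
                out.append(f"mismatch: {name}")
            out += [f"weak: {name}: {l}" for l in sorted(set(sa + sb)) if l.split()[-1] in WEAK]
        elif name.startswith("ike peer"):  # same key; remote-address mirrors the peer's interface
            if get(sa, "pre-shared-key") != get(sb, "pre-shared-key"):
                out.append(f"mismatch: {name} pre-shared-key")
            if get(sa, "remote-address") != wan_ip(b) or get(sb, "remote-address") != wan_ip(a):
                out.append(f"mismatch: {name} remote-address")
    return out
```

Calling `audit(USG, H3C)` on the excerpts returns only the two weak-algorithm findings, since the proposals, key and peer addresses on the page already mirror each other.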

Root Cause
Null
Suggestions
Null

END