USG3000 and ROS IPsec interconnection

Publication Date: 2012-11-08
Issue Description
A USG3000 and a ROS device need to be interconnected over IPsec. ROS is a software router.

The USG device is configured according to the ROS screen capture.
Alarm Information
none
Handling Process
ROS configuration




USG3000 configuration
ike proposal 1                  (uses the default configuration, the same as on ROS)
ike proposal 2
authentication-algorithm md5    (uses MD5, the same as on ROS)

ike peer xianghe
exchange-mode aggressive           (both ends use aggressive mode)
pre-shared-key asdf5566
ike-proposal 2
remote-address 59.108.34.19

ipsec policy 2 25 isakmp
security acl 3017
ike-peer xianghe                      
proposal 1

acl number 3017
description for_xianghe
rule 15 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.0 0.0.0.255        (the interesting traffic; it mirrors the ROS side)

acl number 3001   
description for_nat
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255                 (excludes the IPsec flow from NAT; this problem does not exist on ROS)
rule 5 permit ip source 192.168.0.0 0.0.255.255
firewall interzone trust untrust
nat outbound 3001 interface GigabitEthernet0/0
interface GigabitEthernet0/0
mtu 1400
description to_wan_chengdu_wuhan
ip address 59.108.109.82 255.255.255.240
undo ip fast-forwarding qff      (the fast-forwarding function must be disabled on the USG3000)
ipsec policy 2
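
The NAT exclusion in ACL 3001 only works if its deny rule covers everything ACL 3017 selects for the tunnel before the permit rule is reached. The following is an added example, not part of the original case, that checks this against the ACL lines shown above. It assumes rules are evaluated in rule-ID order with the first match deciding, and that traffic matching no NAT rule is not translated; the function names are hypothetical.

```python
import ipaddress
import re

# ACL lines copied from the USG3000 configuration in this case.
CONFIG = """\
acl number 3017
rule 15 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.0 0.0.0.255
acl number 3001
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 5 permit ip source 192.168.0.0 0.0.255.255
"""

RULE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+)"
                  r"(?: destination (\S+) (\S+))?")

def net(addr, wildcard):
    """Turn an address plus contiguous wildcard mask into a network (None = any)."""
    if addr is None:
        return ipaddress.ip_network("0.0.0.0/0")
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def parse(config):
    """Return {acl_number: [(rule_id, action, src_net, dst_net), ...]}."""
    acls, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("acl number"):
            current = acls.setdefault(int(line.split()[2]), [])
        elif current is not None and (m := RULE.match(line)):
            rid, action, src, sw, dst, dw = m.groups()
            current.append((int(rid), action, net(src, sw), net(dst, dw)))
    return acls

def nat_exempt(flow, nat_rules):
    """True if a deny covers the whole flow before any other NAT rule touches it.
    Assumption: rules are tried in rule-ID order and the first match decides."""
    _, _, fsrc, fdst = flow
    for _, action, src, dst in sorted(nat_rules, key=lambda r: r[0]):
        if fsrc.overlaps(src) and fdst.overlaps(dst):
            return action == "deny" and fsrc.subnet_of(src) and fdst.subnet_of(dst)
    return True  # assumption: traffic matching no NAT rule is not translated

def natted_tunnel_flows(config, crypto_acl=3017, nat_acl=3001):
    """Rule IDs of IPsec permit rules whose traffic would be NATed first."""
    acls = parse(config)
    return [f[0] for f in acls[crypto_acl]
            if f[1] == "permit" and not nat_exempt(f, acls[nat_acl])]
```

Calling `natted_tunnel_flows(CONFIG)` returns an empty list for the configuration in this case; a non-empty result lists the ACL 3017 rules whose traffic would be translated before it can match the IPsec policy.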
Root Cause

none

Suggestions
Although IPsec interconnection with a ROS device is easy, it is seldom encountered and the ROS device may be unfamiliar, so this case can be used as a reference.
