Basic Information About IPSec Interoperation Between HUAWEI Firewalls and Cisco Firewalls

HUAWEI USG Series Firewalls Interoperability Configuration Guide for VPN

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Basic Information About IPSec Interoperation Between HUAWEI Firewalls and Cisco Firewalls

IPSec Capability Comparison

Table 2-2 IPSec capability comparison

IPSec Function	HUAWEI Firewalls	Cisco Firewalls
ISAKMP mode	√	√
Policy template mode	√	√
Virtual tunnel interface mode	√	× NOTE: The tunnel interface cannot be configured on Cisco ASA5520-K8. As a result, routes cannot be aggregated to this interface. Therefore, IPSec configuration in this mode is not supported. However, HUAWEI firewalls can still use route-based IPSec to connect to Cisco ASA5520-K8.
NAT traversal	√	√
GRE over IPSec	√	× NOTE: Cisco ASA5520-K8 does not provide the GRE function and therefore does not support GRE over IPSec connection with HUAWEI firewalls. Note that router products of Cisco support the GRE over IPSec function.

Comparison of Major Processes for Configuring the IPSec Service

Figure1 shows the major processes of IPSec service configurations on the HUAWEI firewalls and Cisco firewalls.

Cisco has its own way of naming IPSec service configurations. For example, the crypto map command is used to configure the crypto map, and the crypto ipsec transform-set command is used to configure the IPSec transform set. All these naming methods are different from those of HUAWEI firewalls.
No matter what the naming method is, it is all about the definitions of the IPSec negotiation process, proposal, and algorithm in the IPSec protocol suite. For ease of understanding, the names of Cisco firewalls IPSec configuration steps are replaced with those of HUAWEI firewalls.

Figure 2-1 Process for configuring IPSec services on HUAWEI firewalls and Cisco firewalls
click to enlarge

The following table lists precautions of various configuration steps and their associations.

Table 2-3 Precautions and configuration association between HUAWEI firewalls and Cisco firewalls

Configuration Item	HUAWEI Firewalls	Cisco Firewalls
Basic configurations	The basic configurations of the HUAWEI firewalls involve the following items: Configure interface IP addresses. Assign the interfaces to security zones. Permit ping packets to the interface. Permit interaction traffic between the intranet and extranet.	The basic configurations of the Cisco firewalls involve the following items: Configure interface IP addresses. Specify interface names. Configure interface security levels. Through comparison, it seems that the Cisco firewalls do not implement security policy control between the intranet and extranet. Actually, however, the Cisco firewalls provide default security policy control based on the interface security level, which will be described in specific cases.
A route to the peer intranet	Configure a route to the peer intranet.	Configure a route to the peer intranet.
ACL	The source address and destination address of the ACL respectively correspond to the local intranet address and peer destination address. The ACL on one end of the tunnel must reflect that on the other end.	The source address and destination address of the ACL respectively correspond to the local intranet address and peer destination address.
IKE proposal	The IKE proposal configuration involves the following items: Configure the encryption algorithm. Configure the authentication algorithm. Configure the authentication mode. Configure the DH group.	The IKE proposal of the Cisco firewalls also consist of the encryption algorithm, authentication algorithm, authentication mode, and DH group. However, the Cisco firewalls use the crypto isakmp policy command, which is similar to that used in the IPSec policy configuration on the HUAWEI firewalls. Do not confuse them.
IPSec proposal	The IPSec proposal configuration involves the following items: Configure the encryption algorithm. Configure the authentication algorithm.	The IPSec proposal configuration involves the following items: Configure the encryption algorithm. Configure the authentication algorithm. The IPSec proposal configuration on the Cisco firewalls use only the crypto ipsec transform-set command instead of a dedicated view. This command has two parameters, with one indicating the encryption algorithm and the other the authentication algorithm.
IKE peer	The IKE peer is unique to the HUAWEI firewalls. Its configuration involves the following items: Reference the configured IKE proposal. Specify the peer address of the tunnel. Specify the IKE version. Configure the IKE negotiation mode. Configure the pre-shared key.	The Cisco firewalls do not have the view for configuring the IKE peer. It uses the crypto isakmp key key-name address ip-address command to specify the pre-defined key and peer address.
IPSec policy or template	The IPSec tunnel can be established in either the policy mode or the template mode. The configuration in the IPSec policy view involves the following items: Reference the configured ACL. Reference the configured IKE peer. Reference the configured IPSec proposal.	The Cisco firewalls do not have the view for configuring the IPSec policy. It uses the crypto map map-name ike proposal command to specify the peer address, IPSec proposal, and ACL.
Application of the IPSec policy to the interface	Apply the configured IPSec policy to the interface at which the tunnel is established. By default, the HUAWEI firewalls enable the IPSec policy applied to this interface.	For the Cisco firewalls, you shall first apply the IPSec policy to the tunnel interface and then enable this policy.

Comparison Between IPSec Default Values

Table 2-4 Comparison between the default IPSec values of HUAWEI firewalls and Cisco firewalls

Configuration Item	HUAWEI Firewalls	Cisco Firewalls
IKE proposal	Encryption algorithm: AES-128 Authentication algorithm: SHA2-256 Integrity algorithm: HMAC-SHA2-256 DH: group2 Authentication method: pre-share	Encryption algorithm: 3DES Authentication algorithm: SHA-1 Integrity algorithm: SHA-1 DH: Group 2 Authentication method: pre-share
IPSec proposal	Security protocol: ESP ESP encryption algorithm: AES-128 ESP authentication algorithm: SHA2-256	Security protocol: ESP ESP encryption algorithm: 3DES ESP authentication algorithm: SHA-1
IKE version	V1&V2	V1&V2

IPSec Capability Comparison
Comparison of Major Processes for Configuring the IPSec Service
Comparison Between IPSec Default Values

Translation

简体中文

Download

Updated: 2023-09-12

Document ID: EDOC1000154805

Downloads: 5081

Average rating:

This Document Applies to these Products

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

IPSec Capability Comparison

Comparison of Major Processes for Configuring the IPSec Service

Comparison Between IPSec Default Values

Related Version

Related Documents