
Failure in USG5300 IPSec Interconnection with a Vendor PIX

Publication Date:  2019-07-05 Views:  487 Downloads:  0

Issue Description

The USG5300 is to be interconnected over IPSec with a vendor PIX, using the following parameters supplied by the vendor:

crypto ipsec transform-set dessha esp-des esp-md5-hmac
crypto map ipsec 480 match address ipsec-aaa
crypto map ipsec 480 set peer *.*.*.*
crypto map ipsec 480 set transform-set dessha
crypto map ipsec 480 set security-association lifetime seconds 86400
crypto map ipsec interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

The Huawei Symantec device is configured with the preceding parameters, using main mode as the negotiation mode and IP authentication as the ID type. Communication fails.

Alarm Information


Handling Process

Analysis of the symptom and consultation with R&D personnel show that Huawei Symantec devices are currently limited in their IPSec configuration: the two supported combinations are main mode with IP authentication, or aggressive mode with name authentication. Because the vendor devices are running on the live network, their parameters cannot be modified.
Therefore, for the Huawei Symantec device to communicate with the vendor device, the only solution is to set the Huawei Symantec device to aggressive mode with name authentication. Communication is possible only if our device proactively initiates the negotiation, so it is recommended that the lifetime on the Huawei Symantec device be set shorter than that on the vendor device. This ensures that re-negotiations are always initiated by the Huawei Symantec device, and therefore that communication between the two devices continues normally.

Root Cause

By default, the vendor PIX uses main mode as the negotiation mode and name authentication as the ID type, a combination the Huawei Symantec device does not currently support. Therefore, the communication fails.

In the future, Huawei Symantec devices will support name authentication in main mode, which will resolve the problem described in this case.
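The negotiation described in the handling process and root cause, as an added Python model (not Huawei or Cisco code): it reads the phase-1 lifetime from the PIX policy above, encodes which (mode, ID type) pairs each side accepts as a responder, and shows that phase 1 completes only when the USG rekeys first in aggressive mode with name authentication. That the PIX answers aggressive mode as a responder, and that the peer with the strictly shorter lifetime is the one that re-negotiates, are assumptions, not statements from the case.

```python
"""IKE phase-1 interop model for this case (added example, not Huawei or Cisco
code). Assumptions: a responder accepts only the (mode, ID type) pairs it is
configured for, and the peer whose phase-1 lifetime expires first rekeys."""
import re
from dataclasses import dataclass

# Phase-1 policy copied from the vendor PIX configuration in the case.
PIX_ISAKMP_POLICY = """crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
"""
USG_SUPPORTED = {("main", "ip"), ("aggressive", "name")}  # per the case

@dataclass(frozen=True)
class Phase1:
    mode: str           # exchange mode used when initiating: "main"/"aggressive"
    id_type: str        # ID type used when initiating: "ip"/"name"
    lifetime: int       # phase-1 lifetime in seconds
    accepts: frozenset  # (mode, id_type) pairs accepted as responder

def parse_pix_lifetime(policy: str) -> int:
    """Read 'lifetime <seconds>' from a 'crypto isakmp policy' block."""
    m = re.search(r"^\s*lifetime\s+(\d+)\s*$", policy, re.MULTILINE)
    if not m:
        raise ValueError("no lifetime line in policy")
    return int(m.group(1))

def usg5300(lifetime: int, mode: str, id_type: str) -> Phase1:
    """USG5300 as described: main+IP or aggressive+name only, and it accepts
    only the combination it is configured with."""
    if (mode, id_type) not in USG_SUPPORTED:
        raise ValueError(f"USG5300 does not support {mode} mode with {id_type} ID")
    return Phase1(mode, id_type, lifetime, frozenset({(mode, id_type)}))

def pix(lifetime: int) -> Phase1:
    """Vendor PIX as described: initiates main mode with name ID. That it also
    answers aggressive mode with name ID is an assumption implied by the fix."""
    return Phase1("main", "name", lifetime,
                  frozenset({("main", "name"), ("aggressive", "name")}))

def renegotiate(usg: Phase1, pix_peer: Phase1) -> tuple:
    """Return (initiator, success). The peer with the strictly shorter lifetime
    rekeys first; on a tie the PIX is assumed to win the race."""
    usg_first = usg.lifetime < pix_peer.lifetime
    init, resp, name = (usg, pix_peer, "usg") if usg_first else (pix_peer, usg, "pix")
    return name, (init.mode, init.id_type) in resp.accepts
```

Running `renegotiate(usg5300(43200, "aggressive", "name"), pix(86400))` returns `("usg", True)`, while the original main-mode/IP configuration, or an equal lifetime that lets the PIX rekey first in main mode, returns a failure.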