
USG3000 and ROS IPsec interconnection

Publication Date:  2012-11-08  |   Views:  1165  |   Downloads:  0  |   Author:  SU1001429751  |   Document ID:  EKB1000019201

Contents

Issue Description

A USG3000 and a ROS device are interconnected over IPsec. ROS is a software router.

Configure the USG device according to the ROS screen capture.

Alarm Information

none

Handling Process

ROS configuration




USG3000 configuration
ike proposal 1                  (use the default configuration, the same as ROS)
ike proposal 2
authentication-algorithm md5    (use MD5, the same as ROS)

ike peer xianghe
exchange-mode aggressive           (both ends use aggressive mode)
pre-shared-key asdf5566
ike-proposal 2
remote-address 59.108.34.19

ipsec policy 2 25 isakmp
security acl 3017
ike-peer xianghe                      
proposal 1

acl number 3017
description for_xianghe
rule 15 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.0 0.0.0.255        (the interesting traffic; the ROS side is the mirror image)

acl number 3001   
description for_nat
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255                 (exclude the IPsec traffic from NAT; ROS does not have this problem)
rule 5 permit ip source 192.168.0.0 0.0.255.255
firewall interzone trust untrust
nat outbound 3001 interface GigabitEthernet0/0
interface GigabitEthernet0/0
mtu 1400
description to_wan_chengdu_wuhan
ip address 59.108.109.82 255.255.255.240
undo ip fast-forwarding qff      (fast forwarding must be disabled on the USG3000)
ipsec policy 2

Root Cause

none

Suggestions

Setting up IPsec interconnection with a ROS device is easy, but it is seldom encountered and engineers are often unfamiliar with ROS devices, so refer to this case when needed.