
USG3000 and ROS IPsec interconnection

Publication Date:  2012-11-08  |   Views:  1165  |   Downloads:  0  |   Author:  SU1001429751  |   Document ID:  EKB1000019201


Issue Description

A USG3000 and a ROS device need to establish an IPsec interconnection. ROS is a software router.

The USG device is configured to match the settings shown in the ROS screen capture.

Alarm Information


Handling Process

ROS configuration

USG3000 configuration
ike proposal 1                  (uses the default configuration, the same as ROS)
ike proposal 2
authentication-algorithm md5    (uses MD5, the same as ROS)

ike peer xianghe
exchange-mode aggressive           (both ends use aggressive mode)
pre-shared-key asdf5566
ike-proposal 2

ipsec policy 2 25 isakmp
security acl 3017
ike-peer xianghe                      
proposal 1

acl number 3017
description for_xianghe
rule 15 permit ip source destination        (the interesting traffic; the ROS side is configured as the mirror of this rule)

acl number 3001   
description for_nat
rule 0 deny ip source destination                 (the NAT ACL denies the traffic that goes into IPsec; ROS does not have this problem)
rule 5 permit ip source
firewall interzone trust untrust
nat outbound 3001 interface GigabitEthernet0/0
interface GigabitEthernet0/0
mtu 1400
description to_wan_chengdu_wuhan
ip address
undo ip fast-forwarding qff      (the fast-forwarding function must be disabled on the USG3000)
ipsec policy 2
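
The NAT exemption above (rule 0 of ACL 3001 denying the flow that ACL 3017 protects) is the step most easily lost when the ACLs are edited later. The following check is an added example, not part of the original case or of any Huawei tool: it parses a configuration in the shape shown above and reports IPsec rules whose traffic would be translated by NAT before it can match the IPsec policy. The addresses are constructed placeholders, and the script assumes contiguous wildcard masks and rule evaluation in ascending rule-id order.

```python
import ipaddress
import re

# Constructed sample in the shape of the USG3000 config above; addresses are placeholders.
SAMPLE = """\
acl number 3017
 rule 15 permit ip source 192.0.2.0 0.0.0.255 destination 198.51.100.0 0.0.0.255
acl number 3001
 rule 0 deny ip source 192.0.2.0 0.0.0.255 destination 198.51.100.0 0.0.0.255
 rule 5 permit ip source 192.0.2.0 0.0.0.255
ipsec policy 2 25 isakmp
 security acl 3017
firewall interzone trust untrust
 nat outbound 3001 interface GigabitEthernet0/0
"""
RULE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+)(?: destination (\S+) (\S+))?")

def net(addr, wildcard):
    """Turn an address and wildcard mask into a network; a missing pair means any."""
    if addr is None:
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(cfg):
    """Map each ACL number to its (rule id, action, source, destination) rules."""
    acls, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"acl number (\d+)", line):
            cur = acls.setdefault(m.group(1), [])
        elif (m := RULE.match(line)) and cur is not None:
            rid, action, s, sw, d, dw = m.groups()
            cur.append((int(rid), action, net(s, sw), net(d, dw)))
        elif not line.startswith("description"):
            cur = None  # any other command ends the current ACL view
    return acls

def unexempted_flows(cfg):
    """Return ids of IPsec permit rules that the NAT ACL does not deny first."""
    acls = parse_acls(cfg)
    sec = acls[re.search(r"security acl (\d+)", cfg).group(1)]
    nat = sorted(acls[re.search(r"nat outbound (\d+)", cfg).group(1)], key=lambda r: r[0])
    bad = []
    for rid, action, src, dst in sec:
        # Assumption: the NAT ACL is evaluated in ascending rule-id order, first match wins.
        hit = next((r for r in nat if src.overlaps(r[2]) and dst.overlaps(r[3])), None)
        if action == "permit" and hit and not (
                hit[1] == "deny" and src.subnet_of(hit[2]) and dst.subnet_of(hit[3])):
            bad.append(rid)
    return bad
```

An empty list from `unexempted_flows` means every protected flow is denied in the NAT ACL before any overlapping permit rule; a returned rule id points at the entry of the IPsec ACL that would be NATed instead.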

Root Cause



Although setting up an IPsec interconnection with a ROS device is easy, it is seldom encountered and engineers may not be familiar with ROS devices, so this case can be used as a reference.