
Establish the IPsec VPN Between Huawei USG6600 and a Third-Party Firewall

Publication Date:  2018-06-30 Views:  2228 Downloads:  0

Issue Description

The customer wants to configure an IPsec site-to-site VPN between a Huawei USG6300 and a third-party firewall. After all required parameters were configured successfully on both ends, the tunnel did not work, and diagnosis returned an error.

Product: Huawei USG6600 V500R001C60SPC200

Third-party device: Checkpoint

Alarm Information

Handling Process

1 Compare the IKE and IPsec configuration on both devices. All of the parameters were found to be the same.

USG6600 configuration as follows:

CheckPoint Firewall configuration as follows:

Local Address:

Peer Address:

Authentication Type:Pre-Share-Key

Remote Address Pool:

Local Address Pool:


IKE Parameter:

IKE:Version V2


Integrity Hash:MD5


SA Timeout:86400


IPsec Parameter:

Encryption Mode:Tunnel

Security Protocol:ESP

ESP Encryption:3DES

ESP Authentication:MD5


SA Timeout:By time:3600 Seconds

           By Traffic:20971520 KB


2 Check the security policy and NAT policy configuration

3 Check the route table

Root Cause

The IKE version and DH group cannot be negotiated successfully with the third-party firewall.


Change the IKE version from V2 to V1 and the DH group from 14 to 2 on both firewalls.


Compatibility issues may occur when establishing an IPsec VPN with a third-party device. It is recommended to use a single algorithm, for example DES and MD5 without SHA2, and to use IKE V1.
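
The comparison in step 1 and the recommendation above can be checked mechanically instead of by eye. The following Python sketch is an added example, not Huawei or Check Point tooling; the field names, the `WEAK` table and the sample values are assumptions constructed here from the parameters listed on this page.

```python
import re

# Settings commonly treated as legacy; listed so an interop fallback stays a visible decision.
WEAK = {"dh_group": {"1", "2", "5"}, "ike_integrity": {"MD5"},
        "esp_encryption": {"DES", "3DES"}, "esp_authentication": {"MD5"}}
NUMERIC = ("ike_version", "dh_group")

def norm(field, value):
    """Fold vendor spellings together: 'V2' -> '2', 'Group 14' -> '14', '3des' -> '3DES'."""
    s = re.sub(r"[\s_\-]", "", str(value)).upper()
    return re.sub(r"\D", "", s) if field in NUMERIC else s

def diff_proposals(local, peer):
    """Return (field, local_value, peer_value) for every setting that differs or is missing."""
    out = []
    for field in sorted(set(local) | set(peer)):
        a, b = local.get(field), peer.get(field)
        if a is None or b is None or norm(field, a) != norm(field, b):
            out.append((field, a, b))
    return out

def weak_settings(cfg):
    """Fields whose normalized value appears in the WEAK table."""
    return sorted(f for f, v in cfg.items() if norm(f, v) in WEAK.get(f, ()))

def outside_page_advice(cfg):
    """Fields that depart from the page's interop advice: IKE V1 and no SHA2."""
    bad = [] if norm("ike_version", cfg.get("ike_version", "")) == "1" else ["ike_version"]
    bad += [f for f, v in cfg.items() if f not in NUMERIC and norm(f, v).startswith("SHA2")]
    return sorted(bad)

# Constructed sample: the USG already moved to IKE V1 / DH group 2, the peer still on V2 / group 14.
USG = {"ike_version": "v1", "dh_group": "group2", "ike_integrity": "md5",
       "ike_sa_timeout": "86400", "encapsulation": "tunnel", "protocol": "esp",
       "esp_encryption": "3des", "esp_authentication": "md5", "ipsec_sa_seconds": "3600"}
PEER = {"ike_version": "V2", "dh_group": "Group 14", "ike_integrity": "MD5",
        "ike_sa_timeout": "86400", "encapsulation": "Tunnel", "protocol": "ESP",
        "esp_encryption": "3DES", "esp_authentication": "MD5", "ipsec_sa_seconds": "3600"}

if __name__ == "__main__":
    for field, a, b in diff_proposals(USG, PEER):
        print(f"MISMATCH {field}: local={a!r} peer={b!r}")
    print("weak on local:", weak_settings(USG))
    print("peer outside page advice:", outside_page_advice(PEER))
```

Fill the two dictionaries from each device's displayed configuration; an empty result from `diff_proposals` means the listed fields agree after spelling differences are folded together.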