Publication Date: 2019-01-22 | Views: 438 | Downloads: 0 | Document ID: EKB1100001987
Reference for IPSec interconnection between the USG2210 (115.192.185.102) and ASA5510 (125.77.254.53)
Many Huawei USG and Cisco ASA devices are interconnected on live networks. The mechanisms of the two devices are similar, but their commands differ. Note the parenthetical comments in the configurations below (shown in red in the original); they mark the settings whose defaults differ between the two vendors and must agree on both peers.
Configuration on the USG2210:
acl number 3500
rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 10.4.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
rule 15 permit ip source 10.4.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
rule 20 permit ip source 10.4.1.0 0.0.0.255 destination 10.3.0.0 0.0.255.255
ike proposal 1
encryption-algorithm 3des-cbc
dh group2 (group1 is used by default)
sa duration 28800 (for consistency; 86400 is used on the USG by default)
ike peer a
pre-shared-key Yealink!123
ike-proposal 1
undo version 2 (version 1 is recommended for interconnection with non-Huawei devices.)
remote-address 125.77.254.53
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy map1 10 isakmp
security acl 3500
pfs dh-group2 (consistent with the ASA; dh-group1 is used by the USG by default)
ike-peer a
proposal 1
nat-policy interzone trust untrust outbound (Do not perform NAT on IPSec traffic.)
policy 0
action no-nat
policy source 10.4.1.0 mask 255.255.255.0
policy destination 192.168.1.0 mask 24
interface GigabitEthernet0/0/0
ip address 115.192.185.102 255.255.255.0
ipsec policy map1 auto-neg
Configuration on the ASA5510:
crypto isakmp enable outside (Enable the ISAKMP policy on the interface.)
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2 (group 1 is used on the USG by default.)
lifetime 28800
!
crypto isakmp key Yealink!123 address 115.192.185.102 (Set a pre-shared key.)
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (similar to ipsec proposal on the USG)
!
access-list HZhuawei permit ip 192.168.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.2.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.3.0.0 255.255.0.0 10.4.1.0 255.255.255.0
!
crypto map outside_map0 30 match address HZhuawei (IPSec interested traffic)
crypto map outside_map0 30 set peer 115.192.185.102
crypto map outside_map0 30 set transform-set ESP-3DES-SHA
crypto map outside_map0 30 set security-association lifetime seconds 3600 (3600 is the default value for both the USG and ASA.)
crypto map outside_map0 30 set pfs group2 (group1 is used on the USG by default. Note that the values on the two devices must be the same.)
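For the tunnel to come up, the two configurations above have to agree on every IKE (phase 1) and IPsec (phase 2) parameter, the crypto ACLs must mirror each other exactly, and every protected flow must be exempt from outbound NAT on the USG. The following Python script is an added example, not part of the original article and not code from Huawei or Cisco: it transcribes both configurations into plain data and checks those three conditions. The dictionaries, the NORMALIZE table that maps each vendor's spelling of an algorithm onto one token, and the check functions are my own assumptions about how to represent the settings; the masks are parsed with the standard ipaddress module, which accepts both the USG's wildcard form and the ASA's netmask form.

```python
import ipaddress

# Constructed transcription of the two configurations above into plain data.
# These dictionaries are my own representation for the check, not output of
# either device.
USG2210 = {
    "ike": {"encryption": "3des-cbc", "hash": "sha1", "dh_group": "group2",
            "lifetime": 28800, "version": 1},
    "ipsec": {"encryption": "3des", "auth": "sha1", "pfs": "dh-group2",
              "lifetime": 3600},
    # acl 3500: (source, destination) in wildcard-mask form
    "acl": [("10.4.1.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
            ("10.4.1.0 0.0.0.255", "10.1.0.0 0.0.255.255"),
            ("10.4.1.0 0.0.0.255", "10.2.0.0 0.0.255.255"),
            ("10.4.1.0 0.0.0.255", "10.3.0.0 0.0.255.255")],
    # nat-policy no-nat entries: (source, destination) in netmask form
    "no_nat": [("10.4.1.0 255.255.255.0", "192.168.1.0 255.255.255.0")],
}
ASA5510 = {
    "ike": {"encryption": "3des", "hash": "sha", "dh_group": "2",
            "lifetime": 28800, "version": 1},
    "ipsec": {"encryption": "esp-3des", "auth": "esp-sha-hmac", "pfs": "group2",
              "lifetime": 3600},
    # access-list HZhuawei: (source, destination) in netmask form
    "acl": [("192.168.1.0 255.255.255.0", "10.4.1.0 255.255.255.0"),
            ("10.1.0.0 255.255.0.0", "10.4.1.0 255.255.255.0"),
            ("10.2.0.0 255.255.0.0", "10.4.1.0 255.255.255.0"),
            ("10.3.0.0 255.255.0.0", "10.4.1.0 255.255.255.0")],
}

# Assumed mapping of each vendor's keyword onto one canonical token.
NORMALIZE = {
    "3des-cbc": "3des", "esp-3des": "3des",
    "sha": "sha1", "esp-sha-hmac": "sha1",
    "group1": "1", "dh-group1": "1", "group2": "2", "dh-group2": "2",
}


def canon(value):
    key = str(value).lower()
    return NORMALIZE.get(key, key)


def to_network(text):
    """Parse 'addr mask', where mask is a wildcard (0.0.0.255) or a netmask
    (255.255.255.0). strict=False keeps a mask that leaves host bits set from
    raising; the widened network then fails the mirror comparison instead."""
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def compare_phase(name, usg, asa, keys):
    return [f"{name} {k} mismatch: USG={usg[k]} ASA={asa[k]}"
            for k in keys if canon(usg[k]) != canon(asa[k])]


def mirrored_acl(usg_acl, asa_acl):
    """Each USG (src, dst) pair must appear on the ASA as (dst, src)."""
    usg = {(to_network(s), to_network(d)) for s, d in usg_acl}
    asa = {(to_network(d), to_network(s)) for s, d in asa_acl}  # USG view
    findings = [f"USG ACL {s} -> {d} has no mirror entry on the ASA"
                for s, d in sorted(usg - asa, key=str)]
    findings += [f"ASA ACL {d} -> {s} has no mirror entry on the USG"
                 for s, d in sorted(asa - usg, key=str)]
    return findings


def nat_exempt_coverage(usg_acl, no_nat):
    """Every flow in the security ACL must be exempt from outbound NAT; a
    translated packet no longer matches the ACL and leaves the tunnel."""
    exempt = [(to_network(s), to_network(d)) for s, d in no_nat]
    findings = []
    for s, d in usg_acl:
        sn, dn = to_network(s), to_network(d)
        if not any(sn.subnet_of(es) and dn.subnet_of(ed) for es, ed in exempt):
            findings.append(f"no no-nat rule covers {sn} -> {dn}")
    return findings


def check_tunnel(usg, asa):
    findings = compare_phase("IKE", usg["ike"], asa["ike"],
                             ["encryption", "hash", "dh_group", "lifetime", "version"])
    findings += compare_phase("IPsec", usg["ipsec"], asa["ipsec"],
                              ["encryption", "auth", "pfs", "lifetime"])
    findings += mirrored_acl(usg["acl"], asa["acl"])
    findings += nat_exempt_coverage(usg["acl"], usg["no_nat"])
    return findings


if __name__ == "__main__":
    for line in check_tunnel(USG2210, ASA5510) or ["no mismatches found"]:
        print(line)
```

Run against the configurations as written, the phase 1 and phase 2 parameters and the mirrored ACLs all agree, and the only findings are the three acl 3500 destinations (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16) that the single no-nat policy does not cover; changing the ASA pfs to group1, or widening one ASA ACL mask, produces a corresponding mismatch line. subnet_of requires Python 3.7 or later.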
Run the following command on the USG. The output lists both a phase 1 (v1:1) and a phase 2 (v1:2) IKE SA with peer 125.77.254.53, which shows that the tunnel has been established.
[USG2200] dis ike sa
17:06:05 2012/02/21
current ike sa number: 5
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0x71 125.77.254.53 0 RD|ST v1:2 IPSEC
0x70 125.77.254.53 0 RD|ST v1:1 IPSEC