Reference for IPSec Interconnection Between the USG2210 and ASA5510

Publication Date: 2019-01-22

Issue Description

Reference for IPSec interconnection between the USG2210 ( and ASA5510 (

Many Huawei USG and Cisco ASA devices are interconnected on live networks. The mechanisms of the devices are similar, but their commands are different. Note the following information in red:

Alarm Information


Handling Process

Configuration on the USG2210:

acl number 3500
rule 5 permit ip source destination
rule 10 permit ip source destination
rule 15 permit ip source destination
rule 20 permit ip source destination
ike proposal 1
encryption-algorithm 3des-cbc
dh group2 (group1 is used by default)
sa duration 28800 (for consistency; 86400 is used on the USG by default)

ike peer a
pre-shared-key Yealink!123
ike-proposal 1
undo version 2 (version1 is recommended for interconnection with non-Huawei devices.)

ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des

ipsec policy map1 10 isakmp
security acl 3500
pfs dh-group2 (consistent with the ASA; dh-group1 is used by the USG by default)
ike-peer a
proposal 1

nat-policy interzone trust untrust outbound (Do not perform NAT on IPSec traffic)
policy 0
action no-nat
policy source mask
policy destination mask 24

ip address
ipsec policy map1 auto-neg

Configuration on the ASA5510:

crypto isakmp enable outside (Enable the ISAKMP policy on the interface.)
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2 (group 1 is used on the USG by default.)
lifetime 28800
crypto isakmp key Yealink!123 address (Set a pre-shared key.)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (similar to ipsec proposal on the USG)
access-list HZhuawei permit ip
access-list HZhuawei permit ip
access-list HZhuawei permit ip
access-list HZhuawei permit ip
crypto map outside_map0 30 match address HZhuawei (IPSec interested traffic)
crypto map outside_map0 30 set peer
crypto map outside_map0 30 set transform-set ESP-3DES-SHA
crypto map outside_map0 30 set security-association lifetime seconds 3600 (3600 is the default value for both the USG and ASA.)
crypto map outside_map0 30 set pfs group2 (group1 is used on the USG by default. Note that the values on the two devices must be the same.)

Run the following command on the USG. The command output shows that the tunnel has been established.
[USG2200] dis ike sa
17:06:05 2012/02/21
current ike sa number: 5
connection-id peer vpn flag phase doi
0x71 0 RD|ST v1:2 IPSEC
0x70 0 RD|ST v1:1 IPSEC
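
The tunnel only comes up when the IKE and IPSec parameters match on both devices, and the USG defaults noted above differ from the values configured on the ASA. The following added example (not part of the original article, and not Huawei or Cisco code) parses the two command listings and reports every parameter that differs. The function names and the sample strings are assumptions; the USG defaults are the ones stated in the annotations above, and addresses and the pre-shared key are left out of the samples.

```python
import re

# USG values in effect when a line is omitted, as stated in the article's notes.
USG_DEFAULTS = {"ike_dh": "1", "ike_lifetime": "86400", "pfs": "1", "ipsec_lifetime": "3600"}
USG_PATTERNS = {
    "ike_enc": r"encryption-algorithm (\w+?)(?:-cbc)?$",
    "ike_dh": r"dh group(\d+)$",
    "ike_lifetime": r"sa duration (\d+)$",
    "esp_auth": r"esp authentication-algorithm (\w+)$",
    "esp_enc": r"esp encryption-algorithm (\w+)$",
    "pfs": r"pfs dh-group(\d+)$",
}
ASA_PATTERNS = {
    "ike_enc": r"encryption (\w+)$",
    "ike_dh": r"group (\d+)$",
    "ike_lifetime": r"lifetime (\d+)$",
    "esp_enc": r"crypto ipsec transform-set \S+ esp-(\w+) esp-\w+-hmac$",
    "esp_auth": r"crypto ipsec transform-set \S+ esp-\w+ esp-(\w+)-hmac$",
    "pfs": r"crypto map \S+ \d+ set pfs group(\d+)$",
    "ipsec_lifetime": r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)$",
}
ALIASES = {"sha": "sha1"}  # the ASA writes SHA-1 as "sha", the USG as "sha1"

def parse(text, patterns, defaults=None):
    """Return the tunnel parameters found in one device's configuration text."""
    found = dict(defaults or {})
    for raw in text.splitlines():
        line = re.sub(r"\s*\(.*$", "", raw).strip()  # drop inline "(...)" notes
        for key, pattern in patterns.items():
            m = re.match(pattern, line)  # anchored at the start of the line
            if m:
                found[key] = ALIASES.get(m.group(1), m.group(1))
    return found

def mismatches(usg_text, asa_text):
    """Map each differing parameter to its (USG value, ASA value) pair."""
    usg = parse(usg_text, USG_PATTERNS, USG_DEFAULTS)
    asa = parse(asa_text, ASA_PATTERNS)  # no ASA defaults assumed: a missing line shows as None
    keys = sorted(set(usg) | set(asa))
    return {k: (usg.get(k), asa.get(k)) for k in keys if usg.get(k) != asa.get(k)}

# Sample input constructed from the two listings above (addresses and key omitted).
USG_CFG = ("encryption-algorithm 3des-cbc\ndh group2 (group1 is used by default)\n"
           "sa duration 28800\nesp authentication-algorithm sha1\n"
           "esp encryption-algorithm 3des\npfs dh-group2\n")
ASA_CFG = ("encryption 3des\ngroup 2\nlifetime 28800\ncrypto map outside_map0 30 set pfs group2\n"
           "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac\n"
           "crypto map outside_map0 30 set security-association lifetime seconds 3600\n")
print(mismatches(USG_CFG, ASA_CFG))
```

Removing the `dh group2`, `sa duration` and `pfs dh-group2` lines from the USG text makes the checker fall back to the USG defaults and report those three parameters as mismatched against the ASA.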

Root Cause