Reference for IPSec Interconnection Between the USG2210 and ASA5510

Reference for IPSec interconnection between the USG2210 (115.192.185.102) and ASA5510 (125.77.254.53)

Many Huawei USG and Cisco ASA devices are interconnected on live networks. The mechanisms of the devices are similar, but their commands are different. Note the following information in red:

None

Configuration on the USG2210:

acl number 3500
rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 10.4.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
rule 15 permit ip source 10.4.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
rule 20 permit ip source 10.4.1.0 0.0.0.255 destination 10.3.0.0 0.0.255.255
ike proposal 1
encryption-algorithm 3des-cbc
dh group2 (group1 is used by default)
sa duration 28800 (for consistency; 86400 is used on the USG by default)


ike peer a
pre-shared-key Yealink!123
ike-proposal 1
undo version 2 (version1 is recommended for interconnection with non-Huawei devices.)
remote-address 125.77.254.53


ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des


ipsec policy map1 10 isakmp
security acl 3500
pfs dh-group2 (consistent with the ASA; dh-group1 is used by the USG by default)
ike-peer a
proposal 1

nat-policy interzone trust untrust outbound (Do not perform NAT on IPSec traffic)
policy 0
action no-nat
policy source 10.4.1.0 mask 255.255.255.0
policy destination 192.168.1.0 mask 24

GigabitEthernet0/0/0
ip address 115.192.185.102 255.255.255.0
ipsec policy map1 auto-neg

Configuration on the ASA5510:



crypto isakmp enable outside (Enable the ISAKMP policy on the interface.)
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2 (group 1 is used on the USG by default.)
lifetime 28800
!
crypto isakmp key Yealink!123 address 115.192.185.102 (Set a pre-shared key.)
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac (similar to ipsec proposal on the USG)
!
access-list HZhuawei permit ip 192.168.1.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.2.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.3.0.0 255.255.0.0 10.4.1.0 255.255.255.0
!
crypto map outside_map0 30 match address HZhuawei (IPSec interested traffic)
crypto map outside_map0 30 set peer 115.192.185.102
crypto map outside_map0 30 set transform-set ESP-3DES-SHA
crypto map outside_map0 30 set security-association lifetime seconds 3600
(3600 is the default value for both the USG and ASA.)
crypto map outside_map0 30 set pfs group2 (group1 is used on the USG by default. Note that the values on the two devices must be the same.)

。
Run the following command on the USG. The command output shows that the tunnel has been established.
[USG2200] dis ike sa
17:06:05 2012/02/21
current ike sa number: 5
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0x71 125.77.254.53 0 RD|ST v1:2 IPSEC
0x70 125.77.254.53 0 RD|ST v1:1 IPSEC

None