Configuration of the security association on the USG firewalls

Create an IPSec SA in IKE negotiation mode.
1. Traffic between network A and network B must be encrypted and carried in an IPSec tunnel established between USG_A and USG_B. The internal network segment of network A is 10.1.1.0/24, and the public IP address of USG_A is 202.38.163.1/24. The internal network segment of network B is 10.1.2.0/24, and the public IP address of USG_B is 202.38.169.1/24.
Network A---USG_A----INTERNET----USG_B---Network B
2. The configuration procedure is as follows:
[USG_A] acl 3000 //Configure ACL rules used to match the sensitive traffic.
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure the route.
[USG_A] ipsec proposal tran1 //Configure the IPSec security proposal.
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10 //Configure the IKE security proposal.
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b //Configure the IKE peer.
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp //Configure IPSec security policies.
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policies to the interface.

[USG_B] acl 3000 //Configure ACL rules used to match the sensitive traffic.
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure the route.
[USG_B] ipsec proposal tran1 //Configure the IPSec security proposal.
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10 //Configure the IKE security proposal.
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a //Configure the IKE peer.
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp //Configure IPSec security policies.
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policies to the interface.
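A defender-side consistency check for the two configurations above, written here as an added Python example (it is not Huawei tooling and not part of this page): it parses both peers' command lines, confirms that the security ACLs mirror each other, that each remote-address is the other side's public IP, and that the proposals and pre-shared key match, and it flags the weak settings this example uses (SHA-1 and the five-character key). The 16-character key minimum is an assumed local policy threshold, and the embedded configs are constructed excerpts of the page's own commands.

```python
import re
# Constructed excerpts of this page's two peer configs (prompts and // comments kept; the parser strips them).
USG_A = """\
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
"""
USG_B = """\
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-peer-a] remote-address 202.38.163.1 //Configure the IKE peer.
[USG_B-ike-peer-a] pre-shared-key abcde
"""
def parse_peer(cfg):
    """Pull out the fields that must agree (or mirror) between two IPsec peers."""
    p = {"acl": [], "proposal": set(), "psk": None, "remote": None}
    for raw in cfg.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw).split("//")[0].strip()  # drop prompt and comment
        if m := re.match(r"rule permit ip source (\S+) \S+ destination (\S+)", line):
            p["acl"].append((m[1], m[2]))        # (source net, destination net)
        elif line.startswith(("esp ", "authentication-algorithm", "integrity-algorithm")):
            p["proposal"].add(line)              # algorithm lines must match exactly on both ends
        elif line.startswith("pre-shared-key "):
            p["psk"] = line.split()[1]
        elif line.startswith("remote-address "):
            p["remote"] = line.split()[1]
    return p

def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Findings for one peer pair; an empty list means consistent and no weak settings."""
    a, b, out = parse_peer(cfg_a), parse_peer(cfg_b), []
    if (a["remote"], b["remote"]) != (ip_b, ip_a):
        out.append("remote-address does not point at the peer's public IP")
    if a["psk"] != b["psk"]:
        out.append("pre-shared keys differ")
    if a["proposal"] != b["proposal"]:
        out.append("proposals differ: " + ", ".join(sorted(a["proposal"] ^ b["proposal"])))
    if sorted(a["acl"]) != sorted((d, s) for s, d in b["acl"]):
        out.append("security ACLs are not mirror images of each other")
    for side, p in (("A", a), ("B", b)):
        if p["psk"] and len(p["psk"]) < 16:  # 16 is an assumed local policy minimum
            out.append(f"{side}: pre-shared key shorter than 16 characters")
        if any("sha1" in x for x in p["proposal"]):
            out.append(f"{side}: SHA-1 negotiated; prefer SHA-2 where both ends support it")
    return out
```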
