Hello everyone,
Today I will show you how to deal with the failure to establish an IPsec VPN between a Huawei USG6600 and a third-party firewall.
Issue Description:
The customer wants to configure an IPsec site-to-site VPN between a Huawei USG6300 and a third-party firewall. After all required parameters were configured on both ends, the tunnel did not come up and errors were seen during diagnosis.
Product: Huawei USG6600 V500R001C60SPC200
Third-party device: Checkpoint
Alarm Information:

Handling Process:
1 Compare the IKE and IPsec configuration on both sides; all of the parameters were found to be the same.
USG6600 configuration as follows:


Check Point firewall configuration as follows:
Local Address: 2.2.2.2/32
Peer Address: 1.1.1.1/32
Authentication Type: Pre-Shared Key
Remote Address Pool: 10.91.0.0/16
Local Address Pool: 172.18.0.0/16
IKE Parameters:
  IKE Version: V2
  Encryption: 3DES
  Integrity Hash: MD5
  PRF: MD5
  SA Timeout: 86400
IPsec Parameters:
  Encryption Mode: Tunnel
  Security Protocol: ESP
  ESP Encryption: 3DES
  ESP Authentication: MD5
  PFS: None
  SA Timeout: By time: 3600 seconds; By traffic: 20971520 KB
2 Check the security policy and NAT policy configuration
3 Check the routing table
Root Cause:
The IKE version and DH group cannot be negotiated successfully with the third-party firewall.
Solution:
Change the IKE version from V2 to V1 and the DH group from 14 to 2 on both firewalls.
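To make step 1 of the handling process repeatable, here is a small added example (my own code, not Huawei's or Check Point's) that models IKE phase-1 proposal matching: it finds a proposal both peers accept, and otherwise names the parameters that block negotiation. The sample data is constructed: the USG side is assumed to offer IKEv2 with DH group 14, and the Check Point side IKEv2 with DH group 2 (its summary above lists no group), so it only models the DH-group part of the mismatch.

```python
from dataclasses import dataclass, fields, replace
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class IkeProposal:
    """Phase-1 (IKE SA) settings that must agree on both peers."""
    version: int       # IKE version, 1 or 2
    dh_group: int      # Diffie-Hellman group number, e.g. 2 or 14
    encryption: str    # e.g. "3des"
    integrity: str     # e.g. "md5"
    prf: str           # e.g. "md5"

def find_common_proposal(local: List[IkeProposal],
                         peer: List[IkeProposal]) -> Optional[IkeProposal]:
    """First proposal present in both lists, in local (initiator) preference
    order; None models the responder rejecting every offered proposal."""
    peer_set = set(peer)
    return next((p for p in local if p in peer_set), None)

def mismatch_report(local: List[IkeProposal],
                    peer: List[IkeProposal]) -> Dict[str, Set]:
    """Fields where no locally offered value is accepted by the peer.
    Each entry on its own is enough to make negotiation fail."""
    report: Dict[str, Set] = {}
    for f in fields(IkeProposal):
        local_vals = {getattr(p, f.name) for p in local}
        peer_vals = {getattr(p, f.name) for p in peer}
        if not local_vals & peer_vals:
            report[f.name] = local_vals
    return report

def apply_post_fix(proposals: List[IkeProposal]) -> List[IkeProposal]:
    """The change made in this post: IKE V2 -> V1 and DH group 14 -> 2."""
    return [replace(p, version=1, dh_group=2) for p in proposals]

# Constructed sample data (assumed values, not captured configurations).
USG_BEFORE = [IkeProposal(2, 14, "3des", "md5", "md5")]
CHECKPOINT_BEFORE = [IkeProposal(2, 2, "3des", "md5", "md5")]

if __name__ == "__main__":
    print("before:", find_common_proposal(USG_BEFORE, CHECKPOINT_BEFORE),
          mismatch_report(USG_BEFORE, CHECKPOINT_BEFORE))
    # The fix must be applied on both sides; changing only the USG leaves a
    # version mismatch with the peer.
    print("usg only:", mismatch_report(apply_post_fix(USG_BEFORE), CHECKPOINT_BEFORE))
    print("both:", find_common_proposal(apply_post_fix(USG_BEFORE),
                                        apply_post_fix(CHECKPOINT_BEFORE)))
```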

Suggestions:
There may be compatibility issues when establishing an IPsec VPN with a third-party firewall. It is recommended to use a single algorithm, for example DES or MD5 without SHA2, and IKE V1.
That is all I want to share with you! Thank you!

