This post is about building an IPsec VPN between a Huawei USG in eNSP and a Cisco ASA firewall in GNS3. Please see the details below.
I set up an IKEv1/IPsec site-to-site VPN between a Huawei USG6000V and a Cisco ASA firewall in a simulation environment built as follows:
1. The Huawei USG6000V in eNSP is connected to an eNSP Cloud object;
2. The Cisco ASA firewall in GNS3 is connected to a GNS3 Cloud object;
3. The two Cloud objects join the two simulators, so the outside interfaces of the two firewalls (1.1.3.1 and 1.1.3.2 in the configuration below) sit on the same link.
With the configuration below, the IPsec VPN comes up successfully between them.
The topology and the configuration of both sides are attached; the tunnel was verified and tested. Note that the proposals used here (IKEv1 with a pre-shared key, AES-128, SHA-1, DH group 2) are chosen for lab interoperability; for a production tunnel, prefer at least DH group 14 and SHA-256 on both sides. For the Huawei side you can also refer to the link below:
https://support.huawei.com/enterprise/en/doc/EDOC1000154805
USG configuration
===========
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes-128
#
ike proposal 1
encryption-algorithm aes-128
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer cisco
undo version 2
pre-shared-key %@%@%bo_EQ57==V+SP)(H#kY;TT4%@%@
ike-proposal 1
remote-address 1.1.3.2
#
ipsec policy map1 1 isakmp
security acl 3000
ike-peer cisco
proposal tran1
#
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.3.1 255.255.255.0
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
#
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
undo ssh server compatible-ssh1x enable
#
#
security-policy
rule name 1
source-zone untrust
destination-zone trust
source-address 10.1.3.0 24
action permit
rule name 2
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
destination-address 10.1.3.0 24
action permit
rule name 3
source-zone local
destination-zone untrust
source-address 1.1.3.1 32
destination-address 1.1.3.2 32
action permit
rule name 4
source-zone untrust
destination-zone local
source-address 1.1.3.2 32
destination-address 1.1.3.1 32
action permit
ASA configuration
===========
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif in
security-level 90
ip address 10.1.3.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif out
security-level 10
ip address 1.1.3.2 255.255.255.0
!
access-list 10 extended permit icmp any any
access-list ipsec extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ipsec extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-group 10 in interface in
access-group 10 out interface in
access-group 10 in interface out
route out 0.0.0.0 0.0.0.0 1.1.3.1 1
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map ipsec_map 10 match address ipsec
crypto map ipsec_map 10 set peer 1.1.3.1
crypto map ipsec_map 10 set ikev1 transform-set myset
crypto map ipsec_map interface out
crypto ikev1 enable out
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 1.1.3.1 type ipsec-l2l
tunnel-group 1.1.3.1 ipsec-attributes
ikev1 pre-shared-key *****
!
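The parameters that must agree across the two vendors are easy to mis-type, and the keyword names differ (aes vs aes-128, sha vs sha1, group 2 vs group2). The script below is an added example, not code from this post or from Huawei or Cisco: it parses constructed excerpts of the two configurations above, maps the ASA keywords onto the USG names, and reports anything that would stop IKE phase 1, IPsec phase 2 or the traffic selectors from matching; it also checks that the USG security-policy admits the networks that ACL 3000 selects. Assumptions: the excerpts are trimmed to the relevant lines (one crypto ACL entry per side, since each side derives the reverse selector itself, and only the source-address of the trust-to-untrust security-policy rule), ACL wildcards are contiguous, and the USG excerpt deliberately carries a /25 source-address against the /24 crypto ACL so that the last check fires. The integrity-algorithm and prf lines of the USG ike proposal apply only to IKEv2, which "undo version 2" disables, so they are not compared.

```python
"""Cross-vendor IKEv1/IPsec parameter check for the USG <-> ASA tunnel shown above.
Added example, not code from the post or from either vendor; inputs are constructed."""
import ipaddress

# Constructed excerpt of the USG config above (only the source-address of the trust-to-untrust
# rule is kept). It deliberately uses a /25 against the /24 crypto ACL so the last check fires.
USG_CFG = """\
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal 1
 encryption-algorithm aes-128
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
security-policy
 rule name 2
  source-address 10.1.1.0 25
"""
# Constructed excerpt of the ASA config above; one crypto ACL entry is enough.
ASA_CFG = """\
access-list ipsec extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map ipsec_map 10 match address ipsec
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
"""
# ASA keywords -> the names the USG uses, so the two sides compare directly.
ASA_NAMES = {"aes": "aes-128", "aes-256": "aes-256", "sha": "sha1", "md5": "md5", "esp-aes": "aes-128",
             "esp-aes-256": "aes-256", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
KEYS = {"encryption-algorithm": "enc", "encryption": "enc", "authentication-algorithm": "hash",
        "hash": "hash", "authentication-method": "auth", "authentication": "auth",
        "dh": "group", "group": "group"}

def wild_to_net(addr, wildcard):
    """Huawei ACL inverse mask -> network (assumes a contiguous wildcard)."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_usg(cfg):
    """Phase 1/2 algorithms, (local, remote) selectors and zone-policy source networks."""
    s = {"ike": {}, "ipsec": {}, "selectors": set(), "policy_src": []}
    sec = None
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        if not line.startswith(" "):              # an unindented line opens a new section
            sec = t[0]
        elif sec == "acl" and t[2] == "permit":   # rule N permit ip source A W destination B W
            s["selectors"].add((wild_to_net(t[5], t[6]), wild_to_net(t[8], t[9])))
        elif sec == "ipsec" and t[0] == "esp":
            s["ipsec"][KEYS[t[1]]] = t[2]
        elif sec == "ike" and t[0] in KEYS:
            s["ike"][KEYS[t[0]]] = t[1]
        elif sec == "security-policy" and t[0] == "source-address":
            s["policy_src"].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
    return s

def parse_asa(cfg):
    """Same fields for the ASA; 'match address' in the crypto map picks the selector ACL."""
    s, acls, acl_name, in_policy = {"ike": {}, "ipsec": {}}, {}, None, False
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        in_policy = in_policy and line.startswith(" ")   # the policy block ends at the next top-level line
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            nets = (ipaddress.ip_network(f"{t[5]}/{t[6]}"), ipaddress.ip_network(f"{t[7]}/{t[8]}"))
            acls.setdefault(t[1], set()).add(nets)
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            s["ipsec"] = {"enc": ASA_NAMES[t[5]], "hash": ASA_NAMES[t[6]]}
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            acl_name = t[6]
        elif t[:3] == ["crypto", "ikev1", "policy"]:
            in_policy = True
        elif in_policy and t[0] in KEYS:          # 'group 2' -> 'group2', 'sha' -> 'sha1', ...
            s["ike"][KEYS[t[0]]] = ASA_NAMES.get(t[1], "group" + t[1] if t[0] == "group" else t[1])
    return {**s, "selectors": acls.get(acl_name, set())}

def compare(usg, asa):
    """Human-readable mismatches; an empty list means the two sides agree."""
    out = []
    for phase in ("ike", "ipsec"):
        for k in sorted(set(usg[phase]) | set(asa[phase])):
            if usg[phase].get(k) != asa[phase].get(k):
                out.append(f"{phase} {k}: USG={usg[phase].get(k)} ASA={asa[phase].get(k)}")
    mirrored = {(r, l) for l, r in asa["selectors"]}  # the ASA's selectors as the USG sees them
    if usg["selectors"] != mirrored:
        out.append(f"selectors differ: USG={usg['selectors']} ASA(mirrored)={mirrored}")
    for local, _ in usg["selectors"]:                 # the zone policy must admit what the ACL selects
        if not any(local.subnet_of(p) for p in usg["policy_src"]):
            out.append(f"USG security-policy source-address does not cover {local}")
    return out

if __name__ == "__main__":
    print("\n".join(compare(parse_usg(USG_CFG), parse_asa(ASA_CFG)) or ["no mismatches found"]))
```

Run it as a script to print the findings, or pass a full running-config paste from each box to parse_usg and parse_asa. With the excerpts as written the only finding is the /25 security-policy rule; changing it to a /24 leaves an empty list, and changing the ASA policy's hash from sha to md5 shows how a phase 1 mismatch is reported.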
That is what I wanted to share with you today. Thank you!