IPsec VPN between Huawei USG in eNSP and Cisco ASA firewall in GNS3

I have tried to establish an IPsec VPN between a Huawei USG6000V and a Cisco ASA firewall in a simulation environment, as below:

    1)  Huawei USG6000V in eNSP connected to a cloud

    2)  Cisco ASA firewall in GNS3 connected to a cloud

    3)  The two firewalls connected through a tunnel interface between the two simulators.

I can establish the IPsec VPN successfully between them.

Attached are the topology and the configuration done on both sides, together with the verification and test for IPsec. You can also refer to the link below for reference:

    https://support.huawei.com/enterprise/en/doc/EDOC1000154805


USG configuration
===========
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-128
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer cisco
 undo version 2
 pre-shared-key %@%@%bo_EQ57==V+SP)(H#kY;TT4%@%@
 ike-proposal 1
 remote-address 1.1.3.2
#
ipsec policy map1 1 isakmp
 security acl 3000
 ike-peer cisco
 proposal tran1
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/0
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 1.1.3.1 255.255.255.0
 service-manage ping permit
 ipsec policy map1
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
undo ssh server compatible-ssh1x enable
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 10.1.3.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.3.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 32
  destination-address 1.1.3.2 32
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 1.1.3.2 32
  destination-address 1.1.3.1 32
  action permit


ASA Firewall
===========
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif in
 security-level 90
 ip address 10.1.3.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif out
 security-level 10
 ip address 1.1.3.2 255.255.255.0
!

access-list 10 extended permit icmp any any
access-list ipsec extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ipsec extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0

access-group 10 in interface in
access-group 10 out interface in
access-group 10 in interface out
route out 0.0.0.0 0.0.0.0 1.1.3.1 1

crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac

crypto map ipsec_map 10 match address ipsec
crypto map ipsec_map 10 set peer 1.1.3.1
crypto map ipsec_map 10 set ikev1 transform-set myset
crypto map ipsec_map interface out

crypto ikev1 enable out
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 1 type ipsec-l2l
tunnel-group 1.1.3.1 type ipsec-l2l
tunnel-group 1.1.3.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
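As an added example (not part of the post or of either vendor's tooling), the Python check below reads the IKEv1 phase 1, IPsec transform and crypto ACL lines copied from the two configurations above, maps the vendors' different spellings of the same algorithms to one canonical name, and reports every parameter on which the peers disagree. The alias table and the requirement that the ASA crypto ACL mirror the USG ACL (source and destination swapped) are assumptions of this example, not settings from the post.

```python
import ipaddress
# Map each vendor's spelling of an algorithm or DH group to one canonical name.
ALIAS = {"aes-128": "aes128", "aes": "aes128", "esp-aes": "aes128",
         "sha": "sha1", "esp-sha-hmac": "sha1", "group2": "dh2", "2": "dh2"}
# First token of an IKE policy/proposal line -> the parameter it sets.
USG_KEYS = {"encryption-algorithm": "ike_enc", "authentication-algorithm": "ike_hash",
            "dh": "ike_dh", "authentication-method": "ike_auth"}
ASA_KEYS = {"encryption": "ike_enc", "hash": "ike_hash", "group": "ike_dh",
            "authentication": "ike_auth"}

# Relevant lines copied from the two configurations in the post.
USG_CFG = """ rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
 encryption-algorithm aes-128
 dh group2
 authentication-algorithm sha1
 authentication-method pre-share"""
ASA_CFG = """access-list ipsec extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
 authentication pre-share
 encryption aes
 hash sha
 group 2"""

def canon(tok):
    return ALIAS.get(tok.lower(), tok.lower())

def net(addr, mask):
    # ipaddress accepts an ASA netmask (255.255.255.0) and a USG wildcard (0.0.0.255) alike.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg, keys):
    p = {"selectors": set()}
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["esp"]:                          # USG ipsec proposal
            p["esp_enc" if t[1].startswith("enc") else "esp_auth"] = canon(t[2])
        elif t[:3] == ["crypto", "ipsec", "ikev1"]:   # ASA transform-set
            p["esp_enc"], p["esp_auth"] = canon(t[5]), canon(t[6])
        elif t[:1] == ["rule"]:        # USG ACL: rule N permit ip source A WC destination B WC
            p["selectors"].add((net(t[5], t[6]), net(t[8], t[9])))
        elif t[:2] == ["access-list", "ipsec"]:       # ASA crypto ACL mirrors the USG's: swap
            p["selectors"].add((net(t[7], t[8]), net(t[5], t[6])))
        elif t and t[0] in keys:
            p[keys[t[0]]] = canon(t[1])
    return p

def mismatches(usg_cfg=USG_CFG, asa_cfg=ASA_CFG):
    usg, asa = parse(usg_cfg, USG_KEYS), parse(asa_cfg, ASA_KEYS)
    return sorted(k for k in usg if usg[k] != asa.get(k))  # [] when the peers agree
```

Feeding the excerpts as posted returns an empty list; changing one side's hash or one ACL mask (for example a /25 against a /24) names the disagreeing parameter, which is the kind of mismatch that otherwise surfaces only as a failed phase 1 or phase 2 negotiation.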

