Huawei USG and Cisco ASA IPsec IKEv2 interconnection configuration
USG:
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
ike peer 1
pre-shared-key freeit123
ike-proposal 1
remote-address 100.1.1.2
#
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy l2l 10 isakmp
security acl 3000
ike-peer 1
proposal 1
interface GigabitEthernet0/0/1
ip address 100.1.1.1 255.255.255.0
ipsec policy l2l
#
interface GigabitEthernet0/0/2
ip address 10.1.1.1 255.255.255.0
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
policy interzone trust untrust inbound
policy 0
action permit
policy source 172.16.1.0 mask 24
policy destination 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
policy 0
action permit
policy source 10.1.1.0 mask 24
[FW]dis ike sa
13:55:38 2014/07/07
current ike sa number: 2
--------------------------------------------------------------------
conn-id peer flag phase vpn
--------------------------------------------------------------------
40002 100.1.1.2 RD|ST v2:2 public
125 100.1.1.2 RD|ST v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
[FW]dis ipsec sa
13:55:53 2014/07/07
===============================
Interface: GigabitEthernet0/0/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "l2l"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40002
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 9m 37s
tunnel local : 100.1.1.1 tunnel remote: 100.1.1.2
flow source: 10.1.1.0-10.1.1.255 0-65535 0
flow destination: 172.16.1.0-172.16.1.255 0-65535 0
[inbound ESP SAs]
spi: 416647248 (0x18d58850)
vpn: public said: 2 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
[FW]display ipsec statistics
13:56:12 2014/07/07
the security packet statistics:
input/output security packets: 8/8
input/output security bytes: 480/480
input/output dropped security packets: 0/0
the encrypt packet statistics
send sae:8, recv sae:8, send err:0
local cpu:8, other cpu:0, recv other cpu:0
intact packet:10, first slice:0, after slice:0
the decrypt packet statistics
send sae:8, recv sae:8, send err:0
local cpu:8, other cpu:0, recv other cpu:0
reass first slice:0, after slice:0, len err:0
ASA:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 100.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.255.0
!
access-list L2L extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal L2L
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map L2L 10 match address L2L
crypto map L2L 10 set peer 100.1.1.1
crypto map L2L 10 set ikev2 ipsec-proposal L2L
crypto map L2L interface outside
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
crypto ikev2 enable outside
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key freeit123
ikev2 local-authentication pre-shared-key freeit123
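Both sides above negotiate 3DES-CBC, SHA-1 and DH group 2 (confirmed by the `Encr: 3DES, Hash: SHA96, DH Grp:2` line in `show crypto ikev2 sa` and the `ESP-ENCRYPT-3DES ESP-AUTH-SHA1` line in `display ipsec sa`), which is enough to prove the interconnection works but is not what should be left in production. The following is an added example, not part of the original post: the same IKE and IPsec proposals on each side, with the weak algorithms replaced by AES-256, HMAC-SHA2-256 and DH group 14. The Huawei command names (`integrity-algorithm`, `prf`, `dh group14`, `sha2-256`) are assumed from the USG6000 V1 / USG V3 syntax and should be verified against the release in use; the ASA commands are standard IKEv2 syntax. Everything else (ACLs, peers, crypto map, tunnel-group) stays as in the original configuration.

```text
# --- Huawei USG side (replaces "ike proposal 1" and "ipsec proposal 1" above) ---
ike proposal 1
 encryption-algorithm aes-256
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 dh group14
#
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
! --- Cisco ASA side (replaces "crypto ikev2 policy 10" and ipsec-proposal L2L above) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
!
crypto ipsec ikev2 ipsec-proposal L2L
 protocol esp encryption aes-256
 protocol esp integrity sha-256
```

After changing the proposals, clear the existing SAs on both sides and re-run `display ike sa` / `show crypto ikev2 sa`; the IKE SA line should now report AES-256, SHA256 and DH group 14, and `display ipsec sa` should show `ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256` (exact strings vary by release). Every parameter must match exactly on both ends, otherwise IKE_SA_INIT fails with a NO_PROPOSAL_CHOSEN notification. The pre-shared key `freeit123` used on the page is a lab value; a production tunnel should use a long random PSK, or certificate authentication, on both `ike peer` and `tunnel-group`.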
ciscoasa(config)# show crypto ikev2 sa
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
5884085 100.1.1.2/500 100.1.1.1/500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/15 sec
Child sa: local selector 172.16.1.0/0 - 172.16.1.255/65535
remote selector 10.1.1.0/0 - 10.1.1.255/65535
ESP spi in/out: 0xce6c4720/0x18d58850
ciscoasa(config)# show crypto ipsec sa
interface: outside
Crypto map tag: L2L, seq num: 10, local addr: 100.1.1.2
access-list L2L extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 100.1.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 100.1.1.2/500, remote crypto endpt.: 100.1.1.1/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 18D58850