华为USG与思科ASA ipsec ikev2 对接配置

 

USG:

#
# Huawei USG side of the IKEv2 site-to-site tunnel to the ASA at 100.1.1.2.
# Interesting traffic: local 10.1.1.0/24 <-> remote 172.16.1.0/24 (mirror of ASA access-list L2L).
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
# IKE SA proposal. 3DES-CBC and DH group 2 (1024-bit MODP) are legacy choices kept here
# to match the ASA "crypto ikev2 policy 10"; both are considered weak by current standards,
# so move both ends to AES and DH group 14 or stronger together once the peers support it.
# No authentication-algorithm is given, so the platform default applies -- verify it matches
# the ASA "integrity sha" setting.
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
#
# Peer definition. The PSK is in cleartext and must be identical on the ASA; a short
# dictionary-style key like this one should be replaced by a long random secret before use.
# No IKE version is given here, so the negotiated version depends on the platform default;
# the "dis ike sa" output further down this page shows v2 SAs.
ike peer 1
pre-shared-key freeit123
ike-proposal 1
remote-address 100.1.1.2
#
# Child (IPsec) SA proposal: ESP with SHA-1 integrity and 3DES encryption, matching the
# ASA "ipsec-proposal L2L". Same legacy-algorithm caveat as the IKE proposal above.
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
# ISAKMP-mode policy tying ACL 3000, peer 1 and proposal 1 together.
# No PFS command appears in this policy, so child SA keys are derived from the IKE SA only.
ipsec policy l2l 10 isakmp
security acl 3000
ike-peer 1                               
proposal 1

# Tunnel endpoint: the policy is applied on the outside (untrust) interface.
interface GigabitEthernet0/0/1
ip address 100.1.1.1 255.255.255.0
ipsec policy l2l
#
interface GigabitEthernet0/0/2
ip address 10.1.1.1 255.255.255.0


firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
# Default route points at the ASA's outside address (the only next hop in this lab).
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2

# Local-zone defaults. Permitting local<->untrust inbound unconditionally lets any host on
# the untrust side reach the firewall itself; in production narrow this to IKE (UDP 500/4500)
# and ESP from the peer 100.1.1.2 rather than permitting everything.
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#

# Interzone policy for decrypted tunnel traffic: remote 172.16.1.0/24 -> local 10.1.1.0/24.
policy interzone trust untrust inbound
policy 0
  action permit
  policy source 172.16.1.0 mask 24
  policy destination 10.1.1.0 mask 24
#
# This outbound rule has no destination, so it permits 10.1.1.0/24 to any untrust
# destination, not only the tunnel subnet; add "policy destination 172.16.1.0 mask 24"
# if only tunnel traffic should be allowed out.
policy interzone trust untrust outbound
policy 0
  action permit
  policy source 10.1.1.0 mask 24


[FW]dis ike sa
13:55:38  2014/07/07
current ike sa number: 2
--------------------------------------------------------------------
conn-id    peer                    flag          phase ***
--------------------------------------------------------------------
40002      100.1.1.2               RD|ST         v2:2  public
125        100.1.1.2               RD|ST         v2:1  public


  flag meaning
  RD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADING
  TO--TIMEOUT  TD--DELETING   NEG--NEGOTIATING  D--DPD

[FW]dis ipsec sa
13:55:53  2014/07/07
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "l2l"
  sequence number: 10
  mode: isakmp
  ***: public
  -----------------------------
    connection id: 40002
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 9m 37s
    tunnel local : 100.1.1.1    tunnel remote: 100.1.1.2
    flow      source: 10.1.1.0-10.1.1.255 0-65535 0
    flow destination: 172.16.1.0-172.16.1.255 0-65535 0


    [inbound ESP SAs] 
      spi: 416647248 (0x18d58850)
      ***: public  said: 2  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1

[FW]display ipsec statistics 
13:56:12  2014/07/07
  the security packet statistics:
    input/output security packets: 8/8
    input/output security bytes: 480/480

    input/output dropped security packets: 0/0
    the encrypt packet statistics
      send sae:8, recv sae:8, send err:0
      local cpu:8, other cpu:0, recv other cpu:0
      intact packet:10, first slice:0, after slice:0
    the decrypt packet statistics
      send sae:8, recv sae:8, send err:0
      local cpu:8, other cpu:0, recv other cpu:0
      reass  first slice:0, after slice:0, len err:0


ASA:

! Cisco ASA side of the IKEv2 site-to-site tunnel to the USG at 100.1.1.1.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 100.1.1.2 255.255.255.0 
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.255.0 
!
! Interesting traffic: local 172.16.1.0/24 <-> remote 10.1.1.0/24 (mirror of USG ACL 3000).
! If NAT is configured on this ASA (none is shown here), the tunnel subnets also need an
! identity / NAT-exempt rule, otherwise post-NAT packets will never match this crypto ACL.
! Note that decrypted tunnel traffic bypasses interface ACLs by default
! (sysopt connection permit-vpn); disable that and add an explicit ACL if per-flow
! filtering of inbound tunnel traffic is required.
access-list L2L extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 
! Child SA proposal: ESP 3DES / SHA-1, matching USG "ipsec proposal 1". Legacy algorithms;
! prefer AES-GCM, or AES-CBC with SHA-256, on both ends once the peers support it.
crypto ipsec ikev2 ipsec-proposal L2L
protocol esp encryption 3des
protocol esp integrity sha-1

! Crypto map: traffic matching ACL L2L goes to peer 100.1.1.1 using proposal L2L.
! No PFS is set on this map entry (the USG policy above has none either).
crypto map L2L 10 match address L2L
crypto map L2L 10 set peer 100.1.1.1 
crypto map L2L 10 set ikev2 ipsec-proposal L2L
crypto map L2L interface outside

! IKEv2 SA policy: 3DES, SHA-1 integrity and PRF, DH group 2 (1024-bit MODP). Weak by
! current standards and kept here only to match USG "ike proposal 1"; move both ends to
! AES / SHA-256 / DH group 14 or stronger at the same time.
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
crypto ikev2 enable outside
! L2L tunnel group keyed by the peer address. Both PSKs are the same cleartext value as on
! the USG; replace "freeit123" with a long random secret before deployment.
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key freeit123
ikev2 local-authentication pre-shared-key freeit123



ciscoasa(config)# show crypto ikev2 sa

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
  5884085         100.1.1.2/500         100.1.1.1/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/15 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 10.1.1.0/0 - 10.1.1.255/65535
          ESP spi in/out: 0xce6c4720/0x18d58850  

ciscoasa(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: L2L, seq num: 10, local addr: 100.1.1.2

      access-list L2L extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

      current_peer: 100.1.1.1


      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 100.1.1.2/500, remote crypto endpt.: 100.1.1.1/500
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 18D58850