четверг, 18 сентября 2014 г.

Site-to-Site VPN ipsec между Cisco ASA 5505 и Huawei USG 2200

Создание туннеля site-to-site IPSec между двумя межсетевыми экранами Cisco ASA 5505 и Huawei USG 2200



ASA Version 8.4(2)
!
! review: the enable and login password hashes below are published together with this post;
! treat both as disclosed and set new ones before this configuration is reused anywhere.
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoEdbRBYKfdQlH8t encrypted
names
!
! outside: WAN side, security-level 0. 172.19.19.52 is the address the USG's "ike peer"
! points at (remote-address 172.19.19.52), i.e. the ASA's IKE/IPsec endpoint.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.19.19.52 255.255.255.0
!
! inside: LAN 10.19.1.0/24, the ASA-side tunnel subnet (object localnet below).
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.19.1.1 255.255.255.0
!
! GigabitEthernet2 and GigabitEthernet3 are unused and administratively down.
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
! localnet / usg_net are the two tunnel subnets. The crypto ACL below must be the mirror image of the
! USG's "acl number 3000" (source and destination swapped), which it is: 10.19.1.0/24 <-> 192.168.0.0/24.
object network localnet
 subnet 10.19.1.0 255.255.255.0
object network usg_net
 subnet 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip object localnet object usg_net
pager lines 24
logging enable
logging asdm informational
! the vpn class is logged to ASDM at debugging level: helpful while the tunnel is being brought up,
! noisy once it is stable — lower it afterwards.
logging class vpn asdm debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
! identity (twice) NAT: traffic between localnet and usg_net is left untranslated so it matches
! the crypto ACL and enters the tunnel.
nat (inside,outside) source static localnet localnet destination static usg_net usg_net
route outside 0.0.0.0 0.0.0.0 172.19.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! SSH logins are checked against the LOCAL user database ("username user1" further down).
! review: there is no matching "aaa authentication http console LOCAL" line, so ASDM/HTTP logins
! presumably fall back to the enable password — confirm, and add the line if LOCAL users are intended.
aaa authentication ssh console LOCAL
http server enable
! review: ASDM/HTTPS is reachable from any source address on the outside interface; restrict it to the
! management hosts, e.g. "http <MGMT-HOST-PLACEHOLDER> 255.255.255.255 outside".
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
! review: ten IKEv1 transform-sets are defined but only ESP-3DES-SHA is referenced by the crypto map;
! the unused ones (in particular the DES and MD5 variants) should be deleted rather than left available.
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! phase 2: traffic matching outside_cryptomap, peer 172.31.31.23 (the USG's Ethernet0/0/0), ESP 3DES/SHA-1 —
! the same suite as the USG's "ipsec proposal prop21713319279". No SA lifetime is set here, so ASA defaults are
! offered while the USG side configures 3600 s / 1843200 KB; verify the negotiated lifetimes on both ends.
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 172.31.31.23
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
! IKEv1 only on this end; the USG disables IKEv2 ("undo version 2") to match.
crypto ikev1 enable outside
! phase 1: PSK, 3DES, SHA-1, DH group 2, 24 h IKE SA. review: this is a legacy suite chosen to match the USG's
! "ike proposal 1"; the ASA already carries AES-256 transform-sets, so move both ends to AES / SHA-2 / a stronger
! DH group if the USG firmware supports them.
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! review: cleartext Telnet is permitted from any address on the outside interface. The ASA normally refuses
! Telnet on its lowest-security interface unless the session arrives over IPsec, but the line should be
! removed regardless — SSH v2 is already enabled below.
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
! review: SSH is open to any source on outside; restrict it to the management hosts.
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
! review: 0 disables the console idle timeout; set a finite value.
console timeout 0
! allows management sessions that arrive through the VPN to target the inside interface address.
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
! group policy for the L2L peer, pinned to IKEv1 so IKEv2 is never offered.
group-policy GroupPolicy_172.31.31.23 internal
group-policy GroupPolicy_172.31.31.23 attributes
 vpn-tunnel-protocol ikev1
! review: this password hash is published with the post; treat it as disclosed and reset it.
username user1 password aFt.o4zGLM3/WuZK encrypted
! L2L tunnel-group keyed by the USG's WAN address. The PSK (masked here) must equal the key configured
! under the USG's "ike peer ike21713319279".
tunnel-group 172.31.31.23 type ipsec-l2l
tunnel-group 172.31.31.23 general-attributes
 default-group-policy GroupPolicy_172.31.31.23
tunnel-group 172.31.31.23 ipsec-attributes
 ikev1 pre-shared-key *****
!
! default application inspection policy as shipped with the ASA; nothing tunnel-specific below.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
! Smart Call Home profile is present but inactive ("no active"), so nothing is sent to Cisco.
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
! trailer emitted by "show running-config"; the checksum is informational and will not match an edited config.
Cryptochecksum:a93428982c4fc8a65921ede3aac01dee
: end


Конфигурация Huawei USG 2200:

15:29:26  2014/07/22
#
# review: the sysname reports USG2110 while the post title says USG 2200 — confirm which model this listing is from.
sysname USG2110
#
l2tp domain suffix-separator @
#
# IKE dead-peer detection every 10 s on this end. The ASA listing shows no explicit keepalive line, so the
# ASA default applies there — confirm both ends agree on DPD behaviour.
 ike dpd interval 10
#
# default interzone policy: local<->trust both ways, local->untrust and local->dmz outbound only. Inbound
# untrust->local is not default-permitted and is governed by "policy interzone local untrust inbound" below.
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall packet-filter basic-protocol enable
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
vlan batch 1
#
 stp mode stp
#
firewall statistic system enable
#
pki certificate access-control-policy default permit
#
dns proxy enable
#
license-server domain lic.huawei.com
#
runmode firewall
#
update schedule ips daily 3:41
update schedule av daily 3:41
security server domain sec.huawei.com
#
# review: "web-manager enable" appears to turn on plain-HTTP management alongside HTTPS on 8443 — confirm,
# and keep HTTPS only.
web-manager enable
web-manager security enable port 8443
#
user-manage web-authentication security port 8888
#
l2fwdfast enable
#
# acl 3000 selects the tunnel traffic: local 192.168.0.0/24 to remote 10.19.1.0/24, the mirror image of the
# ASA's access-list outside_cryptomap.
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 10.19.1.0 0.0.0.255
#
# acl 3001 is empty and not referenced anywhere in this listing.
acl number 3001
#
# phase 1: 3DES. No authentication-algorithm is set, so the platform default applies — the ASA policy uses
# SHA-1 and DH group 2, so the default must be SHA-1 for the proposals to match; verify.
# review: "dh group2 group1" names two groups on one line — confirm this actually yields group 2 (the only
# group the ASA offers) and is not a mis-typed line.
ike proposal 1
 encryption-algorithm 3des
 dh group2 group1
#
# review: the pre-shared key is stored in the reversible "cipher" format (%$%$...%$%$, as opposed to the
# irreversible-cipher used for the admin account) and has been published with this post; treat it as disclosed
# and set a fresh key on both ends (ASA: tunnel-group 172.31.31.23 ipsec-attributes).
# "remote-id-type none" appears to skip verification of the peer's IKE identity — confirm; with the peer pinned
# by remote-address this is tolerable, but an identity check is preferable. IKEv2 is disabled to match the ASA.
ike peer ike21713319279
 exchange-mode auto
 pre-shared-key %$%$o,akP.$_);0Ofm@^SQ&EC>5,%$%$
 ike-proposal 1
 undo version 2
 remote-id-type none
 remote-address 172.19.19.52
#
# phase 2: ESP 3DES / SHA-1, identical to the ASA transform-set ESP-3DES-SHA.
ipsec proposal prop21713319279
 encapsulation-mode auto
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
# IPsec SA lifetimes 3600 s / 1843200 KB. The ASA crypto map sets no lifetime, so its defaults are offered
# instead; verify the negotiated values on both sides.
ipsec policy ipsec2171331933 1 isakmp
 security acl 3000
 ike-peer ike21713319279
 alias asa
 proposal prop21713319279
 local-address applied-interface
 sa duration traffic-based 1843200
 sa duration time-based 3600
#
# 192.168.0.1/24: gateway of the USG-side tunnel subnet (object usg_net on the ASA).
interface Vlanif1
 ip address 192.168.0.1 255.255.255.0
#
interface Cellular5/0/0
 link-protocol ppp
#
interface Cellular5/0/1
 link-protocol ppp
#
# WAN: 172.31.31.23 is the address the ASA crypto map peers with. The ipsec policy is bound here; "auto-neg"
# presumably has the USG negotiate the tunnel itself rather than waiting for interesting traffic — confirm.
interface Ethernet0/0/0
 alias WAN
 ip address 172.31.31.23 255.255.255.0
 ipsec policy ipsec2171331933 auto-neg
#
# Ethernet1/0/0-7: switched access ports, all in VLAN 1 (Vlanif1) and placed in the trust zone below.
interface Ethernet1/0/0
 portswitch
 port link-type access
#
interface Ethernet1/0/1
 portswitch
 port link-type access
#
interface Ethernet1/0/2
 portswitch
 port link-type access
#
interface Ethernet1/0/3
 portswitch
 port link-type access
#
interface Ethernet1/0/4
 portswitch
 port link-type access
#
interface Ethernet1/0/5
 portswitch
 port link-type access
#
interface Ethernet1/0/6
 portswitch
 port link-type access
#
interface Ethernet1/0/7
 portswitch
 port link-type access
#
interface Atm2/0/0
#
interface NULL0
#
# zone priorities: local 100 > trust 85 > dmz 50 > untrust 5.
firewall zone local
 set priority 100
#
# trust holds every LAN port, Vlanif1 and the wireless BSS Wlan-Bss1.
# review: Wlan-Bss1 carries the "gateway1" SSID whose service-class is declared "plain"; if that means an open,
# unencrypted SSID on this platform (confirm), wireless clients land directly in the trusted zone.
firewall zone trust
 set priority 85
 detect ftp
 detect rtsp
 detect pptp
 add interface Ethernet1/0/0
 add interface Ethernet1/0/1
 add interface Ethernet1/0/2
 add interface Ethernet1/0/3
 add interface Ethernet1/0/4
 add interface Ethernet1/0/5
 add interface Ethernet1/0/6
 add interface Ethernet1/0/7
 add interface Vlanif1
 add interface Wlan-Bss1
#
# untrust is the WAN interface only.
firewall zone untrust
 set priority 5
 detect ftp
 detect rtsp
 detect pptp
 add interface Ethernet0/0/0
#
# dmz has no interfaces assigned.
firewall zone dmz
 set priority 50
 detect ftp
 detect rtsp
 detect pptp
#
# ALG (detect) settings for ftp/pptp/rtsp on every interzone pair; no policy rules here.
firewall interzone local trust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone local untrust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone local dmz
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone trust untrust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone trust dmz
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone dmz untrust
 detect ftp
 detect pptp
 detect rtsp
#
#
# review: the admin password is stored hashed (irreversible-cipher) but user1's is in the reversible "cipher"
# format, and both strings are published with this post — treat both as disclosed and re-set them, using
# irreversible-cipher where the firmware supports it.
# admin lists the telnet service-type, yet vty 0 4 only accepts SSH inbound, so telnet appears unused — remove it.
# Both users are level 15; give the lower level to whichever account only needs the web UI.
aaa
 local-user admin password irreversible-cipher %@%@t.0tEQSe;Z#[7#P+SUh&UlcZNqaeMT!a/<SPGO)`Mj$;Lrid%@%@
 local-user admin service-type web terminal telnet
 local-user admin level 15
 local-user user1 password cipher %$%$<%J=9k93}>bZHNT&]d(2Vsja%$%$
 local-user user1 service-type web ssh
 local-user user1 level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 domain dot1x
 #
#
nqa-jitter tag-version 1

#
ip route-static 0.0.0.0 0.0.0.0 172.31.31.1
#
# SSH (stelnet) server with password authentication for user1.
# review: "ssh client first-time enable" makes the USG's own outbound SSH client accept an unknown host key on
# first connection; disable it once the host keys it needs have been stored.
stelnet server enable
ssh user user1
ssh user user1 authentication-type password
ssh user user1 service-type stelnet
ssh client first-time enable
#
banner enable
#
# review: no authentication-mode is shown for con 0 — confirm the console is not left unauthenticated.
# vty 0 4: AAA login and SSH-only inbound (telnet refused), which is the right shape.
user-interface con 0
user-interface tty 2 3
 modem both
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
slb
#
cwmp
#
right-manager server-group
#
wlan srm
 dot11a mandatory-rate 6 9 12 24
 dot11a supported-rate 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
# review: service-classes 0 and 1 (SSIDs "gateway" and "gateway1") are declared "plain"; on this platform that
# presumably means an open SSID with no encryption — confirm, and if so add WPA2 or keep the Wlan-Bss
# interfaces out of the trust zone (Wlan-Bss1 is currently a trust member).
wlan service-class 0 plain
 ssid gateway
 station max-number 124
 service-class enable
#
wlan service-class 1 plain
 ssid gateway1
 station max-number 124
 service-class enable
#
interface Wlan-Bss0
#
interface Wlan-Bss1
#
interface Wlan-rf4/0/0
 radio-type dot11gn
 channel auto
 bind service-class 0 interface wlan-bss 0
 bind service-class 1 interface wlan-bss 1
#
#
sim 1
sim 2
#
# review: policy 1 lets any untrust source reach the USG's SSH service; restrict it to the management hosts.
# policy 2 permits every service from the whole 172.19.19.0/24 (the ASA's outside subnet); narrow it to the peer
# host 172.19.19.52 and to what the tunnel needs (IKE on UDP 500, UDP 4500 if NAT-T is in play, and ESP).
policy interzone local untrust inbound
 policy 1
  action permit
  policy service service-set ssh

 policy 2
  action permit
  policy source 172.19.19.0 0.0.0.255
#
# trust<->untrust: only tunnel traffic between 10.19.1.0/24 and 192.168.0.0/24 is explicitly permitted, in
# both directions — consistent with acl 3000 and the ASA's outside_cryptomap.
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 10.19.1.0 0.0.0.255
  policy destination 192.168.0.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 192.168.0.0 0.0.0.255
  policy destination 10.19.1.0 0.0.0.255
#
return



  1. Whenever someone talks about private browsing, what may come to mind is using the in-private, incognito or private browsing setting in your browser. But private browsing is not so private, because all of your browsing history is visible to your ISP (Internet service provider) or IT administrator. top10-bestvpn
