H3C MSR 3016 and Cisco 5510 IPsec VPN Interconnection

Source: Internet
Author: User


Preface: this follows on from http://www.bkjia.com/net/201210/162034.html. The VPN device at a branch (a Cisco 5510) was damaged, so a spare VPN device (an H3C MSR 3016) was found as a temporary replacement; after its system was re-flashed, the IPsec VPN was set up on it. Fortunately the Cisco 5510 configuration had been backed up, and the H3C MSR 3016 was configured to match the original configuration.

This is the overall network topology. This article focuses on establishing an IPsec VPN between the H3C MSR 3016 (fixed IP) and the Cisco 5510 (dynamic IP).

First, the H3C MSR 3016 (branch headquarters) configuration, with irrelevant parts omitted. The author's annotations are kept as comment lines:

```text
version 5.20, Release 2207P02, basic
#
acl number 3000
 rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
# (traffic from the branch headquarters to the group headquarters)
#
acl number 3010 name denynat
 rule 1 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
# (the remainder of this ACL is garbled in the source)
#
acl number 3030
 rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
# (traffic from the branch headquarters to the branch sub-department)
#
ike proposal 10
# (IKE proposal with H3C defaults, used for the link to group headquarters)
#
ike proposal 20
 authentication-algorithm md5
# (IKE proposal used for the link to the sub-department's Cisco)
#
ike peer jtzongbu
# (IKE peer matching group headquarters)
 exchange-mode aggressive
 pre-shared-key cipher n3MZ9hvCSV3O1hkSNpRHtg=
 id-type name
 remote-name jtzongbu
 remote-address 202.106.0.100
 local-address 202.106.100.100
 nat traversal
#
ike peer fenbu
# (IKE peer matching the branch sub-department; Fenbu1 is the Cisco device name.
#  No remote-address is set because the Cisco 5510 has a dynamic IP address.)
 exchange-mode aggressive
 pre-shared-key simple 000000
 id-type name
 remote-name Fenbu1
 local-address 202.106.100.100
#
ipsec proposal 10
# (IPsec security proposal)
#
ipsec policy branch 10 isakmp
# (IPsec policy named "branch"; the sub-numbers here are 10 and 20)
 security acl 3000
 pfs dh-group1
 ike-peer jtzongbu
 proposal 10
#
ipsec policy branch 20 isakmp
 security acl 3030
 pfs dh-group1
 ike-peer fenbu
 proposal 10
#
interface Ethernet0/0
 port link-mode route
 description outside
 nat outbound 3010
 ip address 202.106.100.100 255.255.255.248
 ipsec policy branch
# (the policy is applied on the Internet-facing interface)
#
interface Ethernet0/1
 port link-mode route
 description inside
 ip address 192.168.100.1 255.255.255.0
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 202.106.100.101
# (default route)
```

Cisco 5510 (branch sub-department) configuration:

```text
Fenbu1# show configuration
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 202.96.128.86
! (network objects are defined once so the NAT statements below can refer to them)
object network obj-192.168.200.0
 subnet 192.168.200.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
! (ACLs)
access-list 100 extended permit ip any any
access-list 200 extended permit ip host 192.168.200.20 any
access-list 200 extended permit ip host 192.168.200.30 any
access-list 102 extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 103 extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside,any) source static obj-192.168.200.0 obj-192.168.200.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (inside,any) source static obj-192.168.200.0 obj-192.168.200.0 destination static obj-192.168.100.0 obj-192.168.100.0
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! (IPsec configuration)
crypto ipsec transform-set firstset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! (crypto map: the equivalent of the H3C ipsec policy)
crypto map mymap 2 match address 103
crypto map mymap 2 set pfs group1
crypto map mymap 2 set peer 202.106.0.100
! (sub-department to group headquarters)
crypto map mymap 2 set transform-set firstset
crypto map mymap 2 set phase1-mode aggressive group1
crypto map mymap 10 match address 102
crypto map mymap 10 set pfs group1
crypto map mymap 10 set peer 202.106.100.100
! (sub-department to branch headquarters)
crypto map mymap 10 set transform-set firstset
crypto isakmp identity address
crypto isakmp enable outside
! (IKE configuration: several policies are configured so that peers with different IKE settings can match)
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group 202.106.100.100 type ipsec-l2l
tunnel-group 202.106.100.100 ipsec-attributes
! (shared key for the branch headquarters)
 pre-shared-key *****
tunnel-group 202.106.0.100 type ipsec-l2l
tunnel-group 202.106.0.100 ipsec-attributes
! (shared key for group headquarters)
 pre-shared-key *****
```

The configuration is complete.
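Two things decide whether the branch-to-sub-department tunnel above comes up: the H3C security ACL (acl 3030) must be the exact mirror of the ASA crypto-map match ACL (access-list 102), and the H3C deny-NAT ACL (acl 3010, applied with nat outbound on Ethernet0/0) must keep the VPN flows out of NAT. The checker below is an added example written for this article, not code from the page or from either vendor; its ACL lines are constructed from the page's configs, and the trailing permit in ACL 3010 is an assumption, since the page's text for that ACL is garbled after its first rule.

```python
import ipaddress
import re

# Constructed excerpts in the style of the page's two configs (typed here, not read from devices).
H3C_SECURITY_ACLS = {
    "3000": "rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.0.0 0.0.0.255",
    "3030": "rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255",
}
# Deny-NAT ACL 3010: the deny is the page's rule 1; the trailing permit is an assumption, since a
# 'nat outbound' ACL with no permit rule would translate nothing, not even Internet traffic.
H3C_DENYNAT_3010 = [
    "rule 1 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.0.0 0.0.0.255",
    "rule 10 permit ip source 192.168.100.0 0.0.0.255",
]
ASA_CRYPTO_ACL_102 = ("access-list 102 extended permit ip "
                      "192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0")

H3C_RULE = re.compile(r"rule \d+ (permit|deny) ip source (\S+) (\S+)(?: destination (\S+) (\S+))?")

def parse_h3c_rule(rule):
    """Return (action, src_net, dst_net); a rule with no 'destination' matches any destination.
    ipaddress accepts the dotted wildcard (hostmask) that H3C ACLs use after the slash."""
    act, s, sw, d, dw = H3C_RULE.search(rule).groups()
    dst = ipaddress.ip_network(f"{d}/{dw}") if d else ipaddress.ip_network("0.0.0.0/0")
    return act, ipaddress.ip_network(f"{s}/{sw}"), dst

def parse_asa_acl(line):
    """Return (src_net, dst_net) from 'access-list N extended permit ip A MASK B MASK'."""
    s, sm, d, dm = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line).groups()
    return ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")

def selectors_mirror(h3c_rule, asa_line):
    """Phase 2 only completes when the H3C security ACL exactly mirrors the ASA crypto-map
    match ACL: H3C source == ASA destination and H3C destination == ASA source."""
    _, src, dst = parse_h3c_rule(h3c_rule)
    asa_src, asa_dst = parse_asa_acl(asa_line)
    return src == asa_dst and dst == asa_src

def flow_escapes_nat(denynat_rules, h3c_rule):
    """True if the flow of a security ACL rule is left untranslated by 'nat outbound <acl>'.
    The NAT ACL is evaluated top-down and only a matching permit triggers translation, so
    the VPN flow has to hit a deny (or no rule at all) before any permit."""
    _, src, dst = parse_h3c_rule(h3c_rule)
    for rule in denynat_rules:
        act, rs, rd = parse_h3c_rule(rule)
        if src.subnet_of(rs) and dst.subnet_of(rd):
            return act == "deny"
    return True
```

With the constructed ACL 3010, the 192.168.0.0/24 flow escapes NAT but the 192.168.200.0/24 flow is translated before encryption, which is exactly the condition under which the second tunnel's selectors never match.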
