Home / Notes / Huawei–Cisco IPSec Tunnel
NOTES · IPSEC / VPN INTEROP

Huawei Router to Cisco Router IPSec VPN Tunnel: Configuration and 5 Cross-Vendor Gotchas

A Huawei AR-series branch gateway building an IPSec tunnel to a Cisco router at headquarters over the public internet — the configuration steps, the data plan, and five interoperability issues that most often break traffic even after the tunnel shows “up”.

By the AtlasCommTech engineering team — 13 years of carrier & enterprise network deployments · Updated July 2026

Why This Tunnel Usually Isn't the Hard Part

I've built this exact cross-vendor pairing more than once — Huawei on one end, Cisco on the other.

Getting an IPSec tunnel to form between a Huawei router and a Cisco router is usually not the hard part — both sides will bring up phase 1 and phase 2 without much drama once the basic parameters match. What actually eats the time is what happens after the tunnel shows “up”: traffic that still won't pass, or a tunnel that works for a while and then quietly stops.

Below is the configuration this is based on — a Huawei branch gateway meeting a Cisco headquarters gateway over the public internet — plus the five interoperability issues that account for most of the “it's up but it doesn't work” tickets I've seen on this pairing.

Topology and Data Plan

One tunnel interface on each side, carrying traffic between the branch subnet and the headquarters subnet.

RouterAHuawei branch gateway RouterBCisco HQ gateway Internet 1.1.2.10 1.1.1.10 IPSec Tunnel · Tunnel0 10.2.1.2 10.2.1.1 Branch private subnet10.1.1.0/24 HQ private subnet10.1.2.0/24

Diagram labels are kept in English for engineering clarity.

Addressing

ItemRouterA — Huawei branch gatewayRouterB — Cisco HQ gateway
Public (WAN) address1.1.2.101.1.1.10
Tunnel interface address10.2.1.210.2.1.1
Private subnet gateway10.1.1.110.1.2.1

Phase 1 — IKE Negotiation Parameters

ParameterValue (this example)
IKE versionIKEv1
Negotiation modeMain mode
Authentication methodPre-shared key
Pre-shared key (this example)huawei@123the source example's key; always set a unique key of your own.
Encryption algorithmaes-cbc-128
Authentication algorithmsha1
DH groupgroup5
DPDEnabled

Phase 2 — IPSec Negotiation Parameters

ParameterValue (this example)
Security protocolESP
Encapsulation modeTunnel
Encryption algorithmaes-128
Authentication algorithmsha1
SA lifetime3600 seconds (default)
PFSDisabled

Configuration Highlights — Huawei Side

Six steps turn a plain Tunnel interface into one that is actually protected by IPSec.

  1. Configure interface IP addresses and a static route so both sides' public-network paths are reachable.
  2. Create the Tunnel interface with type IPSec, and point its source and destination at the two public IP addresses.
  3. Optional: run a dynamic routing protocol (OSPF, in this example) over the tunnel so the far-end private subnet is reachable without static routes — useful when the branch subnet is large.
  4. Define an IKE proposal and an IKE peer — the phase-1 attributes: encryption, authentication, DH group, pre-shared key and DPD.
  5. Define an IPSec proposal (ESP, tunnel mode, encryption, authentication) and an IPSec profile that references both the proposal and the IKE peer.
  6. Apply the IPSec profile to the Tunnel interface so it actually gets IPSec protection.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.2.10 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1

[RouterA] interface Tunnel0/0/0
[RouterA-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0
[RouterA-Tunnel0/0/0] tunnel-protocol ipsec
[RouterA-Tunnel0/0/0] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/0] destination 1.1.1.10
[RouterA-Tunnel0/0/0] quit

[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-cbc-128
[RouterA-ike-proposal-5] authentication-algorithm sha1
[RouterA-ike-proposal-5] dh group5
[RouterA-ike-proposal-5] authentication-method pre-share
[RouterA-ike-proposal-5] quit

[RouterA] ike peer RouterA v1
[RouterA-ike-peer-RouterA] ike-proposal 5
[RouterA-ike-peer-RouterA] pre-shared-key cipher huawei@123
[RouterA-ike-peer-RouterA] dpd type periodic
[RouterA-ike-peer-RouterA] dpd msg seq-hash-notify
[RouterA-ike-peer-RouterA] quit

[RouterA] ipsec proposal RouterA
[RouterA-ipsec-proposal-RouterA] transform esp
[RouterA-ipsec-proposal-RouterA] encapsulation-mode tunnel
[RouterA-ipsec-proposal-RouterA] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-RouterA] esp encryption-algorithm aes-128

[RouterA] ipsec profile profile1
[RouterA-ipsec-profile-profile1] ike-peer RouterA
[RouterA-ipsec-profile-profile1] proposal RouterA
[RouterA-ipsec-profile-profile1] quit

[RouterA] interface tunnel 0/0/0
[RouterA-Tunnel0/0/0] ipsec profile profile1

What This Looks Like on the Cisco Side

Same five ingredients, different command family: crypto isakmp policy takes the place of the IKE proposal, crypto ipsec transform-set the place of the IPSec proposal, and a crypto ipsec profile bound to the tunnel interface with tunnel protection ipsec profile replaces the Huawei ipsec profile step.

RouterB#configure
RouterB(config)#interface gigabitethernet 0/1
RouterB(config-if)#ip address 1.1.1.10 255.255.255.0
RouterB(config-if)#exit
RouterB(config)#interface gigabitethernet 0/2
RouterB(config-if)#ip address 10.1.2.1 255.255.255.0
RouterB(config-if)#exit
RouterB(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1

RouterB(config)#interface tunnel 0
RouterB(config-if)#ip address 10.2.1.1 255.255.255.0
RouterB(config-if)#tunnel mode ipsec ipv4
RouterB(config-if)#tunnel source gigabitethernet0/1
RouterB(config-if)#tunnel destination 1.1.2.10
RouterB(config-if)#exit

RouterB(config)#crypto isakmp policy 10
RouterB(config-isakmp)#hash sha
RouterB(config-isakmp)#encryption aes 128
RouterB(config-isakmp)#group 5
RouterB(config-isakmp)#authentication pre-share
RouterB(config-isakmp)#exit
RouterB(config)#crypto isakmp key huawei@123 address 0.0.0.0 no-xauth
RouterB(config)#crypto isakmp keepalive 10 periodic

RouterB(config)#crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
RouterB(cfg-crypto-trans)#mode tunnel
RouterB(cfg-crypto-trans)#exit

RouterB(config)#crypto ipsec profile profile1
RouterB(ipsec-profile)#set transform-set tran1
RouterB(ipsec-profile)#exit

RouterB(config)#interface tunnel 0
RouterB(config-if)#tunnel protection ipsec profile profile1
RouterB(config-if)#exit

Cisco-side syntax in this note was verified against Cisco IOS Software, C3900e-UNIVERSALK9-M, release 15.2(4)M1 — IOS-XE and ASA use related but not identical syntax.

5 Cross-Vendor Gotchas

These five account for most of the “tunnel is up, traffic isn't” and “it worked yesterday” tickets I've seen on this exact pairing.

1. DPD Packet Format Doesn't Match Between Vendors

SYMPTOMDead Peer Detection is enabled, and the tunnel behaves unpredictably instead of cleanly detecting a dead peer.

CAUSECisco's default DPD packet format is not the same as the Huawei router's default. Left on its default, the Huawei side isn't actually speaking the same DPD dialect as the Cisco side.

FIXOn the Huawei router, set the DPD message format to seq-hash-notify so it matches what the Cisco side expects.

[RouterA-ike-peer-RouterA] dpd type periodic
[RouterA-ike-peer-RouterA] dpd msg seq-hash-notify

2. Both Ends Use SHA-2 — Tunnel Builds, Traffic Doesn't Pass

SYMPTOMdisplay ike sa (or show crypto isakmp sa) shows both phase 1 and phase 2 as established, but a ping across the tunnel fails, or only part of the traffic gets through.

CAUSEWhen the Huawei router and the other vendor's device both use a SHA-2 algorithm in the IPSec security proposal, their SHA-2 encryption/decryption implementations can differ just enough that the tunnel negotiates fine but the data plane doesn't.

FIXOn the Huawei router, enable SHA-2 compatibility mode so both ends process SHA-2 the same way.

[RouterA] ipsec authentication sha2 compatible enable

3. Tunnel Source Set to a Dynamic IP Breaks on the Next Address Change

SYMPTOMThe tunnel drops with no configuration change on either side — usually right after the branch's public IP changes on a DHCP or PPPoE renewal.

CAUSEThe Tunnel interface's source was configured as a fixed IP address, but that address is dynamically assigned on the outbound interface. Once the address changes, the tunnel's configured source no longer matches reality.

FIXConfigure source as the outbound interface itself, not its current IP address, so the tunnel tracks the interface instead of a snapshot of its address.

[RouterA-Tunnel0/0/0] source gigabitethernet 1/0/0

4. IKE Version Negotiation Doesn't Go the Way You Assumed

SYMPTOMThe peer was configured expecting IKEv1 to match an older Cisco config, but negotiation behaves like IKEv2 — or the two ends fail to agree on a version at all.

CAUSEBy default, a Huawei IKE peer has both IKEv1 and IKEv2 enabled. When it initiates negotiation it uses IKEv2; when it responds, it supports both. Needing IKEv1 specifically has to be configured explicitly — it doesn't happen automatically just because the far end is older Cisco gear.

FIXDisable IKEv2 explicitly so the peer only initiates and accepts IKEv1.

[RouterA-ike-peer-RouterA] version 1
[RouterA-ike-peer-RouterA] undo version 2

5. The Command You Copied From an Old Guide Doesn't Exist Here

SYMPTOMA command from a configuration example — remote-name, local-id-type name, or a bare pre-shared-key — is rejected, or behaves differently, on the device in front of you.

CAUSEHuawei renamed several IKE peer commands across software versions. The functional behavior is the same; the keyword is not.

FIXMatch the syntax to the software version actually running before you copy a configuration line.

Older syntaxCurrent syntax (check your version)
ike peer peer-name [ v1 | v2 ]ike peer peer-name + version { 1 | 2 } (V200R008+)
remote-nameremote-id (V200R008+)
local-id-type namelocal-id-type fqdn (V200R008+)
pre-shared-key keypre-shared-key { simple | cipher } key (V200R003C00+)

Command keywords and version numbers are kept in their original form across languages for exact reference.

Related solution designs

How to Confirm It's Actually Working

“Established” in the SA table is necessary but not sufficient — check the packet counters too.

  1. On the Huawei router, run display ike sa; on the Cisco router, run show crypto isakmp sa. Both phase 1 and phase 2 security associations should show as established — Huawei marks a healthy SA RD|ST (ready, stay-alive).
  2. display ipsec sa on the Huawei router (show crypto ipsec sa on the Cisco router) confirms the same thing at the IPSec layer.
  3. From a branch host, ping a headquarters host across the tunnel, then run display ipsec statistics esp on the Huawei router. The Inpacket decap count and Outpacket encap count fields should be non-zero — that confirms traffic is actually being encrypted and decrypted, not just that the SA exists.
[RouterA] display ike sa
     Conn-ID       Peer          VPN Flag(s)          Phase
  ---------------------------------------------------------
      8        1.1.1.10        0     RD|ST         2
      6        1.1.1.10        0     RD|ST         1
  Flag Description:
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
  HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

If the tunnel won't establish at all, the first two things to check are always the same: is the underlying route to the peer's public address actually reachable, and do both ends' configurations genuinely match, parameter for parameter.

Honest Limits of This Note

Honest Limits of This Note

This note is based on one worked configuration: a Huawei router (IKEv1, main mode, pre-shared key, AES-128 / SHA-1) to a Cisco router. Vendor combinations, software versions and cipher suites multiply fast — IKEv2, aggressive mode, NAT traversal, a dynamic-IP branch, or a different peer vendor entirely (Fortinet, for instance) each shift the details. This note covers the most common combination, not all of them.

Send us your exact combination

Device models, software versions and the cipher suite you're trying to run — send it over WhatsApp and we'll help you line up the parameters on both ends.

WhatsApp an engineer →

Related Reading