05-31-2013 07:43 AM - last edited on 06-02-2013 09:06 PM by Maiko-I
SITE TO SITE VPN Cisco - HP TMS MODULE
Hi,
Could anyone advise what I need to do to get a successful VPN connection established?
Currently I cannot even get IKE phase 1 negotiating properly between the remote Cisco box and our HP TMS Module.
Below is the configuration for the Cisco and the HP TMS module.
CISCO
hostname Router
ip domain name
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 10000
crypto isakmp key mytestkey address x.x.195.209 [TMS peer address]
crypto isakmp identity hostname
crypto ipsec transform-set ims-gprs esp-3des esp-md5-hmac
mode transport
crypto map SDM_CMAP_1 2 ipsec-isakmp
set peer x.x.195.209 [TMS peer address]
set transform-set ims-gprs
match address IMS
interface FastEthernet0/1
ip address 192.168.20.2 255.255.255.0
ip inspect SDM_LOW in
ip inspect SDM_LOW out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 172.0.0.0 255.240.0.0 192.168.20.1
ip nat pool net171 192.168.20.5 192.168.20.255 netmask 255.255.255.0
ip nat inside source list 9 pool net171
ip nat outside source static 172.31.1.102 x.x.195.215
ip access-list extended IMS
remark IMS Link
remark SDM_ACL Category=4
permit ip 192.168.20.0 0.0.0.255 host 172.31.1.102 log
access-list 9 permit 172.0.0.0 0.15.255.255
access-list 106 remark ///VPN Tunnel config///
access-list 106 permit udp host x.x.195.209 host 192.168.1.10 eq non500-isakmp
access-list 106 permit udp host x.x.195.209 host 192.168.1.10 eq isakmp
access-list 106 permit esp host x.x.195.209 host 192.168.1.10
access-list 106 permit ahp host x.x.195.209 host 192.168.1.10
TMS MODULE Configuration
ipsec ikev1 AS
type site-to-site local-gateway vlan 99 remote-gateway x.x90.244
identities local type ip-addr x.x.195.209 remote type ip-addr x.x.90.244
authentication exchange-mode main method preshared-key
security-proposal dh-group group2-1024 encryption 3des auth md5 sa-lifetime 86400
no xauth enable
TMS> show vpn-config
ipsec ikev1 ASLHoldings
type site-to-site local-gateway vlan 99 remote-gateway x.x.90.244
identities local type ip-addr x.x.195.209 remote type ip-addr x.x.90.244
authentication exchange-mode main method preshared-key
security-proposal dh-group group2-1024 encryption 3des auth md5 sa-lifetime 86400
no xauth enable
Policy Name: RFASL00001
Status: Enabled
Action: Apply
Direction: Both
Position: 1
Traffic Selector
Protocol: Any
Local Address: 172.x.x.102
Remote Address: 192.168.20.5
IPsec Proposal
Policy Name: 3DesMd5Trans
Key Management
Key Exchange Method: Auto (with IKEv1)
IKEv1 Policy: AS
PFS (Perfect Forward Secrecy) for keys: Enabled
Diffie-Hellman (DH) Group: Group 2 (1024)
SA Lifetime in Seconds: 86400
SA Lifetime in Kilobytes: 0
IP Address Pool for IRAS: Disabled
Advanced Settings
IP compression: Disabled
Anti-Replay Window Size: 32
Extended sequence number: Disabled
Re-key on sequence number overflow: Disabled
Persistent tunnel: Disabled
Fragment before IPsec: Disabled
Copy DSCP value from clear packet: Disabled
DSCP Value: 0
DF Bit Handling: Copy DF bit from clear packet.
The remote Cisco box is up and responding to pings:
tms> ping ping x.x.90.244
4 packets transmitted, 4 received, 0% packet loss,
The log on the firewall has the following output:
2013-05-31 14:18:21 info vpn_ipsecipv4 6560 x.x.90.244 0 x.x.195.209 0 UDP IPSEC: An unencrypted packet received for VPN policy with Apply action. dropping the packet
date: 2013-05-31
time: 14:18:21
msg: IPSEC: An unencrypted packet received for VPN policy with Apply action. dropping the packet
adminname:
severity: info
id: vpn_ipsecipv4
src: x.x.90.244
srcport: 0
dst: x.x.195.209
dstport: 0
proto: UDP
policyid: 75
subfamid: ipsecv4accesscontrol
mtype: ipsecv6
mid: 6560
date: 2013-05-31
time: 14:18:21
msg: TMS: allow access policy matched
severity: info
id: fw_access_control
ruleid: 209
srczone: EXTERNAL
src: x.x.90.244
srcport: 4500
dstzone: SELF
dst: x.x.195.209
dstport: 4500
proto: UDP
rcvd: 0
rcvdsc: 0
sent: 0
sentsc: 0
srcnatport: 0
destnatport: 0
destnatipaddr: 0.0.0.0
subfamid: accessallow
mtype: accesscontrol
mid: 603
srcnatipaddr: 0.0.0.0
Thanks in advance.
Any pointers as to what I may be overlooking very much appreciated.
P.S. This post has been split off from another thread and created as a new thread in Security > HP Networking - HP Forum Moderator
- Tags:
- vpn
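An added example, not part of the original post or of either vendor's tooling: a Python script that pulls the IKE phase 1 parameters out of the two configurations posted above and lists the fields whose values differ between the Cisco and TMS sides. The field names and the mapping of `pre-share` to `preshared-key` are assumptions made for the comparison, and whether a given difference stops negotiation depends on the devices.

```python
import re

# Constructed input: the IKE phase 1 lines copied from the two configs in the post.
CISCO = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp identity hostname
"""
TMS = """\
identities local type ip-addr x.x.195.209 remote type ip-addr x.x.90.244
authentication exchange-mode main method preshared-key
security-proposal dh-group group2-1024 encryption 3des auth md5 sa-lifetime 86400
"""

def parse_cisco(text):
    """Read the isakmp policy sub-commands and the identity type the router sends."""
    keys = {"encr": "encryption", "hash": "hash", "authentication": "auth_method",
            "group": "dh_group", "lifetime": "lifetime"}
    out = {}
    for line in text.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] in keys:
            out[keys[w[0]]] = w[1]
        elif len(w) == 4 and w[:3] == ["crypto", "isakmp", "identity"]:
            out["identity_type"] = w[3]
    # Assumed normalisation so both sides use the same word for pre-shared keys.
    if out.get("auth_method") == "pre-share":
        out["auth_method"] = "preshared-key"
    return out

def parse_tms(text):
    """Read the TMS ikev1 policy; identity_type is what it expects from the peer."""
    out = {}
    m = re.search(r"dh-group group(\d+)-\d+ encryption (\S+) auth (\S+) sa-lifetime (\d+)", text)
    if m:
        out.update(dh_group=m.group(1), encryption=m.group(2),
                   hash=m.group(3), lifetime=m.group(4))
    m = re.search(r"authentication exchange-mode \S+ method (\S+)", text)
    if m:
        out["auth_method"] = m.group(1)
    m = re.search(r"identities .* remote type (\S+)", text)
    if m:
        out["identity_type"] = m.group(1)
    return out

def mismatches(cisco, tms):
    """Return {field: (cisco_value, tms_value)} for every field that differs."""
    fields = sorted(set(cisco) | set(tms))
    return {f: (cisco.get(f), tms.get(f)) for f in fields if cisco.get(f) != tms.get(f)}

if __name__ == "__main__":
    for field, (c, t) in mismatches(parse_cisco(CISCO), parse_tms(TMS)).items():
        print(f"{field}: cisco={c} tms={t}")
```
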
06-03-2013 12:23 AM
Re: SITE TO SITE VPN Cisco - HP TMS MODULE
ok, thanks