IPsec site-to-site VPN MSR 900
01-04-2012 02:00 AM
I recently updated the router firmware to the latest version (V5.20R2207P38).
The previous version had a command at the interface level, "ipsec no-nat-process enable". The current firmware doesn't have this command and I cannot get a working configuration.
If I enable nat outbound at the interface level, no packets go into the IPsec channel; if I disable it, the IPsec channel works well but the clients cannot access the internet.
The original configuration was:
#
version 5.20, Release 2104P02
#
sysname xxxxxx
#
super password level 3 cipher zzzzzzzzzzzzzzzzzzzzzzz
#
domain default enable system
#
dns proxy enable
#
dar p2p signature-file flash:/p2p_default.mtd
#
port-security enable
#
acl number 3140
 rule 0 permit ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
 rule 1 permit ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
ike peer mlsz_center
 pre-shared-key cipher cccccccccccccccccccccccccccccccccc
 remote-address X.X.X.X
#
ipsec proposal mlsz_globall
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy mlszs2s 1 isakmp
 connection-name mlsz_center
 security acl 3140
 ike-peer mlsz_center
 proposal mlsz_globall
#
dhcp server ip-pool vlan1 extended
 network ip range 192.168.236.100 192.168.236.200
 network mask 255.255.255.0
 gateway-list 192.168.236.1
 dns-list 192.168.221.5 8.8.8.8
#
user-group system
#
local-user admin
 password cipher aaaaaaaaaaaaaaaaaaaaaaaa
 authorization-attribute level 3
 service-type telnet
#
cwmp
 undo cwmp enable
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Ethernet0/0
 port link-mode route
 nat outbound
 ip address Y.Y.Y.Y 255.255.255.252
 ipsec no-nat-process enable
 ipsec policy mlszs2s
 dns server Y.Y.Y.X
#
interface Ethernet0/1
 port link-mode route
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.236.1 255.255.255.0
 dhcp server apply ip-pool vlan1
#
interface Ethernet0/2
 port link-mode bridge
#
interface Ethernet0/3
 port link-mode bridge
#
interface Ethernet0/4
 port link-mode bridge
#
interface Ethernet0/5
 port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet0/0 Y.Y.Y.C
#
dhcp enable
#
ssh server enable
#
nms primary monitor-interface Ethernet0/0
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface tty 13
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
#
return
03-08-2012 09:43 AM
Re: IPsec site-to-site VPN MSR 900
Did you find the answer to this? I have the same problem.
03-09-2012 12:24 AM
Re: IPsec site-to-site VPN MSR 900
Not yet. I tried to solve it with HP support, without success.
03-09-2012 02:47 AM
Re: IPsec site-to-site VPN MSR 900
That's bad.
03-19-2012 12:27 AM
Re: IPsec site-to-site VPN MSR 900
...
acl number 3150
 rule 0 deny ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
 rule 1 deny ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
 rule 2 permit ip source 192.168.236.0 0.0.0.255
#
interface Ethernet0/0
 port link-mode route
 nat outbound 3150
 ip address Y.Y.Y.Y 255.255.255.252
 ipsec policy mlszs2s
 dns server Y.Y.Y.X
...
OK?
03-19-2012 02:20 AM
Re: IPsec site-to-site VPN MSR 900
I tried it, but it doesn't work. :-(
03-19-2012 08:26 PM
Re: IPsec site-to-site VPN MSR 900
...
#
ike peer mlsz_center
 pre-shared-key cipher cccccccccccccccccccccccccccccccccc
 remote-address X.X.X.X
 nat traversal
#
...
03-21-2012 07:59 AM
Re: IPsec site-to-site VPN MSR 900
By the way, the VPN connection behaves the same way in both cases.
03-22-2012 12:24 AM
Re: IPsec site-to-site VPN MSR 900
I think I found the problem. Please change your ACL to permit ip any destination (your destination) and let me know.
03-22-2012 12:27 AM
Re: IPsec site-to-site VPN MSR 900
acl number
 rule 0 permit ip source any destination 192.168.221.0 0.0.0.255
 rule 1 permit ip source any destination 10.0.0.0 0.0.0.255
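The interaction the whole thread circles around, as an added example that is not from the thread or from HP: a small Python model of the MSR egress order in which `nat outbound` is applied before the interface's IPsec policy compares the packet with its security ACL. It is run against the original configuration (with and without NAT), the `nat outbound 3150` exemption ACL suggested on 03-19-2012, and the `source any` security ACL from the last reply. The private subnets are the thread's own; the public address 203.0.113.2 is a constructed stand-in for Y.Y.Y.Y, and the wildcard-mask and first-match semantics are written out in the code rather than taken from the router. The model shows why the NAT-exemption ACL is the expected fix; it does not explain why the original poster reported that it did not work for them.

```python
"""Added example, not from the thread or from HP: a model of the MSR egress path.

On Comware, 'nat outbound' on an interface is applied before the interface's
IPsec policy compares the packet against its security ACL. The thread's symptom
(IPsec works only while NAT is off) follows from that order. The private
subnets are the thread's; 203.0.113.2 is a constructed stand-in for Y.Y.Y.Y.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.2"  # constructed stand-in for the thread's Y.Y.Y.Y


@dataclass(frozen=True)
class Rule:
    """One 'rule N permit|deny ip source A W destination B W' line; W is a wildcard mask."""
    action: str
    src: str = "any"
    src_wild: str = "255.255.255.255"
    dst: str = "any"
    dst_wild: str = "255.255.255.255"


def _addr_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if rule_addr == "any":
        return True
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First matching rule decides (config match order); None means nothing matched."""
    for rule in rules:
        if _addr_matches(src, rule.src, rule.src_wild) and _addr_matches(dst, rule.dst, rule.dst_wild):
            return rule.action
    return None


def egress(src: str, dst: str, nat_outbound: bool, nat_acl: Optional[List[Rule]],
           ipsec_acl: List[Rule]) -> Tuple[str, str]:
    """NAT first, then the IPsec policy's security ACL. Returns (path, source on the wire):
    'ipsec' = enters the tunnel, 'nat' = translated and sent in clear text,
    'clear' = neither translated nor protected."""
    wire_src, translated = src, False
    if nat_outbound:
        # Plain 'nat outbound' translates everything; 'nat outbound <acl>' translates
        # only what the ACL permits, deny or no match leaves the source untouched.
        if nat_acl is None or acl_lookup(nat_acl, src, dst) == "permit":
            wire_src, translated = PUBLIC_IP, True
    # The IPsec policy sees the packet as NAT left it.
    if acl_lookup(ipsec_acl, wire_src, dst) == "permit":
        return "ipsec", wire_src
    return ("nat" if translated else "clear"), wire_src


# Security ACL 3140 from the original post.
ACL_3140 = [
    Rule("permit", "192.168.236.0", "0.0.0.255", "192.168.221.0", "0.0.0.255"),
    Rule("permit", "192.168.236.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
]
# NAT ACL 3150 from the suggested fix: exempt VPN traffic, translate the rest.
ACL_3150 = [
    Rule("deny", "192.168.236.0", "0.0.0.255", "192.168.221.0", "0.0.0.255"),
    Rule("deny", "192.168.236.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    Rule("permit", "192.168.236.0", "0.0.0.255"),
]
# Security ACL with 'source any' from the last reply.
ACL_ANY_SRC = [
    Rule("permit", dst="192.168.221.0", dst_wild="0.0.0.255"),
    Rule("permit", dst="10.0.0.0", dst_wild="0.0.0.255"),
]

CLIENT, VPN_DST, INTERNET_DST = "192.168.236.100", "192.168.221.5", "8.8.8.8"


def scenarios() -> Dict[str, Tuple[str, str]]:
    """The configurations discussed in the thread, run against a VPN and an internet flow."""
    return {
        # Original post with plain 'nat outbound': the VPN flow is translated first,
        # no longer matches ACL 3140, and leaves unprotected.
        "orig_nat_on_vpn": egress(CLIENT, VPN_DST, True, None, ACL_3140),
        # Original post with NAT removed: the tunnel works, but internet traffic
        # leaves with a private source address and gets no answer.
        "orig_nat_off_vpn": egress(CLIENT, VPN_DST, False, None, ACL_3140),
        "orig_nat_off_inet": egress(CLIENT, INTERNET_DST, False, None, ACL_3140),
        # 'nat outbound 3150': VPN flows skip NAT, internet flows are translated.
        "fix_vpn": egress(CLIENT, VPN_DST, True, ACL_3150, ACL_3140),
        "fix_inet": egress(CLIENT, INTERNET_DST, True, ACL_3150, ACL_3140),
        # 'source any' security ACL with plain NAT: the flow enters the tunnel, but
        # already translated, so the peer sees the public address as its source.
        "any_src_vpn": egress(CLIENT, VPN_DST, True, None, ACL_ANY_SRC),
    }


if __name__ == "__main__":
    for name, (path, wire_src) in scenarios().items():
        print(f"{name:18} -> {path:5}  source on wire: {wire_src}")
```

The two things to check on a real box are the same two the model isolates: whether the NAT ACL actually exempts the VPN subnets (a `deny` or no match must precede the final `permit`), and whether the IPsec security ACL still matches the source address the packet carries after NAT. A `source any` security ACL makes the second check pass, but the tunnel then carries the translated public address, which the remote peer's mirror ACL has to accept.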