topic IPSEC Problem between MSR2003 Router and VSR1008 Router in Security e-Series https://community.hpe.com/t5/security-e-series/ipsec-problem-between-msr2003-router-and-vsr1008-router/m-p/6907463#M679 <P>Hello all,</P><P>&nbsp;</P><P>im having trouble setting up ipsec tunnel between two routers, vsr router is working behind one to one nat and&nbsp;</P><P>when i checked the ip i can reach it, so its working correctly, but its unable to establish the ipsec session</P><P>any help would be appriciated.</P><P>Regards,</P><P>Erdem</P><P>&nbsp;</P><P>MSR Configuration</P><PRE># interface GigabitEthernet2/0/1 port link-mode route ip address 91.93.188.206 255.255.255.248 ospf timer hello 2 ospf timer dead 10 ospf network-type p2mp unicast ospf timer poll 2 ospf 2 area 0.0.0.1 ipsec apply policy msr # acl advanced 3000 match-order auto rule 0 permit ip source 172.16.101.0 0.0.0.255 destination 10.142.20.0 0.0.0.255 rule 1 permit ip source 172.16.102.0 0.0.0.255 destination 10.142.20.0 0.0.0.255 # ipsec anti-replay window 1024 ipsec sa global-duration traffic-based 86400 ipsec sa idle-time 120 # ipsec transform-set msr esp encryption-algorithm 3des-cbc esp authentication-algorithm md5 # ipsec policy-template msr 1 transform-set msr security acl 3000 remote-address 88.238.51.202 ike-profile msr reverse-route dynamic reverse-route preference 10 reverse-route tag 100 # ipsec policy msr 1 isakmp template msr # ike identity address 91.93.188.206 ike nat-keepalive 5 # ike profile msr keychain msr exchange-mode aggressive local-identity address 91.93.188.206 match remote identity address 88.238.51.202 255.255.255.255 proposal 1 # ike proposal 1 encryption-algorithm 3des-cbc dh group2 authentication-algorithm md5 # ike keychain msr pre-shared-key address 88.238.51.202 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2 # ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202 #</PRE><P>VSR Configuration</P><P>&nbsp;</P><PRE>#<BR />interface GigabitEthernet1/0<BR /> port link-mode route<BR /> ip address 10.142.20.6 255.255.255.0<BR /> ospf timer hello 2<BR /> ospf timer dead 10<BR /> ospf network-type p2mp unicast<BR /> ospf dr-priority 2<BR /> ospf timer poll 2<BR /> ospf 2 area 0.0.0.1<BR /> ipsec apply policy vsr<BR />#<BR />acl advanced 3000 match-order auto<BR /> rule 0 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.101.0 0.0.0.255<BR /> rule 1 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.102.0 0.0.0.255<BR />#<BR /> ipsec anti-replay window 1024<BR /> ipsec sa global-duration traffic-based 86400<BR /> ipsec sa idle-time 120<BR />#<BR />ipsec transform-set vsr<BR /> esp encryption-algorithm 3des-cbc <BR /> esp authentication-algorithm md5 <BR />#<BR />ipsec policy-template vsr 1<BR /> transform-set vsr <BR /> security acl 3000 <BR /> remote-address 91.93.188.206<BR /> ike-profile vsr<BR /> reverse-route dynamic<BR /> reverse-route preference 10<BR /> reverse-route tag 100<BR />#<BR />ipsec policy vsr 1 isakmp template vsr<BR />#<BR /> ike identity address 88.238.51.202<BR /> ike nat-keepalive 5<BR />#<BR />ike profile vsr<BR /> keychain vsr<BR /> exchange-mode aggressive<BR /> local-identity address 88.238.51.202<BR /> match remote identity address 91.93.188.206 255.255.255.255<BR /> proposal 1 <BR />#<BR />ike proposal 1<BR /> encryption-algorithm 3des-cbc<BR /> dh group2<BR /> authentication-algorithm md5<BR />#<BR />ike keychain vsr<BR /> pre-shared-key address 91.93.188.206 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2<BR />#<BR />ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202<BR />#</PRE><P>&nbsp;</P> Thu, 13 Oct 2016 18:43:40 GMT eozturk01 2016-10-13T18:43:40Z IPSEC Problem between MSR2003 Router and VSR1008 Router https://community.hpe.com/t5/security-e-series/ipsec-problem-between-msr2003-router-and-vsr1008-router/m-p/6907463#M679 <P>Hello all,</P><P>&nbsp;</P><P>im having trouble setting up ipsec tunnel between two routers, vsr router is working behind one to one nat and&nbsp;</P><P>when i checked the ip i can reach it, so its working correctly, but its unable to establish the ipsec session</P><P>any help would be appriciated.</P><P>Regards,</P><P>Erdem</P><P>&nbsp;</P><P>MSR Configuration</P><PRE># interface GigabitEthernet2/0/1 port link-mode route ip address 91.93.188.206 255.255.255.248 ospf timer hello 2 ospf timer dead 10 ospf network-type p2mp unicast ospf timer poll 2 ospf 2 area 0.0.0.1 ipsec apply policy msr # acl advanced 3000 match-order auto rule 0 permit ip source 172.16.101.0 0.0.0.255 destination 10.142.20.0 0.0.0.255 rule 1 permit ip source 172.16.102.0 0.0.0.255 destination 10.142.20.0 0.0.0.255 # ipsec anti-replay window 1024 ipsec sa global-duration traffic-based 86400 ipsec sa idle-time 120 # ipsec transform-set msr esp encryption-algorithm 3des-cbc esp authentication-algorithm md5 # ipsec policy-template msr 1 transform-set msr security acl 3000 remote-address 88.238.51.202 ike-profile msr reverse-route dynamic reverse-route preference 10 reverse-route tag 100 # ipsec policy msr 1 isakmp template msr # ike identity address 91.93.188.206 ike nat-keepalive 5 # ike profile msr keychain msr exchange-mode aggressive local-identity address 91.93.188.206 match remote identity address 88.238.51.202 255.255.255.255 proposal 1 # ike proposal 1 encryption-algorithm 3des-cbc dh group2 authentication-algorithm md5 # ike keychain msr pre-shared-key address 88.238.51.202 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2 # ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202 #</PRE><P>VSR Configuration</P><P>&nbsp;</P><PRE>#<BR />interface GigabitEthernet1/0<BR /> port link-mode route<BR /> ip address 10.142.20.6 255.255.255.0<BR /> ospf timer hello 2<BR /> ospf timer dead 10<BR /> ospf network-type p2mp unicast<BR /> ospf dr-priority 2<BR /> ospf timer poll 2<BR /> ospf 2 area 0.0.0.1<BR /> ipsec apply policy vsr<BR />#<BR />acl advanced 3000 match-order auto<BR /> rule 0 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.101.0 0.0.0.255<BR /> rule 1 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.102.0 0.0.0.255<BR />#<BR /> ipsec anti-replay window 1024<BR /> ipsec sa global-duration traffic-based 86400<BR /> ipsec sa idle-time 120<BR />#<BR />ipsec transform-set vsr<BR /> esp encryption-algorithm 3des-cbc <BR /> esp authentication-algorithm md5 <BR />#<BR />ipsec policy-template vsr 1<BR /> transform-set vsr <BR /> security acl 3000 <BR /> remote-address 91.93.188.206<BR /> ike-profile vsr<BR /> reverse-route dynamic<BR /> reverse-route preference 10<BR /> reverse-route tag 100<BR />#<BR />ipsec policy vsr 1 isakmp template vsr<BR />#<BR /> ike identity address 88.238.51.202<BR /> ike nat-keepalive 5<BR />#<BR />ike profile vsr<BR /> keychain vsr<BR /> exchange-mode aggressive<BR /> local-identity address 88.238.51.202<BR /> match remote identity address 91.93.188.206 255.255.255.255<BR /> proposal 1 <BR />#<BR />ike proposal 1<BR /> encryption-algorithm 3des-cbc<BR /> dh group2<BR /> authentication-algorithm md5<BR />#<BR />ike keychain vsr<BR /> pre-shared-key address 91.93.188.206 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2<BR />#<BR />ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202<BR />#</PRE><P>&nbsp;</P> Thu, 13 Oct 2016 18:43:40 GMT https://community.hpe.com/t5/security-e-series/ipsec-problem-between-msr2003-router-and-vsr1008-router/m-p/6907463#M679 eozturk01 2016-10-13T18:43:40Z