https://community.hpe.com/t5/security-e-series/problem-with-ipsec-tunnel-between-cisco-and-msr930/m-p/6934687#M826 <P>Hello,</P><P>Have you managed to resolve the issue?</P><P>If so, would you please share details?</P><P>I have something kind of similar between MSR and CISCO.</P><P>I look forward to hearing from you.</P><P>Regards,</P><P>Wojtek</P> Wed, 25 Jan 2017 08:23:06 GMT VoytekG 2017-01-25T08:23:06Z https://community.hpe.com/t5/security-e-series/problem-with-ipsec-tunnel-between-cisco-and-msr930/m-p/6871123#M399 <P>Hello all,</P><P>I need some assistance with configuring VPN between Cisco ASA and HP MSR930.</P><P>The&nbsp;Cisco ASA is in control of 3rd party and I receive only limted support from thier side. They've told me that they see "qmfs errors" when trying to establish the IPSEC tunnel</P><P>This is the relevant part of the MSR configuration:</P><P>=================<BR />#<BR />&nbsp;nat address-group 1 192.168.131.1 192.168.131.1<BR />#<BR />acl number 3001<BR />&nbsp;description IPSEC<BR />&nbsp;rule 0 permit ip source 192.168.131.0 0.0.0.255 destination 192.168.100.0 0.0.0.255<BR />acl number 3003 name NAT<BR />&nbsp;description NAT<BR />&nbsp;rule 0 permit ip source 100.64.4.20 0 destination 192.168.100.0 0.0.0.255<BR />&nbsp;rule 2 deny ip<BR />#<BR />ike proposal 1<BR />&nbsp;encryption-algorithm aes-cbc 256<BR />&nbsp;dh group2<BR />&nbsp;sa duration 28800<BR />#<BR />ike peer mtel<BR />&nbsp;pre-shared-key cipher XXXXXXXXXXXXXXXXXXXX<BR />&nbsp;remote-address 172.21.32.9<BR />&nbsp;local-address 172.21.32.10<BR />#<BR />ipsec transform-set mtel<BR />&nbsp;encapsulation-mode tunnel<BR />&nbsp;transform esp<BR />&nbsp;esp authentication-algorithm sha2-256<BR />&nbsp;esp encryption-algorithm aes-cbc-256<BR />#<BR />ipsec policy mtel 1 isakmp<BR />&nbsp;connection-name bs-mtel<BR />&nbsp;security acl 3001<BR />&nbsp;pfs dh-group2<BR />&nbsp;ike-peer mtel<BR />&nbsp;transform-set mtel<BR />&nbsp;sa duration time-based 3600<BR />#<BR />interface LoopBack1<BR />&nbsp;description IPSEC IAB NW. NAT Through here.<BR />&nbsp;bandwidth 5000<BR />&nbsp;ip address 192.68.131.1 255.255.255.255<BR />#<BR />interface GigabitEthernet0/0.2766<BR />&nbsp;vlan-type dot1q vid 2766<BR />&nbsp;nat outbound 3003 address-group 1<BR />&nbsp;bandwidth 5000<BR />&nbsp;ip address 172.21.32.10 255.255.255.248<BR />&nbsp;ipsec policy mtel<BR />#<BR />&nbsp;ip route-static 192.168.100.0 255.255.255.0 GigabitEthernet0/0.2766 172.21.32.9<BR />================================</P><P>This is the debug log:</P><P>===============================</P><P><BR />*Jun 21 19:00:58:957 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp; Entering IPsec NAT bypass pross.<BR />*Jun 21 19:00:58:958 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp;ipsec nat bypass is not enable.<BR />*Jun 21 19:00:58:958 2016 MSR930-3 NAT/7/debug:<BR />(GigabitEthernet0/0.2766-out :)Pro : ICMP<BR />(&nbsp;&nbsp;&nbsp; 100.64.4.20:&nbsp;&nbsp;&nbsp; 2 - 192.168.100.150:&nbsp;&nbsp;&nbsp; 2) ------&gt;<BR />(&nbsp; 192.168.131.1:12308 - 192.168.100.150:&nbsp;&nbsp;&nbsp; 2)<BR />*Jun 21 19:00:58:959 2016 MSR930-3 IPSEC/7/DBG: IPsec_SA:ipsec acquire sa, use ike peer name: "mtel".<BR />*Jun 21 19:00:58:959 2016 MSR930-3 IPSEC/7/DBG: IPSEC_Negotiate:IPSec drop packet! Notify IKE to negotiate SA for IPsec policy: mtel-1<BR />*Jun 21 19:00:58:960 2016 MSR930-3 IKE/7/DEBUG: IKE receive acquire SA request, IKE peer name:mtel.<BR />*Jun 21 19:00:58:961 2016 MSR930-3 IKE/7/DEBUG: Connection name is 172.21.32.10,172.21.32.9,500,,0,1,1<BR />*Jun 21 19:00:58:961 2016 MSR930-3 IKE/7/DEBUG: Check connection: SA for 172.21.32.10,172.21.32.9,500,,0,1,1 missing<BR />*Jun 21 19:00:58:962 2016 MSR930-3 IKE/7/DEBUG: exchange lookup :name = 172.21.32.10,172.21.32.9,500,,0,1,1 phase = 2<BR />*Jun 21 19:00:58:962 2016 MSR930-3 IKE/7/DEBUG: exchange lookup :name = 172.21.32.10,172.21.32.9,500,,0,0,0 phase = 1<BR />*Jun 21 19:00:58:962 2016 MSR930-3 IKE/7/DEBUG: exchange setup(I): 8ffb8d0<BR />*Jun 21 19:00:58:963 2016 MSR930-3 IKE/7/DEBUG: create udp resource:name = 172.21.32.10,172.21.32.9,500,,0,0,0.<BR />*Jun 21 19:00:58:963 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required SA<BR />*Jun 21 19:00:58:963 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...<BR />*Jun 21 19:00:58:964 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp; Entering IPsec NAT bypass pross.<BR />*Jun 21 19:00:58:964 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp;ipsec nat bypass is not enable.<BR />*Jun 21 19:00:58:973 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required SA<BR />*Jun 21 19:00:58:973 2016 MSR930-3 IKE/7/DEBUG: exchange state machine: unexpected payload VENDOR<BR />*Jun 21 19:00:58:973 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 1, advancing...<BR />*Jun 21 19:00:58:974 2016 MSR930-3 IKE/7/DEBUG:<BR />IKE_DPD: send VID : afcad713 68a1f1c9 6b8696fc 77570100 (DPD)<BR />*Jun 21 19:00:58:974 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH<BR />*Jun 21 19:00:58:974 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required NONCE<BR />*Jun 21 19:00:58:975 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 2, advancing...<BR />*Jun 21 19:00:58:975 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp; Entering IPsec NAT bypass pross.<BR />*Jun 21 19:00:58:976 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp;ipsec nat bypass is not enable.<BR />*Jun 21 19:00:58:984 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH<BR />*Jun 21 19:00:58:985 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required NONCE<BR />*Jun 21 19:00:58:985 2016 MSR930-3 IKE/7/DEBUG: exchange state machine: unexpected payload VENDOR<BR />*Jun 21 19:00:58:985 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 3, advancing...<BR />*Jun 21 19:00:58:986 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required ID<BR />*Jun 21 19:00:58:986 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required AUTH<BR />*Jun 21 19:00:58:986 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 4, advancing...<BR />*Jun 21 19:00:58:987 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp; Entering IPsec NAT bypass pross.<BR />*Jun 21 19:00:58:987 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp;ipsec nat bypass is not enable.<BR />*Jun 21 19:00:58:997 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required ID<BR />*Jun 21 19:00:58:997 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required AUTH<BR />*Jun 21 19:00:58:998 2016 MSR930-3 IKE/7/DEBUG:<BR />IKE_DPD: PF_KEY notify ipsec to update dpd recv_time.<BR />*Jun 21 19:00:58:998 2016 MSR930-3 IKE/7/DEBUG: exchange setup(I): 8ffb6b0<BR />*Jun 21 19:00:58:998 2016 MSR930-3 IPSEC/7/DBG: Create temp SA(New ESP)...<BR />*Jun 21 19:00:58:999 2016 MSR930-3 IPSEC/7/DBG: Src:172.21.32.9 Dst:172.21.32.10 SPI:1970354878(0x75713abe)<BR />*Jun 21 19:00:58:999 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required HASH<BR />*Jun 21 19:00:58:999 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required SA<BR />*Jun 21 19:00:59:000 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required NONCE<BR />*Jun 21 19:00:59:000 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...<BR />*Jun 21 19:00:59:000 2016 MSR930-3 IKE/7/DEBUG: exchange release: freeing exchange 8ffb8d0<BR />*Jun 21 19:00:59:001 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp; Entering IPsec NAT bypass pross.<BR />*Jun 21 19:00:59:001 2016 MSR930-3 IPSEC/7/DBG:<BR />&nbsp;ipsec nat bypass is not enable.<BR />*Jun 21 19:00:59:004 2016 MSR930-3 IKE/7/DEBUG: exchange setup(R): 8ffc590<BR />*Jun 21 19:00:59:004 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required INFO<BR />*Jun 21 19:00:59:005 2016 MSR930-3 IKE/7/DEBUG: exchange release: freeing exchange 8ffc590<BR />*Jun 21 19:00:59:005 2016 MSR930-3 IKE/7/DEBUG: exchange setup(R): 8ffb8d0<BR />*Jun 21 19:00:59:005 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required INFO<BR />*Jun 21 19:00:59:006 2016 MSR930-3 IKE/7/DEBUG:<BR />IKE_DPD: isakmp sa name : 172.21.32.10,172.21.32.9,500,,0<BR />*Jun 21 19:00:59:006 2016 MSR930-3 IKE/7/DEBUG:<BR />IKE_DPD: PF_KEY notify ipsec to update dpd recv_time.<BR />*Jun 21 19:00:59:006 2016 MSR930-3 IKE/7/DEBUG:<BR />IKE_DPD: release ike dpd structure<BR />*Jun 21 19:00:59:007 2016 MSR930-3 IPSEC/7/DBG: IPsec_SA:Deleting IPsec SA via pfkeyv2 socket.<BR />*Jun 21 19:00:59:007 2016 MSR930-3 IPSEC/7/DBG: Deleting SA...<BR />*Jun 21 19:00:59:008 2016 MSR930-3 IPSEC/7/DBG: Src:172.21.32.9 Dst:172.21.32.10 SPI:1970354878(0x75713abe)<BR />*Jun 21 19:00:59:008 2016 MSR930-3 IPSEC/7/DBG: Done.<BR />*Jun 21 19:00:59:008 2016 MSR930-3 IPSEC/7/DBG: Putting TDB 90498d0 into trash.<BR />*Jun 21 19:00:59:009 2016 MSR930-3 IKE/7/DEBUG: exchange release: freeing exchange 8ffb6b0<BR />*Jun 21 19:00:59:009 2016 MSR930-3 IKE/7/DEBUG: exchange release: freeing exchange 8ffb8d0<BR />*Jun 21 19:00:59:828 2016 MSR930-3 IPSEC/7/DBG: Deleting Trash TDB 90498d0</P><P>===============================</P><P>Hope someone can provide assistance.</P><P>Thanks</P><P>&nbsp;</P> Tue, 21 Jun 2016 19:21:20 GMT https://community.hpe.com/t5/security-e-series/problem-with-ipsec-tunnel-between-cisco-and-msr930/m-p/6871123#M399 Nikolay_Petrov 2016-06-21T19:21:20Z https://community.hpe.com/t5/security-e-series/problem-with-ipsec-tunnel-between-cisco-and-msr930/m-p/6934687#M826 <P>Hello,</P><P>Have you managed to resolve the issue?</P><P>If so, would you please share details?</P><P>I have something kind of similar between MSR and CISCO.</P><P>I look forward to hearing from you.</P><P>Regards,</P><P>Wojtek</P> Wed, 25 Jan 2017 08:23:06 GMT https://community.hpe.com/t5/security-e-series/problem-with-ipsec-tunnel-between-cisco-and-msr930/m-p/6934687#M826 VoytekG 2017-01-25T08:23:06Z