
Re: Site to Site connection MS Azure using Comware Router based

HPLeersum
Occasional Advisor

Site to Site connection MS Azure using Comware Router based

Hi all,

I'm trying to connect a Comware v7 device to MS-Azure using the router-based Site to Site VPN solution, based on the Cisco ASR example configuration supplied by Microsoft.

The Ikev2 SA shows connectivity has been established:

 Tunnel ID   Local                       Remote                      Status
  ---------------------------------------------------------------------------
  835         213.125.252.xx/500          52.166.94.xx/500            EST

I have created the config but I get errors on the Ikev2 ST:

 No proposal chosen: 1151

When inspecting the logfiles I see three errors:

GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  Construct CERTREQ payload failed.

Some time later:

GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  match proposal failed.
GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  Failed to parse payloads about Child SA.

And then this:

GobyRouter954 IKEV2/7/FSM: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  (Tunnel ID 241): Deleting negotiation context.

As far as I can see the config is exactly the same as the one for the Cisco.

I can't find these errors in the HP documentation and I'm kind of stuck. Can anybody give me a clue where I must look to solve this?

Help is much appreciated.
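A small triage script for the log lines quoted above, added here as an example and not part of the original post: it parses both Comware log shapes (the timestamped IKE/7 lines and the untimestamped IKEV2/7 lines) into fields, groups the events per src/dst pair and maps each message to the IKEv2 negotiation stage it belongs to. The sample input is a constructed copy of the lines in the post with the poster's masked addresses; the stage names follow RFC 7296 and the hints are the editor's reading of the messages, not text from HPE documentation.

```python
"""Triage Comware v7 IKE/IKEv2 debug output: parse each line into fields and map
known error messages to the negotiation stage they belong to (added example)."""
import re
from collections import defaultdict

# Constructed sample: the same lines quoted in the post, with the poster's masked addresses.
SAMPLE_LOG = """\
*Jan 31 17:46:19:847 2018 GobyRouter954 IKE/7/EVENT: vrf = 0, local = 213.125.252.xx, remote = 52.166.94.xx/500 Begin Main mode exchange.
*Jan 31 17:46:19:848 2018 GobyRouter954 IKE/7/ERROR: vrf = 0, local = 213.125.252.xx, remote = 52.166.94.xx/500 Failed to negotiate IKE SA.
GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  Construct CERTREQ payload failed.
GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  match proposal failed.
GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  Failed to parse payloads about Child SA.
GobyRouter954 IKEV2/7/FSM: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  (Tunnel ID 241): Deleting negotiation context.
"""

# Matches both shapes seen in the post: an optional leading "*<timestamp>", then
# host, MODULE/severity/KIND, and either "src=/dst =" (IKEV2) or "local =/remote =" (IKE).
LINE_RE = re.compile(
    r"^(?:\*(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) )?"
    r"(?P<host>\S+) "
    r"(?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<kind>[A-Z]+): "
    r"vrf = (?P<vrf>\d+), "
    r"(?:src|local) ?= ?(?P<src>[^,]+), "
    r"(?:dst|remote) ?= ?(?P<dst>\S+) +"
    r"(?P<msg>.+?)\s*$"
)

# Message fragment -> (negotiation stage, what to check). Stage names follow RFC 7296:
# IKE_SA_INIT negotiates the IKE SA, IKE_AUTH authenticates and creates the first Child SA.
TRIAGE_RULES = [
    ("Begin Main mode exchange", "IKEv1",
     "Main mode is an IKEv1 exchange, so this attempt is not running IKEv2; check which IKE profile the IPsec policy references"),
    ("Failed to negotiate IKE SA", "IKE_SA_INIT",
     "IKE SA proposal rejected; compare encryption, integrity, PRF and DH group with the peer"),
    ("Construct CERTREQ payload failed", "IKE_AUTH",
     "certificate request payload could not be built; review the authentication method and trust settings in the IKEv2 profile"),
    ("match proposal failed", "CHILD_SA",
     "no common IPsec (Child SA) proposal; compare the ESP transform set and PFS group with the peer"),
    ("Failed to parse payloads about Child SA", "CHILD_SA",
     "Child SA payload rejected, usually a consequence of the proposal mismatch just before it"),
    ("Deleting negotiation context", "TEARDOWN",
     "negotiation aborted; the preceding ERROR lines for this src/dst explain why"),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not an IKE/IKEv2 line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def classify(event):
    """Return (stage, hint) for an event, or ("OTHER", "") when no rule matches."""
    for fragment, stage, hint in TRIAGE_RULES:
        if fragment in event["msg"]:
            return stage, hint
    return "OTHER", ""


def triage(text):
    """Group events per (src, dst) pair and report error count, stages reached and findings."""
    report = defaultdict(lambda: {"errors": 0, "stages": [], "findings": []})
    for ev in parse_log(text):
        key = (ev["src"], ev["dst"].split("/")[0])  # drop the UDP port suffix on dst
        stage, hint = classify(ev)
        entry = report[key]
        if ev["kind"] == "ERROR":
            entry["errors"] += 1
        if stage != "OTHER" and stage not in entry["stages"]:
            entry["stages"].append(stage)
        if hint:
            entry["findings"].append(f"{ev['module']}/{ev['kind']} [{stage}] {ev['msg']} -> {hint}")
    return dict(report)


if __name__ == "__main__":
    for (src, dst), entry in triage(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {entry['errors']} errors, stages {entry['stages']}")
        for finding in entry["findings"]:
            print("  " + finding)
```

Run against a real debug capture (`triage(open("ikev2.log").read())`), the stage list tells you how far the exchange got before the context was deleted, which is the first thing to know before comparing proposals with the peer.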

HPLeersum
Occasional Advisor
Solution

Re: Site to Site connection MS Azure using Comware Router based

Hi there again,

After investigating the log file very closely I saw that the Comware v7 implementation of Ikev2 is not complete. In the logfile I noticed the following:

*Jan 31 17:46:19:847 2018 GobyRouter954 IKE/7/EVENT: vrf = 0, local = 213.125.252.xx, remote = 52.166.94.xx/500 Begin Main mode exchange.
*Jan 31 17:46:19:848 2018 GobyRouter954 IKE/7/ERROR: vrf = 0, local = 213.125.252.xx, remote = 52.166.94.xx/500 Failed to negotiate IKE SA.
*Jan 31 17:46:19:853 2018 GobyRouter954 IPSEC/7/EVENT: Sent delete SA message to all nodes, message type is 0x16.

This is exactly where it goes wrong. Within the ipsec command in Comware it is not possible to add an Ikev2 profile. You can only add an Ike profile, and MS Azure needs an Ikev2 profile to succeed in the negotiations to create the SA.

So now I investigated the policy-based option in another thread.

If anybody has a better idea please let me know.

Michael Peus
Occasional Contributor

Re: Site to Site connection MS Azure using Comware Router based

Hi,

We've managed to get a (sort of) route-based connection using the following config. We're using VSR-based routers (Comware7). Unfortunately there are no IPsec tunnel interfaces available, so the traffic that should be encrypted needs to match an ACL. From time to time the tunnel breaks and even a "reset ipsec sa" and/or "reset ikev2 sa fast" does not help, so the whole instance needs to be rebooted. But apart from this issue it's running stable in between.

BR,

Michael

------------------------------------------------------------------------------------------
ipsec transform-set ts1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1 md5 aes-xcbc-mac
#
ipsec policy ipsec-azure 10 isakmp
 transform-set ts1
 security acl 3333
 local-address <Local-Public-IP>
 remote-address <Azure-GW-IP>
 ikev2-profile ikev2-profile-azure
 sa duration time-based 3600
#
 ipsec policy ipsec-azure local-address GigabitEthernet1/0
#
ikev2 keychain azure_keychain
 peer azure-westeurope
  address <Azure-GW-IP> 255.255.255.255
  pre-shared-key ciphertext <ciphertext>
#
ikev2 profile ikev2-profile-azure
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain azure_keychain
 sa duration 28800
 dpd interval 60 on-demand
 identity local address <Local-Public-IP>
 config-exchange set send
 config-exchange set accept
 match remote identity address <Azure-GW-IP> 255.255.255.255
#
ikev2 proposal azure_prop
 encryption aes-cbc-256
 integrity sha1
 dh group2
 prf sha1 sha256 md5 aes-xcbc-mac
#
ikev2 policy ike-azure
 proposal azure_prop
 match local address <Local-Public-IP>
#

bgp <Local-AS-Number>
 router-id <Loopback-IP>
 peer <Azure-GW-internal-IP> as-number <Remote-AS>
 peer <Azure-GW-internal-IP> ebgp-max-hop 2
 peer <Azure-GW-internal-IP> source-address <Loopback-IP>
 #
 address-family ipv4 unicast
  import-route static
  peer <Azure-GW-internal-IP> enable
#

acl advanced 3333
 description IPsec ACL
 rule 5 permit ip source <Loopback-IP> 0 destination <Azure-GW-internal-IP> 0
 rule 10 permit ip destination <your-Azure-Prefix> <your-Prefix-Wildcard>
 rule 50 deny ip
#

interface GigabitEthernet1/0
 port link-mode route
 ip address <Local-Public-IP> <Mask>
 tcp mss 1350
 ipsec apply policy ipsec-azure
 ipsec df-bit clear
#
--------------------------------------------------------------------------------------------------
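To see why a responder answers "No proposal chosen", here is an added example (editor's code, not the poster's) that parses the `ikev2 proposal` and `ipsec transform-set` blocks from the config above into per-transform-type sets and applies the RFC 7296 selection rule to an initiator's offer: every required transform type needs at least one algorithm in common, otherwise the whole proposal is rejected. The peer offers are constructed for the demonstration, written in Comware's algorithm names; they are assumptions, not Azure's actual proposal list.

```python
"""Check an IKEv2 proposal / IPsec transform-set from a Comware config against a peer's
offer the way an RFC 7296 responder does: one common transform per required type,
or the whole proposal fails with NO_PROPOSAL_CHOSEN (added example)."""

# The ikev2 proposal and transform-set blocks from the config above, verbatim.
CONFIG = """\
ipsec transform-set ts1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1 md5 aes-xcbc-mac
#
ikev2 proposal azure_prop
 encryption aes-cbc-256
 integrity sha1
 dh group2
 prf sha1 sha256 md5 aes-xcbc-mac
#
"""

# Transform types a responder must agree on for each kind of SA. AEAD ciphers, which
# drop the integrity requirement, are not used in this config and are not handled here.
REQUIRED = {
    "ikev2 proposal": ("encryption", "prf", "integrity", "dh"),
    "ipsec transform-set": ("encryption", "integrity"),
}

# Constructed peer offers (assumptions for the demo, not Azure's real list); each type is
# listed in the peer's preference order. PEER_BAD_DH only offers a DH group the config lacks,
# PEER_ESP_BAD only offers an ESP integrity algorithm the transform-set does not list.
PEER_OK = {"encryption": ["aes-cbc-256", "aes-cbc-128"], "integrity": ["sha256", "sha1"],
           "prf": ["sha256", "sha1"], "dh": ["group2"]}
PEER_BAD_DH = {"encryption": ["aes-cbc-256"], "integrity": ["sha1"], "prf": ["sha1"], "dh": ["group14"]}
PEER_ESP_BAD = {"encryption": ["aes-cbc-256"], "integrity": ["sha256"]}


def parse_config(text):
    """Collect 'ikev2 proposal' and 'ipsec transform-set' blocks into {kind: {name: {type: set}}}."""
    blocks = {kind: {} for kind in REQUIRED}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # block header, '#' separator or unrelated command
            current = None
            for kind in blocks:
                if line.startswith(kind + " "):
                    current = blocks[kind].setdefault(line[len(kind) + 1:].strip(), {})
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "esp":                  # transform-set syntax: esp <what>-algorithm <algs...>
            ttype = {"encryption-algorithm": "encryption",
                     "authentication-algorithm": "integrity"}[tokens[1]]
            values = tokens[2:]
        else:                                   # ikev2 proposal syntax: encryption|integrity|dh|prf <algs...>
            ttype, values = tokens[0], tokens[1:]
        current.setdefault(ttype, set()).update(values)
    return blocks


def negotiate(local, offer, required):
    """For each required type pick the peer's first preference that we also support.
    Returns (chosen, missing); a non-empty 'missing' means NO_PROPOSAL_CHOSEN."""
    chosen, missing = {}, []
    for ttype in required:
        ours = local.get(ttype, set())
        pick = next((alg for alg in offer.get(ttype, []) if alg in ours), None)
        if pick is None:
            missing.append(ttype)
        else:
            chosen[ttype] = pick
    return chosen, missing


def check(config_text, kind, name, offer):
    """Return (status, chosen, missing) for the named proposal or transform-set against an offer."""
    local = parse_config(config_text)[kind][name]
    chosen, missing = negotiate(local, offer, REQUIRED[kind])
    return ("OK" if not missing else "NO_PROPOSAL_CHOSEN"), chosen, missing


if __name__ == "__main__":
    for kind, name, offer in [("ikev2 proposal", "azure_prop", PEER_OK),
                              ("ikev2 proposal", "azure_prop", PEER_BAD_DH),
                              ("ipsec transform-set", "ts1", PEER_ESP_BAD)]:
        status, chosen, missing = check(CONFIG, kind, name, offer)
        print(f"{kind} {name}: {status} chosen={chosen} missing={missing}")
```

The `missing` list is the useful output: it names the transform type (DH group, PRF, ESP integrity, and so on) on which the two sides have no overlap, which is exactly what a bare "No proposal chosen" or "match proposal failed" message hides.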