Site to Site connection MS Azure using Comware Router based
01-29-2018 11:04 PM
Hi all,
I'm trying to connect a Comware v7 device to MS-Azure using the router based Site to Site VPN solution based on the Cisco ASR example configuration supplied by Microsoft.
The Ikev2 SA shows connectivity has been established:
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
835 213.125.252.xx/500 52.166.94.xx/500 EST
I have created the config but I get errors on the Ikev2 ST :
No proposal chosen: 1151
When inspecting the logfiles I see three errors:
GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500 Construct CERTREQ payload failed.
Some time later:
GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500 match proposal failed.
GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500 Failed to parse payloads about Child SA.
And then this:
GobyRouter954 IKEV2/7/FSM: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500 (Tunnel ID 241): Deleting negotiation context.
As far as I can see the config is exactly the same as the one for the Cisco.
I can't find these errors in the HP documentation and I'm kind of stuck. Can anybody give me a clue where I must look to solve this?
Help is much appreciated.
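Background for the symptom in the post above, with an added example that is not from the original thread, from HPE or from Microsoft. In IKEv2 (RFC 7296) the first Child SA is proposed inside the IKE_AUTH exchange, so a responder can complete the IKE SA (the EST state in the display) and still answer NO_PROPOSAL_CHOSEN for the ESP proposal; that is exactly the combination reported here: an established IKEv2 SA, then "match proposal failed" and "Failed to parse payloads about Child SA". The Python below models the responder's selection rule from RFC 7296 section 3.3: walk the initiator's proposals in order and accept the first one that offers at least one acceptable transform of every required type, picking one transform per type, and treat combined-mode ciphers (AES-GCM) as needing no separate integrity transform. All transform sets are constructed placeholders: the initiator offer mirrors an AES-CBC-256 / SHA1 / DH group 2 style proposal, and the responder policy is a plausible gateway policy, not the Azure gateway's published defaults, which must be checked against current Microsoft documentation.

```python
"""IKEv2 proposal selection (RFC 7296 section 3.3) modelled in Python.

Added example for this thread; not Comware or Azure code.  The transform
sets are constructed: the initiator side mirrors an AES-CBC-256 / SHA1 /
DH group 2 / PRF SHA1 proposal, the responder side is a plausible gateway
policy, not Microsoft's documented defaults.
"""
from typing import Dict, List, Optional, Set, Tuple

# Transform types from RFC 7296 section 3.3.2.
ENCR, PRF, INTEG, DH = "ENCR", "PRF", "INTEG", "D-H"

Proposal = Dict[str, List[str]]   # transform type -> offered transforms, in order
Policy = Dict[str, Set[str]]      # transform type -> transforms the responder accepts

# Combined-mode ciphers provide integrity themselves; a proposal that pairs
# them with an INTEG transform is invalid, every other cipher needs one.
COMBINED_MODE = {"AES_GCM_16_128", "AES_GCM_16_256"}

IKE_REQUIRED: Tuple[str, ...] = (ENCR, PRF, DH)   # INTEG is checked separately
ESP_REQUIRED: Tuple[str, ...] = (ENCR,)           # D-H only appears when PFS is used


def select(proposals: List[Proposal], policy: Policy,
           required: Tuple[str, ...]) -> Optional[Dict[str, str]]:
    """Responder-side choice: the first proposal with an acceptable transform
    of every required type wins; None stands for NO_PROPOSAL_CHOSEN."""
    for prop in proposals:
        chosen: Dict[str, str] = {}
        for ttype, offered in prop.items():
            acceptable = [t for t in offered if t in policy.get(ttype, set())]
            if acceptable:
                chosen[ttype] = acceptable[0]
        if any(ttype not in chosen for ttype in required):
            continue
        # combined-mode cipher <=> no INTEG transform may be selected
        if (chosen[ENCR] in COMBINED_MODE) == (INTEG in chosen):
            continue
        return chosen
    return None


# Constructed initiator offer in the style of the thread's ikev2 proposal.
COMWARE_IKE: List[Proposal] = [{
    ENCR: ["AES_CBC_256"],
    INTEG: ["HMAC_SHA1_96"],
    PRF: ["HMAC_SHA1", "HMAC_SHA2_256"],
    DH: ["MODP_1024"],            # DH group 2
}]

# Constructed responder policy (assumption: NOT Azure's documented defaults).
GATEWAY_IKE: Policy = {
    ENCR: {"AES_CBC_256", "AES_CBC_128"},
    INTEG: {"HMAC_SHA1_96", "HMAC_SHA2_256_128"},
    PRF: {"HMAC_SHA1", "HMAC_SHA2_256"},
    DH: {"MODP_1024", "MODP_2048"},
}


def negotiate_ike(proposals: List[Proposal] = COMWARE_IKE,
                  policy: Policy = GATEWAY_IKE) -> Optional[Dict[str, str]]:
    return select(proposals, policy, IKE_REQUIRED)


def negotiate_child(proposals: List[Proposal], policy: Policy) -> Optional[Dict[str, str]]:
    return select(proposals, policy, ESP_REQUIRED)


if __name__ == "__main__":
    print("IKE SA:", negotiate_ike())
    # Child SA offered with MD5 integrity only, peer accepts SHA1 only:
    # NO_PROPOSAL_CHOSEN while the IKE SA above stays established.
    print("Child SA:", negotiate_child(
        [{ENCR: ["AES_CBC_256"], INTEG: ["HMAC_MD5_96"]}],
        {ENCR: {"AES_CBC_256"}, INTEG: {"HMAC_SHA1_96"}}))
```

Running the block prints the chosen IKE transforms and then None for the Child SA, the same "No proposal chosen" outcome the post shows. To reproduce a real mismatch, replace the constructed sets with the local `display ikev2 proposal` and transform-set output and with the peer's accepted algorithms; the check that usually finds the culprit is the ESP side (encryption, integrity, PFS group), since the IKE SA reaching EST already proves the IKE proposal matched.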
02-01-2018 01:15 PM
Hi there again,
After investigating the log file very closely I saw that the Comware v7 implementation of IKEv2 is not complete. In the log file I noticed the following:
*Jan 31 17:46:19:847 2018 GobyRouter954 IKE/7/EVENT: vrf = 0, local = 213.125.252.xx, remote = 52.166.94.xx/500 Begin Main mode exchange.
*Jan 31 17:46:19:848 2018 GobyRouter954 IKE/7/ERROR: vrf = 0, local = 213.125.252.xx, remote = 52.166.94.xx/500 Failed to negotiate IKE SA.
*Jan 31 17:46:19:853 2018 GobyRouter954 IPSEC/7/EVENT: Sent delete SA message to all nodes, message type is 0x16.
This is exactly where it goes wrong. Within the ipsec command in Comware it is not possible to add an IKEv2 profile. You can only add an IKE profile, and MS Azure needs an IKEv2 profile to succeed in the negotiations to create the SA.
So now I investigated the policy-based option in another thread.
If anybody has a better idea please let me know.
04-10-2018 01:04 AM
Re: Site to Site connection MS Azure using Comware Router based
Hi,
we've managed to get a (sort of) route-based connection using the following config. We're using VSR based routers (Comware7). Unfortunately there are no IPsec tunnel interfaces available, so the traffic that should be encrypted needs to match an ACL. From time to time the tunnel breaks and even a "reset ipsec sa" and/or "reset ikev2 sa fast" does not help, so the whole instance needs to be rebooted. But apart from this issue it's running stably in between.
BR,
Michael
------------------------------------------------------------------------------------------
ipsec transform-set ts1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1 md5 aes-xcbc-mac
#
ipsec policy ipsec-azure 10 isakmp
 transform-set ts1
 security acl 3333
 local-address <Local-Public-IP>
 remote-address <Azure-GW-IP>
 ikev2-profile ikev2-profile-azure
 sa duration time-based 3600
#
ipsec policy ipsec-azure local-address GigabitEthernet1/0
#
ikev2 keychain azure_keychain
 peer azure-westeurope
  address <Azure-GW-IP> 255.255.255.255
  pre-shared-key ciphertext <ciphertext>
#
ikev2 profile ikev2-profile-azure
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain azure_keychain
 sa duration 28800
 dpd interval 60 on-demand
 identity local address <Local-Public-IP>
 config-exchange set send
 config-exchange set accept
 match remote identity address <Azure-GW-IP> 255.255.255.255
#
ikev2 proposal azure_prop
 encryption aes-cbc-256
 integrity sha1
 dh group2
 prf sha1 sha256 md5 aes-xcbc-mac
#
ikev2 policy ike-azure
 proposal azure_prop
 match local address <Local-Public-IP>
#
bgp <Local-AS-Number>
 router-id <Loopback-IP>
 peer <Azure-GW-internal-IP> as-number <Remote-AS>
 peer <Azure-GW-internal-IP> ebgp-max-hop 2
 peer <Azure-GW-internal-IP> source-address <Loopback-IP>
 #
 address-family ipv4 unicast
  import-route static
  peer <Azure-GW-internal-IP> enable
#
acl advanced 3333
 description IPsec ACL
 rule 5 permit ip source <Loopback-IP> 0 destination <Azure-GW-internal-IP> 0
 rule 10 permit ip destination <your-Azure-Prefix> <your-Prefix-Wildcard>
 rule 50 deny ip
#
interface GigabitEthernet1/0
 port link-mode route
 ip address <Local-Public-IP> <Mask>
 tcp mss 1350
 ipsec apply policy ipsec-azure
 ipsec df-bit clear
#
--------------------------------------------------------------------------------------------------