HPE Community
Comware Based
1753477 Members
4797 Online
108794 Solutions
New Discussion юеВ

Re: configure ipsec vpn cisco881 and msr2003 not work (

 
alexkg1
Occasional Advisor

тАО08-07-2019 01:39 AM - edited тАО08-07-2019 04:22 AM

тАО08-07-2019 01:39 AM - edited тАО08-07-2019 04:22 AM

configure ipsec vpn cisco881 and msr2003 not work (

Cannot configure ipsec vpn between cisco881 and msr2003
I ask for help

Phase 1 works, and then no:

cisco800#sh crypto isakmp sa 
IPv4 Crypto ISAKMP SA 
dst             src             state          conn-id status 
213.213.213.213 212.212.212.212   QM_IDLE           2001 ACTIVE 

shema:
host192.168.5.111 <--> 192.168.5.1(cisco881)212.212.212.212 <--> 213.213.213.213(msr2003)192.168.0.1 <--> host 192.168.0.28

map:

Phase 1

Authentication Method PSK
Encryption Scheme IKE
Diffie-Hellman Group Group 2
Encryption Algorithm AES256
Hashing Algorithm sha1
Main or Aggressive Mode Main Mode
Lifetime (for renegotiation) 3600 sec
Phase 2
Encapsulation (ESP or AH) ESP
Encryption Algorithm AES256
Authentication Algorithm sha1
Perfect Forward Secrecy YES
Lifetime (for renegotiation) 86400 sec
Lifesize in KB (for renegotiation) 0
VPN type Site-to-site
Encryption domain 192.168.5.111/32 (local)
Encryption domain 192.168.0.28/32 (remote) </PRE>

config cisco 881

Spoiler

!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key QWasZX12 address 213.213.213.213
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map map1 10 ipsec-isakmp
set peer 213.213.213.213
set transform-set TS
match address VPN-TRAFFIC
!
interface FastEthernet4
ip address 212.212.212.212 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map map1
!
interface Vlan1
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.112.104.5
ip route 192.168.0.28 255.255.255.255 213.213.213.213
!
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended VPN-TRAFFIC
permit ip host 192.168.5.111 host 192.168.0.28
!
access-list 100 deny ip host 192.168.5.111 host 192.168.0.28
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
!

 

config MSR2003

Spoiler
#
interface GigabitEthernet0/0
port link-mode route
ip address 213.213.213.213 255.255.255.252
nat outbound 3000 address-group 1
ipsec apply policy msr
#
ip route-static 192.168.5.111 32 212.212.212.212
#
acl advanced 3000
rule 0 deny ip source 192.168.0.28 0 destination 192.168.5.111 0
rule 2 permit ip source 192.168.1.0 0.0.0.63
#
acl advanced 3001
rule 0 permit ip source 192.168.0.28 0 destination 192.168.5.111 0
#
ipsec anti-replay window 1024
ipsec sa global-duration traffic-based 86400
ipsec sa idle-time 120
#
ipsec transform-set msr
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy-template msr 1
transform-set msr
security acl 3001
remote-address 212.212.212.212
ike-profile msr
reverse-route dynamic
reverse-route preference 10
reverse-route tag 100
#
ipsec policy msr 1 isakmp template msr
#
ike identity address 213.213.213.213
ike nat-keepalive 5
#
ike profile msr
keychain msr
exchange-mode aggressive
local-identity address 213.213.213.213
match remote identity address 212.212.212.212 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
#
ike keychain msr
pre-shared-key address 212.212.212.212 255.255.255.255 key simple QWasZX12

 

0 Kudos
6 REPLIES 6
alexkg1
Occasional Advisor

тАО08-07-2019 10:48 PM

тАО08-07-2019 10:48 PM

Re: configure ipsec vpn cisco881 and msr2003 not work (

please give a link to ipsec Troubleshooting Guide 

 

0 Kudos
VoIP-Buddy
HPE Pro

тАО08-12-2019 02:27 PM

тАО08-12-2019 02:27 PM

Re: configure ipsec vpn cisco881 and msr2003 not work (

Alex,

Is QWasZX12 really your pre-shared secret in plain text or does the Cisco encrypt it like we do on Comware?  If so, you need to know the plaintext secret and put that into the configuration on the MSR.  It will then be encrypted in the config file to preserve its secrecy.

I'll look tomorrow for the troubleshooting guide for you.  What version of code are you running on the MSR?  Can you post the display version output?  Thanks!

Regards,

David

I work for HPE in Aruba Technical Support
0 Kudos
alexkg1
Occasional Advisor

тАО08-13-2019 03:46 AM - edited тАО08-13-2019 05:20 AM

тАО08-13-2019 03:46 AM - edited тАО08-13-2019 05:20 AM

Re: configure ipsec vpn cisco881 and msr2003 not work (

<msr2003>display version

Spoiler

HP Comware Software, Version 7.1.059, Release 0304P15
Copyright (c) 2010-2015 Hewlett-Packard Development Company, L.P.
HP MSR2003 uptime is 0 weeks, 6 days, 14 hours, 15 minutes
Last reboot reason : User reboot
Boot image: flash:/msr2000-cmw710-boot-r0304p15.bin
Boot image version: 7.1.059P08, Release 0304P15
Compiled Nov 14 2015 13:41:09
System image: flash:/msr2000-cmw710-system-r0304p15.bin
System image version: 7.1.059, Release 0304P15
Compiled Nov 14 2015 13:41:09
Feature image(s) list:
flash:/msr2000-cmw710-security-r0304p15.bin, version: 7.1.059
Compiled Nov 14 2015 13:41:09
flash:/msr2000-cmw710-voice-r0304p15.bin, version: 7.1.059
Compiled Nov 14 2015 13:41:09
flash:/msr2000-cmw710-data-r0304p15.bin, version: 7.1.059
Compiled Nov 14 2015 13:41:09

CPU ID: 0x1
1G bytes DDR3 SDRAM Memory
2M bytes Flash Memory
PCB Version: 3.0
CPLD Version: 2.0
Basic BootWare Version: 1.44
Extended BootWare Version: 1.44
[SLOT 0]AUX (Hardware)3.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]GE0/0 (Hardware)3.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]GE0/1 (Hardware)3.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]CELLULAR0/0 (Hardware)3.0, (Driver)1.0, (CPLD)2.0
[SLOT 2]SIC-4GSW (Hardware)2.0, (Driver)1.0, (CPLD)1.0

 

Update 13.08.2019

I configured vpn tunnel  cisco881 and msr2003.

These were test settings for CISCO.
Now I canтАЩt lift the tunnel with Cisco ASA
The opponent says that he does not see Ipsec packets from me (phase 1 does not work).
Claims that my HP MSR2003 router is not compatible with Cisco ASA Ipsec settings.
Is there an example of an IPSEC tunnel configuration between the Cisco ASA and MSR2003 (COMWARE version 7)?
Or are they really not compatible?

my config MSR2003

Spoiler
#
interface GigabitEthernet0/0
nat outbound 3000 address-group 1
nat static enable
ipsec apply policy msr
#
acl advanced 3000
rule 1 deny ip source 192.168.5.32 0 destination 10.51.5.5 0
rule 4 permit ip source 192.168.5.0 0.0.0.255
rule 100 deny ip
#
acl advanced 3001
rule 1 permit tcp source 192.168.5.32 0 destination 10.51.5.5 0 destination-port eq 443
#
ip route-static 0.0.0.0 0 213.213.213.125
#
ipsec anti-replay window 1024
ipsec sa global-duration traffic-based 86400
ipsec sa idle-time 120
#
ipsec transform-set msr
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
#
ipsec policy-template msr 1
transform-set msr
security acl 3001
remote-address 185.185.185.185
ike-profile msr
reverse-route dynamic
reverse-route preference 10
reverse-route tag 100
#
ipsec policy msr 1 isakmp template msr
#
nat address-group 2
#
ike identity address 185.185.185.185
ike nat-keepalive 5
#
ike profile msr
keychain msr
local-identity address 213.213.213.213
match remote identity address 185.185.185.185 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group2
#
ike keychain msr
pre-shared-key address 185.185.185.185 255.255.255.255 key cipher $c$3$d0O$c$3$d0oSv$c$3$d0jNBmAEBPMZU/wdWYCuP/Kf8wO9Lg==

 

0 Kudos
VoIP-Buddy
HPE Pro

тАО08-13-2019 07:29 AM

тАО08-13-2019 07:29 AM

Re: configure ipsec vpn cisco881 and msr2003 not work (

Alex,

Any chance you can upgrade the code to at least R0615P16?  If you aren't using 4G on this MSR you could go to the latest... R0707P16.  There have been HUGE changes to that code since it was built in 2015 and the notes are that it only had critical bug fixes and that R0305 was better.  But even at that, there were huge changes between then and now.

As for 4G, there is an issue with SIM status in the R0707 code that is going to be fixed shortly for SOME SIM cards.  Not all are affected.

Regards,

David

I work for HPE in Aruba Technical Support
0 Kudos
alexkg1
Occasional Advisor

тАО08-13-2019 07:55 AM

тАО08-13-2019 07:55 AM

Re: configure ipsec vpn cisco881 and msr2003 not work (

Screenshot_2.png

is this firmware? I need instructions on how to update the firmware please

 

0 Kudos
alexkg1
Occasional Advisor

тАО08-13-2019 08:35 PM - edited тАО08-15-2019 01:35 AM

тАО08-13-2019 08:35 PM - edited тАО08-15-2019 01:35 AM

Re: configure ipsec vpn cisco881 and msr2003 not work (

Flash files now

<msr2003>dir
Directory of flash:
0 -rw- 2287 Aug 07 2019 03:35:36 CN63FTY0KX.ak
1 drw- - May 24 2016 16:36:49 diagfile
2 -rw- 735 May 24 2016 19:57:50 hostkey
3 -rw- 387 Aug 13 2019 23:27:23 ifindex.dat
4 drw- - Aug 07 2019 03:46:35 license
5 drw- - Aug 13 2019 23:34:57 logfile
6 -rw- 6380544 Mar 18 2016 16:39:28 msr2000-cmw710-boot-r0304p15.bin
7 -rw- 2629632 Mar 18 2016 16:39:54 msr2000-cmw710-data-r0304p15.bin
8 -rw- 349184 Mar 18 2016 16:39:51 msr2000-cmw710-security-r0304p15.bin
9 -rw- 56171520 Mar 18 2016 16:39:51 msr2000-cmw710-system-r0304p15.bin
10 -rw- 1689600 Mar 18 2016 16:39:52 msr2000-cmw710-voice-r0304p15.bin
11 drw- - May 24 2016 16:36:49 seclog
12 -rw- 591 May 24 2016 19:57:50 serverkey
13 -rw- 12592 Aug 13 2019 23:27:23 startup.cfg
14 -rw- 72680 Aug 13 2019 23:27:24 startup.mdb

262144 KB total (189632 KB free)

This procedure is correct?

<HP>tftp 192.168.1.100 get MSR2000-CMW710-R0707P16.IPE
<HP>boot-loader file flash:/MSR2000-CMW710-R0707P16.IPE
<HP>display boot-loader
<HP>reboot
<HP> display version

Then delete the old firmware files?

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.