
Re: IPSEC problem with MSR2003 router

 
SOLVED
Dobrin
Occasional Visitor

IPSEC problem with MSR2003 router

Hello,

I have bought an HP MSR 2003 router and I am trying to configure IPSec tunnel between it and a Pfsense firewall.

I have created all the necessary rules and so on, but on the ESP encryption options there is only DES as an encryption algorithm. Is there any way to enable 3DES or AES?

The phase 1 connection is made without problems, but the phase 2 fails.

Here is my configuration:

interface GigabitEthernet0/1
 port link-mode route
 description WAN
 ip address XX.XX.XX.XX 255.255.255.0
 default-nexthop ip XX.XX.XX.XX
 nat outbound 2002
 undo dhcp select server
 ipsec apply policy policy1
#
ipsec transform-set ts1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy policy1 10 isakmp
 transform-set ts1
 security acl 3000
 local-address XX.XX.XX.XX
 remote-address XX.XX.XX.XX
 ike-profile 1
#
ipsec policy 1 local-address GigabitEthernet0/1
#
ike profile 1
 keychain keychain_galaxy
 local-identity address XX.XX.XX.XX
 match remote identity address XX.XX.XX.XX 255.255.255.0
 proposal 1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group2

 

Ian Vaughan
Honored Contributor
Solution

Re: IPSEC problem with MSR2003 router

Hello,

You probably need to enable the "high encryption" license to be able to use AES etc. on a new Comware v7 router.

Have a look at this blog where a kind fellow has outlined the procedure.

Thanks

Ian

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
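
An added example, not written by either poster and not HPE code: a Python check that walks a configuration in the layout posted in the question and reports every IPsec policy whose transform-set still uses DES for ESP, together with the interface the policy is applied to. The sample configuration, the second transform-set `ts2` and the `WEAK_ESP` list are constructed assumptions.

```python
import re

WEAK_ESP = {"des-cbc"}  # assumption: extend this set to match local policy

# Constructed sample in the layout of the configuration posted above.
SAMPLE = """\
interface GigabitEthernet0/1
 ipsec apply policy policy1
#
ipsec transform-set ts1
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec transform-set ts2
 esp encryption-algorithm aes-cbc-128
#
ipsec policy policy1 10 isakmp
 transform-set ts1
#
ipsec policy policy1 20 isakmp
 transform-set ts2
"""

def stanzas(config):
    """Split on '#' separator lines; works even if indentation was lost."""
    for block in re.split(r"(?m)^#[ \t]*$", config):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            yield lines[0].split(), [ln.split() for ln in lines[1:]]

def audit(config):
    """Return (policy, seq, transform_set, algorithm, interfaces) per weak use."""
    weak, uses, applied = {}, [], {}
    for head, body in stanzas(config):
        if head[:2] == ["ipsec", "transform-set"] and len(head) == 3:
            for w in body:
                if w[:2] == ["esp", "encryption-algorithm"]:
                    weak[head[2]] = [a for a in w[2:] if a in WEAK_ESP]
        elif head[:2] == ["ipsec", "policy"] and len(head) >= 4 and head[3].isdigit():
            for w in body:
                if w[0] == "transform-set":
                    uses += [(head[2], int(head[3]), ts) for ts in w[1:]]
        elif head[0] == "interface" and len(head) > 1:
            for w in body:
                if w[:3] == ["ipsec", "apply", "policy"] and len(w) == 4:
                    applied.setdefault(w[3], []).append(head[1])
    # Resolve references only after the whole file is read: order-independent.
    return [(pol, seq, ts, alg, applied.get(pol, []))
            for pol, seq, ts in uses for alg in weak.get(ts, [])]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
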