Community
Security e-Series

IPSEC Problem between MSR2003 Router and VSR1008 Router

 
eozturk01
Occasional Collector

‎10-13-2016 11:43 AM

‎10-13-2016 11:43 AM

IPSEC Problem between MSR2003 Router and VSR1008 Router

Hello all,

 

im having trouble setting up ipsec tunnel between two routers, vsr router is working behind one to one nat and 

when i checked the ip i can reach it, so its working correctly, but its unable to establish the ipsec session

any help would be appriciated.

Regards,

Erdem

 

MSR Configuration

#
interface GigabitEthernet2/0/1
 port link-mode route
 ip address 91.93.188.206 255.255.255.248
 ospf timer hello 2
 ospf timer dead 10
 ospf network-type p2mp unicast
 ospf timer poll 2
 ospf 2 area 0.0.0.1
 ipsec apply policy msr
#
acl advanced 3000 match-order auto
 rule 0 permit ip source 172.16.101.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
 rule 1 permit ip source 172.16.102.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
#
 ipsec anti-replay window 1024
 ipsec sa global-duration traffic-based 86400
 ipsec sa idle-time 120
#
ipsec transform-set msr
 esp encryption-algorithm 3des-cbc 
 esp authentication-algorithm md5 
#
ipsec policy-template msr 1
 transform-set msr 
 security acl 3000 
 remote-address 88.238.51.202
 ike-profile msr
 reverse-route dynamic
 reverse-route preference 10
 reverse-route tag 100
#
ipsec policy msr 1 isakmp template msr
#
 ike identity address 91.93.188.206
 ike nat-keepalive 5
#
ike profile msr
 keychain msr
 exchange-mode aggressive
 local-identity address 91.93.188.206
 match remote identity address 88.238.51.202 255.255.255.255
 proposal 1 
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike keychain msr
 pre-shared-key address 88.238.51.202 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2
#
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
#

VSR Configuration

 

#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.142.20.6 255.255.255.0
 ospf timer hello 2
 ospf timer dead 10
 ospf network-type p2mp unicast
 ospf dr-priority 2
 ospf timer poll 2
 ospf 2 area 0.0.0.1
 ipsec apply policy vsr
#
acl advanced 3000 match-order auto
 rule 0 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.101.0 0.0.0.255
 rule 1 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.102.0 0.0.0.255
#
 ipsec anti-replay window 1024
 ipsec sa global-duration traffic-based 86400
 ipsec sa idle-time 120
#
ipsec transform-set vsr
 esp encryption-algorithm 3des-cbc 
 esp authentication-algorithm md5 
#
ipsec policy-template vsr 1
 transform-set vsr 
 security acl 3000 
 remote-address 91.93.188.206
 ike-profile vsr
 reverse-route dynamic
 reverse-route preference 10
 reverse-route tag 100
#
ipsec policy vsr 1 isakmp template vsr
#
 ike identity address 88.238.51.202
 ike nat-keepalive 5
#
ike profile vsr
 keychain vsr
 exchange-mode aggressive
 local-identity address 88.238.51.202
 match remote identity address 91.93.188.206 255.255.255.255
 proposal 1 
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike keychain vsr
 pre-shared-key address 91.93.188.206 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2
#
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
#

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.