Security e-Series
Nikolay_Petrov
Collector

Problem with IPSEC tunnel between Cisco and MSR930

Hello all,

I need some assistance with configuring a VPN between a Cisco ASA and an HP MSR930.

The Cisco ASA is controlled by a 3rd party and I receive only limited support from their side. They've told me that they see "qmfs errors" when trying to establish the IPSEC tunnel.

This is the relevant part of the MSR configuration:

=================
#
 nat address-group 1 192.168.131.1 192.168.131.1
#
acl number 3001
 description IPSEC
 rule 0 permit ip source 192.168.131.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
acl number 3003 name NAT
 description NAT
 rule 0 permit ip source 100.64.4.20 0 destination 192.168.100.0 0.0.0.255
 rule 2 deny ip
#
ike proposal 1
 encryption-algorithm aes-cbc 256
 dh group2
 sa duration 28800
#
ike peer mtel
 pre-shared-key cipher XXXXXXXXXXXXXXXXXXXX
 remote-address 172.21.32.9
 local-address 172.21.32.10
#
ipsec transform-set mtel
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-cbc-256
#
ipsec policy mtel 1 isakmp
 connection-name bs-mtel
 security acl 3001
 pfs dh-group2
 ike-peer mtel
 transform-set mtel
 sa duration time-based 3600
#
interface LoopBack1
 description IPSEC IAB NW. NAT Through here.
 bandwidth 5000
 ip address 192.68.131.1 255.255.255.255
#
interface GigabitEthernet0/0.2766
 vlan-type dot1q vid 2766
 nat outbound 3003 address-group 1
 bandwidth 5000
 ip address 172.21.32.10 255.255.255.248
 ipsec policy mtel
#
 ip route-static 192.168.100.0 255.255.255.0 GigabitEthernet0/0.2766 172.21.32.9
================================

This is the debug log:

===============================


*Jun 21 19:00:58:957 2016 MSR930-3 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Jun 21 19:00:58:958 2016 MSR930-3 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Jun 21 19:00:58:958 2016 MSR930-3 NAT/7/debug:
(GigabitEthernet0/0.2766-out :)Pro : ICMP
(    100.64.4.20:    2 - 192.168.100.150:    2) ------>
(  192.168.131.1:12308 - 192.168.100.150:    2)
*Jun 21 19:00:58:959 2016 MSR930-3 IPSEC/7/DBG: IPsec_SA:ipsec acquire sa, use ike peer name: "mtel".
*Jun 21 19:00:58:959 2016 MSR930-3 IPSEC/7/DBG: IPSEC_Negotiate:IPSec drop packet! Notify IKE to negotiate SA for IPsec policy: mtel-1
*Jun 21 19:00:58:960 2016 MSR930-3 IKE/7/DEBUG: IKE receive acquire SA request, IKE peer name:mtel.
*Jun 21 19:00:58:961 2016 MSR930-3 IKE/7/DEBUG: Connection name is 172.21.32.10,172.21.32.9,500,,0,1,1
*Jun 21 19:00:58:961 2016 MSR930-3 IKE/7/DEBUG: Check connection: SA for 172.21.32.10,172.21.32.9,500,,0,1,1 missing
*Jun 21 19:00:58:962 2016 MSR930-3 IKE/7/DEBUG: exchange lookup :name = 172.21.32.10,172.21.32.9,500,,0,1,1 phase = 2
*Jun 21 19:00:58:962 2016 MSR930-3 IKE/7/DEBUG: exchange lookup :name = 172.21.32.10,172.21.32.9,500,,0,0,0 phase = 1
*Jun 21 19:00:58:962 2016 MSR930-3 IKE/7/DEBUG: exchange setup(I): 8ffb8d0
*Jun 21 19:00:58:963 2016 MSR930-3 IKE/7/DEBUG: create udp resource:name = 172.21.32.10,172.21.32.9,500,,0,0,0.
*Jun 21 19:00:58:963 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required SA
*Jun 21 19:00:58:963 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Jun 21 19:00:58:964 2016 MSR930-3 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Jun 21 19:00:58:964 2016 MSR930-3 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Jun 21 19:00:58:973 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required SA
*Jun 21 19:00:58:973 2016 MSR930-3 IKE/7/DEBUG: exchange state machine: unexpected payload VENDOR
*Jun 21 19:00:58:973 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 1, advancing...
*Jun 21 19:00:58:974 2016 MSR930-3 IKE/7/DEBUG:
IKE_DPD: send VID : afcad713 68a1f1c9 6b8696fc 77570100 (DPD)
*Jun 21 19:00:58:974 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH
*Jun 21 19:00:58:974 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required NONCE
*Jun 21 19:00:58:975 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 2, advancing...
*Jun 21 19:00:58:975 2016 MSR930-3 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Jun 21 19:00:58:976 2016 MSR930-3 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Jun 21 19:00:58:984 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH
*Jun 21 19:00:58:985 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required NONCE
*Jun 21 19:00:58:985 2016 MSR930-3 IKE/7/DEBUG: exchange state machine: unexpected payload VENDOR
*Jun 21 19:00:58:985 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 3, advancing...
*Jun 21 19:00:58:986 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required ID
*Jun 21 19:00:58:986 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required AUTH
*Jun 21 19:00:58:986 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 4, advancing...
*Jun 21 19:00:58:987 2016 MSR930-3 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Jun 21 19:00:58:987 2016 MSR930-3 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Jun 21 19:00:58:997 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required ID
*Jun 21 19:00:58:997 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required AUTH
*Jun 21 19:00:58:998 2016 MSR930-3 IKE/7/DEBUG:
IKE_DPD: PF_KEY notify ipsec to update dpd recv_time.
*Jun 21 19:00:58:998 2016 MSR930-3 IKE/7/DEBUG: exchange setup(I): 8ffb6b0
*Jun 21 19:00:58:998 2016 MSR930-3 IPSEC/7/DBG: Create temp SA(New ESP)...
*Jun 21 19:00:58:999 2016 MSR930-3 IPSEC/7/DBG: Src:172.21.32.9 Dst:172.21.32.10 SPI:1970354878(0x75713abe)
*Jun 21 19:00:58:999 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required HASH
*Jun 21 19:00:58:999 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required SA
*Jun 21 19:00:59:000 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required NONCE
*Jun 21 19:00:59:000 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Jun 21 19:00:59:000 2016 MSR930-3 IKE/7/DEBUG: exchange release: freeing exchange 8ffb8d0
*Jun 21 19:00:59:001 2016 MSR930-3 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Jun 21 19:00:59:001 2016 MSR930-3 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Jun 21 19:00:59:004 2016 MSR930-3 IKE/7/DEBUG: exchange setup(R): 8ffc590
*Jun 21 19:00:59:004 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required INFO
*Jun 21 19:00:59:005 2016 MSR930-3 IKE/7/DEBUG: exchange release: freeing exchange 8ffc590
*Jun 21 19:00:59:005 2016 MSR930-3 IKE/7/DEBUG: exchange setup(R): 8ffb8d0
*Jun 21 19:00:59:005 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required INFO
*Jun 21 19:00:59:006 2016 MSR930-3 IKE/7/DEBUG:
IKE_DPD: isakmp sa name : 172.21.32.10,172.21.32.9,500,,0
*Jun 21 19:00:59:006 2016 MSR930-3 IKE/7/DEBUG:
IKE_DPD: PF_KEY notify ipsec to update dpd recv_time.
*Jun 21 19:00:59:006 2016 MSR930-3 IKE/7/DEBUG:
IKE_DPD: release ike dpd structure
*Jun 21 19:00:59:007 2016 MSR930-3 IPSEC/7/DBG: IPsec_SA:Deleting IPsec SA via pfkeyv2 socket.
*Jun 21 19:00:59:007 2016 MSR930-3 IPSEC/7/DBG: Deleting SA...
*Jun 21 19:00:59:008 2016 MSR930-3 IPSEC/7/DBG: Src:172.21.32.9 Dst:172.21.32.10 SPI:1970354878(0x75713abe)
*Jun 21 19:00:59:008 2016 MSR930-3 IPSEC/7/DBG: Done.
*Jun 21 19:00:59:008 2016 MSR930-3 IPSEC/7/DBG: Putting TDB 90498d0 into trash.
*Jun 21 19:00:59:009 2016 MSR930-3 IKE/7/DEBUG: exchange release: freeing exchange 8ffb6b0
*Jun 21 19:00:59:009 2016 MSR930-3 IKE/7/DEBUG: exchange release: freeing exchange 8ffb8d0
*Jun 21 19:00:59:828 2016 MSR930-3 IPSEC/7/DBG: Deleting Trash TDB 90498d0

===============================

Hope someone can provide assistance.

Thanks
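A triage helper for the post above, added here as an example (it is not the poster's code and not an HP or Cisco tool). It does two mechanical things over the excerpts the post already contains: it cross-checks the addresses in the pasted MSR configuration (NAT pool against the LoopBack1 address and against the IPsec ACL source), and it walks the pasted IKE/IPsec debug output to report how far the negotiation got. On the posted data it finds that the LoopBack1 address 192.68.131.1 lies outside the NAT pool 192.168.131.1, and that the initiator finishes main-mode steps 0-4, starts quick mode, creates a temporary ESP SA (SPI 0x75713abe) and deletes it 9 ms later right after two inbound informational exchanges; that is consistent with the "qmfs errors" the ASA side reports (phase 1 up, phase 2 failing), although the excerpt does not show the peer's notify payload. The config and log excerpts in the block are copied from the post; the function names and the regular expressions are this example's own.

```python
"""Cross-check an MSR IPsec config excerpt and summarise its IKE debug output.

Added example for the forum post above; not the poster's code.  Only the
address-bearing config lines and the IKE/IPsec lines that carry state are
kept from the post.
"""
import re
from datetime import datetime, timedelta

# Copied from the post (address-bearing lines only).
MSR_CONFIG = """\
 nat address-group 1 192.168.131.1 192.168.131.1
acl number 3001
 rule 0 permit ip source 192.168.131.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
acl number 3003 name NAT
 rule 0 permit ip source 100.64.4.20 0 destination 192.168.100.0 0.0.0.255
interface LoopBack1
 ip address 192.68.131.1 255.255.255.255
interface GigabitEthernet0/0.2766
 nat outbound 3003 address-group 1
 ip address 172.21.32.10 255.255.255.248
"""

# Copied from the post's debug output (one continuation line kept on purpose).
MSR_DEBUG = """\
*Jun 21 19:00:58:957 2016 MSR930-3 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Jun 21 19:00:58:962 2016 MSR930-3 IKE/7/DEBUG: exchange setup(I): 8ffb8d0
*Jun 21 19:00:58:963 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Jun 21 19:00:58:973 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 1, advancing...
*Jun 21 19:00:58:975 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 2, advancing...
*Jun 21 19:00:58:985 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 3, advancing...
*Jun 21 19:00:58:986 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 4, advancing...
*Jun 21 19:00:58:998 2016 MSR930-3 IKE/7/DEBUG: exchange setup(I): 8ffb6b0
*Jun 21 19:00:58:998 2016 MSR930-3 IPSEC/7/DBG: Create temp SA(New ESP)...
*Jun 21 19:00:58:999 2016 MSR930-3 IPSEC/7/DBG: Src:172.21.32.9 Dst:172.21.32.10 SPI:1970354878(0x75713abe)
*Jun 21 19:00:59:000 2016 MSR930-3 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Jun 21 19:00:59:004 2016 MSR930-3 IKE/7/DEBUG: exchange setup(R): 8ffc590
*Jun 21 19:00:59:004 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required INFO
*Jun 21 19:00:59:005 2016 MSR930-3 IKE/7/DEBUG: exchange setup(R): 8ffb8d0
*Jun 21 19:00:59:005 2016 MSR930-3 IKE/7/DEBUG: exchange check: checking for required INFO
*Jun 21 19:00:59:007 2016 MSR930-3 IPSEC/7/DBG: Deleting SA...
*Jun 21 19:00:59:008 2016 MSR930-3 IPSEC/7/DBG: Src:172.21.32.9 Dst:172.21.32.10 SPI:1970354878(0x75713abe)
"""

def ip_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def matches_wildcard(ip, base, wildcard):
    """Comware ACL wildcard semantics: bits set in the wildcard are ignored."""
    mask = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(ip) & mask) == (ip_int(base) & mask)

def check_config(config):
    """Return a list of address inconsistencies between NAT pool, loopback and IPsec ACL."""
    findings = []
    lo, hi = re.search(r"nat address-group \d+ (\S+) (\S+)", config).groups()
    loopback = re.search(r"interface LoopBack\d+\n ip address (\S+)", config).group(1)
    if not ip_int(lo) <= ip_int(loopback) <= ip_int(hi):
        findings.append(f"LoopBack address {loopback} is outside NAT pool {lo}-{hi}")
    src, wc = re.search(r"acl number 3001\n.*?source (\S+) (\S+)", config, re.S).groups()
    if not matches_wildcard(lo, src, wc):
        findings.append(f"NAT pool {lo} is not matched by IPsec ACL source {src} {wc}")
    return findings

LOG_RE = re.compile(r"^\*(\w{3} \d+ \d\d:\d\d:\d\d):(\d{3}) (\d{4}) \S+ (\S+): ?(.*)$")

def parse_debug(text):
    """Return (timestamp, module, message) tuples; indented continuation lines are joined."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            stamp, ms, year, module, msg = m.groups()
            ts = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
            events.append([ts + timedelta(milliseconds=int(ms)), module, msg.strip()])
        elif events:
            events[-1][2] = (events[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in events]

def summarize(events):
    """Reduce the events to: phase 1 steps, whether quick mode started, ESP SA life, INFO exchanges."""
    steps, sa, info_exchanges, pending = [], {}, 0, None
    for ts, _module, msg in events:
        m = re.search(r"state machine\(I\): finished step (\d+)", msg)
        if m:
            steps.append(int(m.group(1)))
        elif msg.startswith("Create temp SA"):
            pending = "created"          # next Src/Dst/SPI line belongs to this SA
        elif msg.startswith("Deleting SA"):
            pending = "deleted"
        elif pending and (m := re.search(r"SPI:\d+\((0x[0-9a-f]+)\)", msg)):
            sa["spi"], sa[pending], pending = m.group(1), ts, None
        elif "checking for required INFO" in msg:
            info_exchanges += 1          # an informational exchange arrived from the peer
    if "created" in sa and "deleted" in sa:
        sa["lifetime_ms"] = int((sa["deleted"] - sa["created"]) / timedelta(milliseconds=1))
    # Main mode runs initiator steps 0-4; a second "step 0" is quick mode beginning.
    quick = steps.count(0) > 1
    return {"phase1_steps": steps[: steps.index(0, 1)] if quick else steps,
            "quick_mode_started": quick, "esp_sa": sa, "info_exchanges": info_exchanges}

if __name__ == "__main__":
    print(check_config(MSR_CONFIG))
    print(summarize(parse_debug(MSR_DEBUG)))
```

The two checks are deliberately separate: the config cross-check is static and can be run before any debug is enabled, while the log summary only tells you where in the IKE state machine the tunnel stops, not why. To confirm the cause, the corresponding ISAKMP/IPsec debug from the ASA side is what the poster would still need from the third party.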

VoytekG
New Member

Re: Problem with IPSEC tunnel between Cisco and MSR930

Hello,

Have you managed to resolve the issue?

If so, would you please share details?

I have something kind of similar between MSR and CISCO.

I look forward to hearing from you.

Regards,

Wojtek