WAN Routing

IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

SOLVED
Osrr
Occasional Contributor

IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

I need some assistance on how to configure a Client-to-Site VPN on MSR954 router using Comware 7. So I could connect to my network with my pc (using some sort of VPN client)

I've only seen site-to-site examples. 

I don't really understand the whole VPN aspect or well.. how it should be done. Some explanation would be appreciated.

I have seen earlier posts about a similar issue, but they used Comware 5 or something older, so the commands are not the same. https://community.hpe.com/t5/WAN-Routing/IPSec-VPN-PC-to-Site-HP-A-MSR900-H3C-msr900/td-p/5377763#.XIDLVygzaUl

network_king
HPE Pro

Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

Hello Osrr

You can use the MSR security configuration guide below for IPsec configuration examples (page 355 onwards).

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=1008605468&docLocale=en_US&docId=emr_na-c05370666&withFrame 

I am an HPE Employee


Osrr
Occasional Contributor

Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

I have gotten as far as I can attempt a VPN connection using the Windows 10 built-in VPN.

When I try to connect, I instantly get the error message:

"The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer."

From the router IKE and IPsec logs I get:

%Mar 19 13:23:01:660 2019 MSR Router IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: Unsupported DH group: 20.. Attribute GROUP_DESCRIPTION..
SA information:
Role: responder
Local IP: 10.10.10.2
Local ID type: Unknown
Local ID:
Local port: 500
Retransmissions: 0
Remote IP: 195.66.106.26
Remote ID type: Unknown
Remote ID:
Remote port: 500
Recived retransmissions: 0
Inside VPN instance:
Outside VPN instance:
Initiator Cookie: cd75a8493f78984c
Responder Cookie: da6b2c85f24f1ae9
Connection ID: 126
Tunnel ID: 4294967295
IKE profile name:

%Mar 19 13:23:01:660 2019 MSR Router IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: Unsupported DH group: 19.. Attribute GROUP_DESCRIPTION..
SA information:
Role: responder
Local IP: 10.10.10.2
Local ID type: Unknown
Local ID:
Local port: 500
Retransmissions: 0
Remote IP: 195.66.106.26
Remote ID type: Unknown
Remote ID:
Remote port: 500
Recived retransmissions: 0
Inside VPN instance:
Outside VPN instance:
Initiator Cookie: cd75a8493f78984c
Responder Cookie: da6b2c85f24f1ae9
Connection ID: 126
Tunnel ID: 4294967295
IKE profile name:

%Mar 19 13:23:01:661 2019 MSR Router IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: No acceptable transform.
SA information:
Role: responder
Local IP: 10.10.10.2
Local ID type: Unknown
Local ID:
Local port: 500
Retransmissions: 0
Remote IP: 195.66.106.26
Remote ID type: Unknown
Remote ID:
Remote port: 500
Recived retransmissions: 0
Inside VPN instance:
Outside VPN instance:
Initiator Cookie: cd75a8493f78984c
Responder Cookie: da6b2c85f24f1ae9
Connection ID: 126
Tunnel ID: 4294967295
IKE profile name:

I have tried making the encryption algorithm 3DES and authentication SHA1, but that did not work. (Not 100% sure I even applied it correctly, under the IKE proposal and under the transform-set.)

I did try to configure IKEv2 and use the Windows IKEv2 VPN, but that just gives "Policy match error".

I tried to configure the IPsec and IKE via the Comware CLI and via the web GUI.


Paul Kurtz
HPE Pro

Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

<msr> debugging ipsec all

<msr> debugging ike all

<msr> debugging tunnel all

<msr> debugging ipsec all

<msr> terminal debugging

<msr> terminal monitor

Try your VPN client; I found that the proposal Windows 10 was requiring was not configured on the MSR router.

I am an HPE Employee
Paul Kurtz
HPE Pro

Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

Also, here is my MSR2003 Comware 7 config that I have almost working; I'm getting
"Can't find IKE SA."


#
ipsec transform-set vpn-win-client
encapsulation-mode transport
esp encryption-algorithm aes-cbc-128 aes-cbc-256
esp authentication-algorithm sha1 sha256 sha384

#
ipsec profile vpn-win-client isakmp
transform-set vpn-win-client
ike-profile vpn-win-client

#
ipsec policy vpn-win-client 1 isakmp
transform-set vpn-win-client
remote-address 192.168.0.50
ike-profile vpn-win-client

#
ike profile vpn-win-client
keychain vpn-win-client
local-identity address 192.168.0.252
match remote identity address 192.168.0.50 255.255.255.255
match local address 192.168.0.252
proposal 2
client-authentication xauth

#
ike proposal 2
encryption-algorithm 3des-cbc
dh group14

#
ike keychain vpn-win-client
pre-shared-key address 192.168.0.50 255.255.255.255 key cipher $c$3$ohiq9EBbw/v1JiT3A52zHQd7bp7pDs+kzLKLyjA=


Also, here is the debugging output:

Begin a new phase 1 negotiation as responder.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Responder created an SA for peer 192.168.0.50, local port 500, remote port 500.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Set IKE SA state to IKE_P1_STATE_INIT.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Security Association Payload.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Process vendor ID payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/EVENT: Vendor ID NAT-T rfc3947 is matched.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Process SA payload.
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 1.
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encryption algorithm is AES-CBC.
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Key length is 256 bytes.
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
HASH algorithm is HMAC-SHA1.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
DH group is ECP_384.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Unsupported DH group: 20.. Attribute GROUP_DESCRIPTION.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 2.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encryption algorithm is AES-CBC.
*Mar 19 17:26:25:101 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Key length is 128 bytes.
*Mar 19 17:26:25:101 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
HASH algorithm is HMAC-SHA1.
*Mar 19 17:26:25:101 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
DH group is ECP_256.
*Mar 19 17:26:25:102 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Unsupported DH group: 19.. Attribute GROUP_DESCRIPTION.
*Mar 19 17:26:25:102 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 3.
*Mar 19 17:26:25:102 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encryption algorithm is AES-CBC.
*Mar 19 17:26:25:102 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Key length is 256 bytes.
*Mar 19 17:26:25:103 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
HASH algorithm is HMAC-SHA1.
*Mar 19 17:26:25:103 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
DH group is 14.
*Mar 19 17:26:25:103 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Authentication method is Pre-shared key.
*Mar 19 17:26:25:104 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Lifetime type is 1.
*Mar 19 17:26:25:104 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Life duration is 28800.
*Mar 19 17:26:25:104 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 4.
*Mar 19 17:26:25:104 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encryption algorithm is 3DES-CBC.
*Mar 19 17:26:25:105 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
HASH algorithm is HMAC-SHA1.
*Mar 19 17:26:25:105 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
DH group is 14.
*Mar 19 17:26:25:105 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Authentication method is Pre-shared key.
*Mar 19 17:26:25:106 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Lifetime type is 1.
*Mar 19 17:26:25:106 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Life duration is 28800.
*Mar 19 17:26:25:106 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Found pre-shared key that matches address 192.168.0.50 in keychain core.
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Attributes is acceptable.
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/EVENT: Oakley transform 4 is acceptable.
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Constructed SA payload
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct NAT-T rfc3947 vendor ID payload.
*Mar 19 17:26:25:108 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct XAUTH Cisco Unity 1.0 vendor ID payload.
*Mar 19 17:26:25:108 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct XAUTH draft6 vendor ID payload.
*Mar 19 17:26:25:108 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND2.
*Mar 19 17:26:25:108 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending packet to 192.168.0.50 remote port 500, local port 500.
*Mar 19 17:26:25:109 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 136
*Mar 19 17:26:25:109 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending an IPv4 packet.
*Mar 19 17:26:25:109 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sent data to socket successfully.
*Mar 19 17:26:25:114 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:25:115 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:25:115 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 388
*Mar 19 17:26:25:115 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:25:115 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:25:116 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Key Exchange Payload.
*Mar 19 17:26:25:116 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Nonce Payload.
*Mar 19 17:26:25:116 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP NAT-D Payload.
*Mar 19 17:26:25:117 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP NAT-D Payload.
*Mar 19 17:26:25:117 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Process KE payload.
*Mar 19 17:26:25:117 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Process NONCE payload.
*Mar 19 17:26:25:117 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received 2 NAT-D payload.
*Mar 19 17:26:25:210 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct KE payload.
*Mar 19 17:26:25:211 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct NONCE payload.
*Mar 19 17:26:25:212 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct NAT-D payload.
*Mar 19 17:26:25:213 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct DPD vendor ID payload.
*Mar 19 17:26:25:344 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
IKE SA state changed from IKE_P1_STATE_SEND2 to IKE_P1_STATE_SEND4.
*Mar 19 17:26:25:345 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending packet to 192.168.0.50 remote port 500, local port 500.
*Mar 19 17:26:25:345 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 376
*Mar 19 17:26:25:345 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending an IPv4 packet.
*Mar 19 17:26:25:346 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sent data to socket successfully.
*Mar 19 17:26:25:351 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:25:351 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:25:351 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:25:351 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:25:352 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:25:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Decrypt the packet.
*Mar 19 17:26:25:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Identification Payload.
*Mar 19 17:26:25:353 2019 nkpa-r1 IKE/7/ERROR: 2th byte of the structure ISAKMP Identification Payload must be 0.
*Mar 19 17:26:25:353 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Failed to parse phase 1 packet. Reason INVALID_PAYLOAD_TYPE.
*Mar 19 17:26:25:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encrypt the packet.
*Mar 19 17:26:25:354 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct notification packet: INVALID_PAYLOAD_TYPE.
*Mar 19 17:26:25:354 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending packet to 192.168.0.50 remote port 500, local port 500.
*Mar 19 17:26:25:354 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 65bbaac7
length: 84
*Mar 19 17:26:25:355 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending an IPv4 packet.
*Mar 19 17:26:25:355 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sent data to socket successfully.
*Mar 19 17:26:25:355 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Failed to negotiate IKE SA.
*Mar 19 17:26:25:355 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Failed to negotiate IKE SA.
*Mar 19 17:26:26:351 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:26:351 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:26:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:26:352 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:26:352 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:26:352 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:26:27:352 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:27:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:27:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:27:352 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:27:353 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:27:353 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:26:30:352 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:30:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:30:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:30:353 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:30:353 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:30:353 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:26:37:352 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:52:354 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:27:07:353 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:27:07:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:27:07:354 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500

I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:27:07:354 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:27:07:354 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:27:07:354 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.

I am an HPE Employee
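The two kinds of router output quoted in this thread (the IKE_P1_SA_ESTABLISH_FAIL records from `ike logging negotiation enable`, and the `debugging ike all` "Check ISAKMP transform" sequences) can be summarised automatically to show which peer proposals the router rejected and which one it accepted. This is an added Python example, not code from the thread or from HPE; the log text it embeds is constructed to mirror the posts above, with a documentation address in place of the real peer.

```python
import re
from collections import Counter

# Constructed samples shaped like the thread's router output (IKE_P1_SA_ESTABLISH_FAIL
# records from `ike logging negotiation enable`, and `debugging ike all` transform checks).
LOG_SAMPLE = """\
%Mar 19 13:23:01:660 2019 MSR IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: Unsupported DH group: 20.. Attribute GROUP_DESCRIPTION..
Remote IP: 192.0.2.10
%Mar 19 13:23:01:660 2019 MSR IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: Unsupported DH group: 19.. Attribute GROUP_DESCRIPTION..
Remote IP: 192.0.2.10
%Mar 19 13:23:01:661 2019 MSR IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: No acceptable transform.
Remote IP: 192.0.2.10
"""
DEBUG_SAMPLE = """\
Check ISAKMP transform 1.
Encryption algorithm is AES-CBC.
Key length is 256 bytes.
HASH algorithm is HMAC-SHA1.
DH group is ECP_384.
Unsupported DH group: 20.. Attribute GROUP_DESCRIPTION.
Check ISAKMP transform 4.
Encryption algorithm is 3DES-CBC.
HASH algorithm is HMAC-SHA1.
DH group is 14.
Oakley transform 4 is acceptable.
"""

FAIL_RE = re.compile(r"IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in (\w+) mode")
REASON_RE = re.compile(r"^Reason: (.+?)\.*$")          # strip the trailing ".." the router appends
PEER_RE = re.compile(r"^Remote IP: (\S+)")
CHECK_RE = re.compile(r"^Check ISAKMP transform (\d+)\.")
ATTR_RE = re.compile(r"^(Encryption algorithm|HASH algorithm|DH group) is (.+?)\.$")
KEYLEN_RE = re.compile(r"^Key length is (\d+)")
ACCEPT_RE = re.compile(r"^Oakley transform (\d+) is acceptable")

def summarise_failures(log_text):
    """Count phase-1 failures per (remote IP, exchange mode, reason)."""
    counts = Counter()
    mode = reason = None
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            mode, reason = m.group(1), None        # a new failure record starts
        elif m := REASON_RE.match(line):
            reason = m.group(1)
        elif (m := PEER_RE.match(line)) and mode:
            counts[(m.group(1), mode, reason)] += 1
            mode = reason = None
    return counts

def parse_transforms(debug_text):
    """One dict per proposed transform: algorithms, key length, error, accepted flag."""
    transforms, cur = [], None
    for line in debug_text.splitlines():
        line = line.strip()
        if m := CHECK_RE.match(line):
            cur = {"id": int(m.group(1)), "error": None, "accepted": False}
            transforms.append(cur)
        elif cur is None:
            continue                                # text before the first transform check
        elif m := ATTR_RE.match(line):
            cur[m.group(1)] = m.group(2)
        elif m := KEYLEN_RE.match(line):
            cur["Key length"] = int(m.group(1))
        elif line.startswith("Unsupported "):
            cur["error"] = line.rstrip(".")         # e.g. unsupported DH group
        elif m := ACCEPT_RE.match(line):
            for t in transforms:
                if t["id"] == int(m.group(1)):
                    t["accepted"] = True
    return transforms
```

The accepted transform's algorithms (here 3DES-CBC, HMAC-SHA1, DH group 14) are what the client and the router's `ike proposal` have in common; the rejected ones show what the client offered first.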
Osrr
Occasional Contributor

Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

I currently got it working with ShrewVPN client. Not the safest but works.

Osrr
Occasional Contributor
Solution

Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

If anyone is ever stuck at this problem like I was, I decided to post my IPsec and IKE configuration for this. It is possible to configure this via the web GUI also.

On the MSR954 Router using Comware 7

ipsec transform-set IPSecTEST
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
pfs dh-group2
esn enable
#
ipsec policy-template IPSecTEST 65535
transform-set IPSecTEST
ike-profile IPSecTEST
ikev2-profile IPSecTEST
sa duration time-based 3600
sa duration traffic-based 1843200
#
ipsec policy IPSecTEST 65535 isakmp template IPSecTEST
#
ike identity fqdn your.ddns.domain // i.e. I made a no-ip.com account and made myself a DDNS domain
#
ike profile 65535
#
ike profile IPSecTEST
keychain IPSecTEST
match remote identity address 0.0.0.0 0.0.0.0
proposal 65535
#
ike proposal 65535
encryption-algorithm 3des-cbc
#
ike keychain IPSecTEST
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$Wn6LlSQ0yrT+6qGc+qPQ66HrhQ54WhrP76GfXquKN9Q==

Configuration on the Shrew VPN client

GENERAL:

Host Name or IP Address: your.ddns.domain     Port: 500

Auto Configuration: disabled

Adapter mode: Any of them worked for me, any address should be fine. MTU stays 1380

CLIENT:

Should stay default, although the "Enable Client Login Banner" is grayed out for me

NAME RESOLUTION:

Disable all (DNS/WINS) (remove the tick from the front of enable)

AUTHENTICATION:

Authentication method: Mutual PSK

Local identity   ;   Identification type: IP Address   ;   Address String: (stays empty)    ;   Use a discovered local host address: yes

Remote Identity   ;   Fully Qualified Domain Name   ;   FQDN String: your.ddns.domain

Credentials   ;   Pre Shared Key: (whatever you set as the pre shared key on IKE keychain)

PHASE 1:

Exchange Type: Aggressive

DH Exchange: group 1

Cipher Algorithm: 3des

Hash Algorithm: sha1

Key Life Time limit: 86400 secs

Key Life Data limit: Kbytes

PHASE 2:

Transform Algorithm: esp-3des

HMAC Algorithm: sha1

PFS Exchange: group 2

Compress Algorithm: disabled

Key Life Time limit: 3600

Key Life Data limit: 0

POLICY:

Policy Generation Level: require

Maintain Persistent Security Associations: NO

Obtain Topology Automatically or Tunnel All: YES

To see connection logging use these commands on the router:

ike logging negotiation enable

ipsec logging negotiation enable

Let me know if there are any problems with this method.
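Before reusing a configuration like the one above, a reviewer will usually want to check its algorithm choices and peer matching against a policy. The added Python example below is not the poster's code or HPE's; it parses Comware-style `#`-separated config blocks (an excerpt constructed from the post, with a placeholder instead of the real key cipher string) and reports legacy algorithms, missing explicit DH groups and wildcard `0.0.0.0 0.0.0.0` peer matches. The LEGACY set is an assumed policy to adjust.

```python
import re

# Constructed excerpt shaped like the Comware 7 config in the solution post
# (placeholder key instead of the real cipher string).
CONFIG_SAMPLE = """\
#
ipsec transform-set IPSecTEST
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
 pfs dh-group2
#
ike profile IPSecTEST
 keychain IPSecTEST
 match remote identity address 0.0.0.0 0.0.0.0
 proposal 65535
#
ike proposal 65535
 encryption-algorithm 3des-cbc
#
ike keychain IPSecTEST
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$PLACEHOLDER
"""

# Assumed policy: algorithms and DH groups treated as legacy (deprecated cipher,
# short hash or small modulus). Adjust to what your organisation requires.
LEGACY = {"des-cbc", "3des-cbc", "md5", "sha1", "dh-group1", "dh-group2", "dh-group5",
          "group1", "group2", "group5"}
WILDCARD_RE = re.compile(r"address 0\.0\.0\.0 0\.0\.0\.0")

def split_blocks(config_text):
    """Yield (header, body lines) for each '#'-separated Comware config block."""
    header, body = None, []
    for raw in config_text.splitlines() + ["#"]:   # trailing '#' flushes the last block
        line = raw.strip()
        if line == "#":
            if header:
                yield header, body
            header, body = None, []
        elif header is None:
            header = line                          # first line after '#' names the block
        else:
            body.append(line)

def audit_ike_config(config_text):
    """Return a list of (block header, finding) pairs for the config text."""
    findings = []
    for header, body in split_blocks(config_text):
        if header.startswith("ike proposal") and not any(ln.startswith("dh ") for ln in body):
            # No explicit 'dh' means the platform default group is used; make the
            # reviewer confirm which group that is on their software version.
            findings.append((header, "no explicit 'dh' group; verify the default in use"))
        for ln in body:
            for tok in ln.split():
                if tok.lower() in LEGACY:
                    findings.append((header, f"legacy algorithm '{tok}' in '{ln}'"))
            if WILDCARD_RE.search(ln):
                what = "pre-shared key" if ln.startswith("pre-shared-key") else "identity match"
                findings.append((header, f"wildcard {what}: any peer address may attempt phase 1"))
    return findings
```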

Thomas_N-Wright
Visitor

Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

Hi,

I know this thread is a bit old, but I struggle with a client-to-MSR VPN.
I would like the client to obtain an address from the MSR, and use the MSR as a default gateway for all traffic.

OR, have local breakout and only reach certain servers on a LAN behind the MSR.

As it is now, the client obtains an address, but no DNS. It is not able to reach any URLs via FQDN, only IP.

techin
Regular Advisor

Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7

@Thomas_N-Wright ,

I think you should create a new topic instead to get answers