SOLVED
Akos Hegedus
Valued Contributor

IPsec site-to-site VPN MSR 900

I recently updated the router firmware to the latest version (V5.20R2207P38).

The previous version had a command at the interface level, "ipsec no-nat-process enable". The current firmware doesn't have this command and I cannot get a working configuration.

If I enable nat outbound at the interface level, no packets go into the IPsec channel; if I disable it, the IPsec channel works well but the clients cannot access the internet.

 

The original configuration was:

 

#
version 5.20, Release 2104P02
#
sysname xxxxxx
#
super password level 3 cipher zzzzzzzzzzzzzzzzzzzzzzz
#
domain default enable system
#
dns proxy enable
#
dar p2p signature-file flash:/p2p_default.mtd
#
port-security enable
#
acl number 3140
rule 0 permit ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
rule 1 permit ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike peer mlsz_center
pre-shared-key cipher cccccccccccccccccccccccccccccccccc
remote-address X.X.X.X
#
ipsec proposal mlsz_globall
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy mlszs2s 1 isakmp
connection-name mlsz_center
security acl 3140
ike-peer mlsz_center
proposal mlsz_globall
#
dhcp server ip-pool vlan1 extended
network ip range 192.168.236.100 192.168.236.200
network mask 255.255.255.0
gateway-list 192.168.236.1
dns-list 192.168.221.5 8.8.8.8
#
user-group system
#
local-user admin
password cipher aaaaaaaaaaaaaaaaaaaaaaaa
authorization-attribute level 3
service-type telnet
#
cwmp
undo cwmp enable
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
nat outbound
ip address Y.Y.Y.Y 255.255.255.252
ipsec no-nat-process enable
ipsec policy mlszs2s
dns server Y.Y.Y.X
#
interface Ethernet0/1
port link-mode route
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.236.1 255.255.255.0
dhcp server apply ip-pool vlan1
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
interface Ethernet0/5
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet0/0 Y.Y.Y.C
#
dhcp enable
#
ssh server enable
#
nms primary monitor-interface Ethernet0/0
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface tty 13
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh
#
return

13 replies
christosloizou
Occasional Advisor

Re: IPsec site-to-site VPN MSR 900

Did you find the answer to this? I have the same problem.

Akos Hegedus
Valued Contributor

Re: IPsec site-to-site VPN MSR 900

Not yet. I tried to solve it with HP support, without success.

christosloizou
Occasional Advisor

Re: IPsec site-to-site VPN MSR 900

That's bad.

4x
Occasional Visitor

Re: IPsec site-to-site VPN MSR 900

...

acl number 3150
rule 0 deny ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
rule 1 deny ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
rule 2 permit ip source 192.168.236.0 0.0.0.255
#
interface Ethernet0/0
port link-mode route
nat outbound 3150
ip address Y.Y.Y.Y 255.255.255.252
ipsec policy mlszs2s
dns server Y.Y.Y.X

...

OK?

Akos Hegedus
Valued Contributor

Re: IPsec site-to-site VPN MSR 900

I tried it but it doesn't work. :-(

 

4x
Occasional Visitor

Re: IPsec site-to-site VPN MSR 900

...

#
ike peer mlsz_center
pre-shared-key cipher cccccccccccccccccccccccccccccccccc
remote-address X.X.X.X
nat traversal
#

...

Akos Hegedus
Valued Contributor

Re: IPsec site-to-site VPN MSR 900

Still not working.

By the way, the VPN connection behaves the same way in both cases.
christosloizou
Occasional Advisor

Re: IPsec site-to-site VPN MSR 900

I think I found the problem. Please change your ACL to permit ip any destination (your destination) and let me know.

christosloizou
Occasional Advisor

Re: IPsec site-to-site VPN MSR 900

acl number
rule 0 permit ip source any destination 192.168.221.0 0.0.0.255
rule 1 permit ip source any destination 10.0.0.0 0.0.0.255
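Added example, not code from any of the posts above and not HP's: a small Python model of the ordering this thread is fighting, where the egress interface applies nat outbound before the packet is compared with the ipsec policy's security ACL (the ordering the removed "ipsec no-nat-process enable" used to override). It serves both 4x's "nat outbound 3150" exemption ACL and the later "source any" suggestion. Assumed, not taken from the thread: NAT runs first and rewrites the source to the interface address; ACLs match in config order, first match wins; a NAT ACL deny or no match leaves the packet untranslated; a bare nat outbound translates everything. The sample config is constructed from the posted one, cut to the relevant sections, with RFC 5737 addresses in place of the X.X.X.X / Y.Y.Y.Y placeholders; parse_config(), egress() and lint() are names of my own.

```python
"""Model Comware V5 (HP MSR) egress ordering: 'nat outbound' is applied before
the packet is matched against the 'ipsec policy' security ACL.
Added example for this thread, not code from the posts or from HP. Assumes NAT
runs first (source becomes the interface address), first-match ACLs in config
order, NAT deny/no-match = no NAT, and bare 'nat outbound' = NAT everything."""
import ipaddress
import re

# Constructed sample: posted config cut to the relevant sections, RFC 5737
# addresses in place of the X.X.X.X / Y.Y.Y.Y placeholders.
SAMPLE_CONFIG = """\
acl number 3140
rule 0 permit ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
rule 1 permit ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
acl number 3150
rule 0 deny ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
rule 1 deny ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
rule 2 permit ip source 192.168.236.0 0.0.0.255
#
ipsec policy mlszs2s 1 isakmp
security acl 3140
#
interface Ethernet0/0
nat outbound
ip address 203.0.113.2 255.255.255.252
ipsec policy mlszs2s
#
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
RULE_RE = re.compile(r"rule \d+ (permit|deny) ip"
                     r"(?: source (any|\S+ \S+))?(?: destination (any|\S+ \S+))?$")

def _net(spec):
    """None/'any' or 'addr wildcard' -> ip_network (ipaddress reads the
    Comware inverse mask, which starts with a 0 octet, as a hostmask)."""
    if spec in (None, "any"):
        return ANY
    addr, wildcard = spec.split()
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_config(text):
    """Return (acls, ipsec policies, interfaces) from Comware config text."""
    acls, policies, interfaces = {}, {}, {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "#":                       # section separator
            section = None
        elif m := re.match(r"acl number (\d+)$", line):
            section = acls.setdefault(m.group(1), [])
        elif m := re.match(r"ipsec policy (\S+) \d+ isakmp$", line):
            section = policies.setdefault(m.group(1), {})
        elif m := re.match(r"interface (\S+)$", line):
            section = interfaces.setdefault(m.group(1), {})
        elif isinstance(section, list) and (m := RULE_RE.match(line)):
            section.append((m.group(1), _net(m.group(2)), _net(m.group(3))))
        elif isinstance(section, dict):
            if m := re.match(r"security acl (\d+)$", line):
                section["acl"] = m.group(1)
            elif m := re.match(r"nat outbound(?: (\d+))?$", line):
                section["nat"] = m.group(1) or "all"
            elif m := re.match(r"ipsec policy (\S+)$", line):
                section["ipsec"] = m.group(1)
            elif m := re.match(r"ip address (\S+) ", line):
                section["ip"] = m.group(1)
    return acls, policies, interfaces

def first_match(rules, src, dst):
    for action, rsrc, rdst in rules:
        if src in rsrc and dst in rdst:
            return action

def egress(cfg, ifname, src, dst):
    """(source address after NAT, encrypted?) for a packet leaving ifname."""
    acls, policies, interfaces = cfg
    intf = interfaces[ifname]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat = intf.get("nat")
    if nat == "all" or (nat and first_match(acls[nat], src, dst) == "permit"):
        src = ipaddress.ip_address(intf["ip"])  # translated before IPsec sees it
    encrypted = False
    if "ipsec" in intf:
        sec_acl = acls[policies[intf["ipsec"]]["acl"]]
        encrypted = first_match(sec_acl, src, dst) == "permit"
    return str(src), encrypted

def lint(cfg, ifname):
    """Protected flows that NAT rewrites before the IPsec match (sent in clear)."""
    acls, policies, interfaces = cfg
    intf = interfaces[ifname]
    if "ipsec" not in intf or "nat" not in intf:
        return []
    findings = []
    for action, rsrc, rdst in acls[policies[intf["ipsec"]]["acl"]]:
        if action == "permit":  # probe with one host from each side of the flow
            new_src, enc = egress(cfg, ifname, rsrc[1 % rsrc.num_addresses],
                                  rdst[1 % rdst.num_addresses])
            if not enc:
                findings.append(f"{rsrc} -> {rdst}: source becomes {new_src}, not encrypted")
    return findings
```

With the posted bare "nat outbound", lint() reports both 3140 flows: a LAN packet to 192.168.221.0/24 leaves with source 203.0.113.2, no longer matches the security ACL, and goes out unencrypted, which is the "no packets are going into the IPsec channel" symptom. Replacing that line with "nat outbound 3150" makes the same packet hit the deny rules first, stay untranslated, and match 3140, while a packet to 8.8.8.8 still hits rule 2 and is translated. The model also gives an answer to the last suggestion in the thread: with a security ACL that permits "source any" and a bare nat outbound, the translated packet matches and is encrypted, but with the interface address as its inner source; whether the remote peer's policy accepts that is outside what the thread shows and is worth checking on the far end before relying on it.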