Re: IPsec site-to-site VPN MSR 900

Akos Hegedus · ‎01-04-2012

I recently updated the router firmware to the latest version (V5.20R2207P38).

The previous version had a command at the interface level which allowed to "ipsec no-nat-process enable". The current firmware doesn't have this command and I cannot get a working configuration.

If I enable nat outbound at the interface level, no packets are going into the IPsec channel, if I disable it the IPsec channel works well but the clients cannot access the internet.

The original configration was:

#
version 5.20, Release 2104P02
#
sysname xxxxxx
#
super password level 3 cipher zzzzzzzzzzzzzzzzzzzzzzz
#
domain default enable system
#
dns proxy enable
#
dar p2p signature-file flash:/p2p_default.mtd
#
port-security enable
#
acl number 3140
rule 0 permit ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
rule 1 permit ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
ike peer mlsz_center
pre-shared-key cipher cccccccccccccccccccccccccccccccccc
remote-address X.X.X.X
#
ipsec proposal mlsz_globall
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy mlszs2s 1 isakmp
connection-name mlsz_center
security acl 3140
ike-peer mlsz_center
proposal mlsz_globall
#
dhcp server ip-pool vlan1 extended
network ip range 192.168.236.100 192.168.236.200
network mask 255.255.255.0
gateway-list 192.168.236.1
dns-list 192.168.221.5 8.8.8.8
#
user-group system
#
local-user admin
password cipher aaaaaaaaaaaaaaaaaaaaaaaa
authorization-attribute level 3
service-type telnet
#
cwmp
undo cwmp enable
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
nat outbound
ip address Y.Y.Y.Y 255.255.255.252
ipsec no-nat-process enable
ipsec policy mlszs2s
dns server Y.Y.Y.X
#
interface Ethernet0/1
port link-mode route
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.236.1 255.255.255.0
dhcp server apply ip-pool vlan1
#
interface Ethernet0/2
port link-mode bridge
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
interface Ethernet0/5
port link-mode bridge
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet0/0 Y.Y.Y.C
#
dhcp enable
#
ssh server enable
#
nms primary monitor-interface Ethernet0/0
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface tty 13
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh
#
return

christosloizou · ‎03-08-2012

Did you find the answer to this ? I have the same problem

Akos Hegedus · ‎03-09-2012

Not yet. I tried to solve it with HP support, without success.

christosloizou · ‎03-09-2012

Thats bad

4x · ‎03-19-2012

...

acl number 3150
rule 0 deny ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
rule 1 deny ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

rule 2 permit ip source 192.168.236.0 0.0.0.255

#

interface Ethernet0/0
port link-mode route
nat outbound 3150
ip address Y.Y.Y.Y 255.255.255.252
ipsec policy mlszs2s
dns server Y.Y.Y.X

...

OK?

Akos Hegedus · ‎03-19-2012

I tried it but doesn't work. :-(

4x · ‎03-19-2012

...

#

ike peer mlsz_center
pre-shared-key cipher cccccccccccccccccccccccccccccccccc
remote-address X.X.X.X

nat traversal

#

...

Akos Hegedus · ‎03-21-2012

Still does not working.

By the way the VPN connection behaves the same way in both case.

christosloizou · ‎03-22-2012

I think i found the problem. Please change your acl to to permit ip any destination (your destination) and let me know

christosloizou · ‎03-22-2012

acl number

rule 0 permit ip source any destination 192.168.221.0 0.0.0.255
rule 1 permit ip source any destination 10.0.0.0 0.0.0.255

Re: IPsec site-to-site VPN MSR 900

IPsec site-to-site VPN MSR 900