
SITE TO SITE VPN Cisco - HP TMS MODULE

 
RayMK
Occasional Contributor


Hi,

Could anyone advise what I need to do to get a successful VPN connection established?

Currently I cannot even get IKE Phase 1 negotiating properly between the remote Cisco box and our HP TMS module.

Below is the configuration for the Cisco and the HP TMS module.


CISCO

hostname Router
ip domain name

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 10000

crypto isakmp key mytestkey address x.x.195.209   [TMS peer address]
crypto isakmp identity hostname

crypto ipsec transform-set ims-gprs esp-3des esp-md5-hmac
 mode transport

crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer x.x.195.209   [TMS peer address]
 set transform-set ims-gprs
 match address IMS

interface FastEthernet0/1
 ip address 192.168.20.2 255.255.255.0
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

ip route 172.0.0.0 255.240.0.0 192.168.20.1

ip nat pool net171 192.168.20.5 192.168.20.255 netmask 255.255.255.0
ip nat inside source list 9 pool net171
ip nat outside source static 172.31.1.102 x.x.195.215

ip access-list extended IMS
 remark IMS Link
 remark SDM_ACL Category=4
 permit ip 192.168.20.0 0.0.0.255 host 172.31.1.102 log

access-list 9 permit 172.0.0.0 0.15.255.255

access-list 106 remark ///VPN Tunnel config///
access-list 106 permit udp host x.x.195.209 host 192.168.1.10 eq non500-isakmp
access-list 106 permit udp host x.x.195.209 host 192.168.1.10 eq isakmp
access-list 106 permit esp host x.x.195.209 host 192.168.1.10
access-list 106 permit ahp host x.x.195.209 host 192.168.1.10

 

 

 

TMS MODULE Configuration

ipsec ikev1 AS
  type site-to-site local-gateway vlan 99 remote-gateway x.x.90.244
  identities local type ip-addr x.x.195.209 remote type ip-addr x.x.90.244
  authentication exchange-mode main method preshared-key
  security-proposal dh-group group2-1024 encryption 3des auth md5 sa-lifetime 86400
  no xauth enable

TMS> show vpn-config

ipsec ikev1 ASLHoldings
  type site-to-site local-gateway vlan 99 remote-gateway x.x.90.244
  identities local type ip-addr x.x.195.209 remote type ip-addr x.x.90.244
  authentication exchange-mode main method preshared-key
  security-proposal dh-group group2-1024 encryption 3des auth md5 sa-lifetime 86400
  no xauth enable


Policy Name: RFASL00001
Status:      Enabled
Action:      Apply
Direction:   Both
Position:    1

Traffic Selector
  Protocol:       Any
  Local Address:  172.x.x.102
  Remote Address: 192.168.20.5

IPsec Proposal
  Policy Name: 3DesMd5Trans

Key Management
  Key Exchange Method:                    Auto (with IKEv1)
  IKEv1 Policy:                           AS
  PFS (Perfect Forward Secrecy) for keys: Enabled
  Diffie-Hellman (DH) Group:               Group 2 (1024)
  SA Lifetime in Seconds:                 86400
  SA Lifetime in Kilobytes:               0

IP Address Pool for IRAS: Disabled

Advanced Settings
  IP compression:                     Disabled
  Anti-Replay Window Size:            32
  Extended sequence number:           Disabled
  Re-key on sequence number overflow: Disabled
  Persistent tunnel:                  Disabled
  Fragment before IPsec:              Disabled
  Copy DSCP value from clear packet:  Disabled
  DSCP Value:                         0
  DF Bit Handling:                    Copy DF bit from clear packet.


The remote Cisco box is up and responding to pings:

tms> ping x.x.90.244
4 packets transmitted, 4 received, 0% packet loss


The log on the firewall has the following output:

2013-05-31 14:18:21 info vpn_ipsecipv4 6560 x.x.90.244 0 x.x.195.209 0 UDP  IPSEC: An unencrypted packet received for VPN policy with Apply action. dropping the packet
  date:  2013-05-31
  time:  14:18:21
  msg:  IPSEC: An unencrypted packet received for VPN policy with Apply action. dropping the packet
  adminname:
  severity:  info
  id:  vpn_ipsecipv4
  src:  x.x.90.244
  srcport:  0
  dst:  x.x.195.209
  dstport:  0
  proto:  UDP
  policyid:  75
  subfamid:  ipsecv4accesscontrol
  mtype:  ipsecv6
  mid:  6560

  date:  2013-05-31
  time:  14:18:21
  msg:  TMS: allow access policy matched
  severity:  info
  id:  fw_access_control
  ruleid:  209
  srczone:  EXTERNAL
  src:  x.x.90.244
  srcport:  4500
  dstzone:  SELF
  dst:  x.x.195.209
  dstport:  4500
  proto:  UDP
  rcvd:  0
  rcvdsc:  0
  sent:  0
  sentsc:  0
  srcnatport:  0
  destnatport:  0
  destnatipaddr:  0.0.0.0
  subfamid:  accessallow
  mtype:  accesscontrol
  mid:  603
  srcnatipaddr:  0.0.0.0


Thanks in advance.

Any pointers as to what I may be overlooking are very much appreciated.

P.S. This post has been split off from another thread and created as a new thread in Security > HP Networking - HP Forum Moderator
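As an added example (not part of the original post, and not HP or Cisco tooling), the following Python checker models what each peer is configured to send and expect for IKEv1 Phase 1 and Phase 2 and reports the attribute mismatches that stop main mode and quick mode from completing. The two sample peers are transcribed from the Cisco and TMS configs above; two values the post does not show are assumptions and are marked as such in the code: the Cisco exchange mode (main, the IOS default with pre-shared keys) and the TMS traffic-selector host `172.x.x.102` being the `172.31.1.102` named in the Cisco ACL.

```python
"""Offline IKEv1 site-to-site parameter checker (added example, not from the thread).

Each peer is modelled by what it is configured to send/expect; the checks are the
ones that decide whether main mode (Phase 1) and quick mode (Phase 2) can complete.
Sample values are transcribed from the Cisco and TMS configs in the post; anything
the post does not show is marked ASSUMED.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Vendor spellings of the same attribute, folded to one token so both sides compare.
_ALIASES = {
    "esp-3des": "3des", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "sha": "sha1",
    "group2": "dh2", "group2-1024": "dh2", "2": "dh2",
    "group5": "dh5", "group5-1536": "dh5", "5": "dh5",
    "pre-share": "psk", "preshared-key": "psk",
    "hostname": "fqdn", "ip-addr": "ipv4", "address": "ipv4",
}


def norm(value: Optional[str]) -> Optional[str]:
    """Normalise a vendor attribute name; None (attribute absent) stays None."""
    if value is None:
        return None
    v = value.strip().lower()
    return _ALIASES.get(v, v)


@dataclass
class Phase1:
    name: str
    encryption: str
    hash: str
    dh_group: str
    auth: str
    exchange_mode: str      # "main" or "aggressive"
    local_id_type: str      # ID payload type this peer SENDS
    remote_id_type: str     # ID payload type this peer EXPECTS from the other side
    lifetime: int           # seconds


@dataclass
class Phase2:
    name: str
    local_selector: str         # this peer's side of the proxy ID, CIDR
    remote_selector: str        # the far side of the proxy ID, CIDR
    pfs_group: Optional[str]    # None = PFS off
    mode: Optional[str] = None  # "tunnel"/"transport"; None = not visible in config


def check_phase1(a: Phase1, b: Phase1) -> List[str]:
    """Return findings for the ISAKMP SA; empty list means Phase 1 attributes line up."""
    f: List[str] = []
    for attr in ("encryption", "hash", "dh_group", "auth", "exchange_mode"):
        va, vb = norm(getattr(a, attr)), norm(getattr(b, attr))
        if va != vb:
            f.append(f"ERROR phase1 {attr}: {a.name}={va} vs {b.name}={vb}")
    # The ID type each side sends must be the type the other side is configured to expect.
    for sender, receiver in ((a, b), (b, a)):
        sent, expected = norm(sender.local_id_type), norm(receiver.remote_id_type)
        if sent != expected:
            f.append(f"ERROR phase1 identity: {sender.name} sends {sent} but "
                     f"{receiver.name} expects {expected}")
    # Main mode + PSK: the responder picks the key by the initiator's source IP before the
    # (encrypted) ID payload is readable, so a non-address identity is a classic failure.
    for p in (a, b):
        if norm(p.exchange_mode) == "main" and norm(p.auth) == "psk" and norm(p.local_id_type) != "ipv4":
            f.append(f"WARN phase1 {p.name}: main mode with PSK but sends a "
                     f"{norm(p.local_id_type)} identity; use the IP-address identity")
    if a.lifetime != b.lifetime:
        f.append(f"WARN phase1 lifetime: {a.name}={a.lifetime}s vs {b.name}={b.lifetime}s "
                 "(most IKEv1 stacks accept the shorter value, so usually not fatal)")
    return f


def check_phase2(a: Phase2, b: Phase2) -> List[str]:
    """Return findings for the IPsec SA (quick mode)."""
    f: List[str] = []
    # Proxy IDs must mirror exactly: a.local == b.remote and a.remote == b.local.
    if (ip_network(a.local_selector) != ip_network(b.remote_selector)
            or ip_network(a.remote_selector) != ip_network(b.local_selector)):
        f.append(f"ERROR phase2 selectors do not mirror: {a.name} {a.local_selector}->"
                 f"{a.remote_selector}, {b.name} {b.local_selector}->{b.remote_selector}")
    if norm(a.pfs_group) != norm(b.pfs_group):
        f.append(f"ERROR phase2 PFS: {a.name}={a.pfs_group} vs {b.name}={b.pfs_group}")
    if a.mode and b.mode and norm(a.mode) != norm(b.mode):
        f.append(f"ERROR phase2 mode: {a.name}={a.mode} vs {b.name}={b.mode}")
    return f


# --- Sample peers transcribed from the post ---------------------------------------
CISCO_P1 = Phase1("cisco", "3des", "md5", "group2", "pre-share",
                  exchange_mode="main",        # ASSUMED: IOS default for pre-share
                  local_id_type="hostname",    # crypto isakmp identity hostname
                  remote_id_type="address",    # crypto isakmp key ... address x.x.195.209
                  lifetime=10000)
TMS_P1 = Phase1("tms", "3des", "md5", "group2-1024", "preshared-key", "main",
                local_id_type="ip-addr", remote_id_type="ip-addr", lifetime=86400)
CISCO_P2 = Phase2("cisco", "192.168.20.0/24", "172.31.1.102/32",
                  pfs_group=None,              # no 'set pfs' in the crypto map
                  mode="transport")            # 'mode transport' on the transform-set
TMS_P2 = Phase2("tms", "172.31.1.102/32",      # ASSUMED: '172.x.x.102' is 172.31.1.102
                "192.168.20.5/32", pfs_group="group2")  # PFS Enabled, DH Group 2


def run_checks():
    """Run both phases against the sample peers; returns (phase1_findings, phase2_findings)."""
    return check_phase1(CISCO_P1, TMS_P1), check_phase2(CISCO_P2, TMS_P2)


if __name__ == "__main__":
    p1, p2 = run_checks()
    for finding in p1 + p2:
        print(finding)
```

Run stand-alone it prints the findings for the sample pair: the Phase 1 identity-type mismatch (an FQDN identity sent against an `ip-addr` expectation, which is also the main-mode/PSK warning), the lifetime difference, and for Phase 2 the non-mirrored proxy IDs (/24 versus a single host) and PFS on one side only. On the IOS side the same Phase 1 state can be watched with `show crypto isakmp sa` and `debug crypto isakmp`.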

 

 

1 REPLY
RayMK
Occasional Contributor

Re: SITE TO SITE VPN Cisco - HP TMS MODULE

ok, thanks