IPSec Tunnel Configuration on HPE 5945 SW

Marlos

I made the following configurations between the 2 HPE 5945 switches.

However, I was unable to align phase 1 or phase 2.

Can anyone help and evaluate whether the configuration is correct?

[HPE1_SPO_SW1]display ikev2 proposal
IKEv2 proposal : BICS
  Encryption: AES-CBC-128 
  Integrity: SHA1 
  PRF: 
  DH Group: MODP1024/Group2 MODP2048/Group14

 

[HPE1_SPO_SW1]display ikev2 policy 
IKEv2 policy: BICS
  Priority: 10
  Match local: Vlan-interface30
  Match VRF: VRF9
  Proposal: BICS

 

[HPE1_SPO_SW1]display ikev2 profile 
IKEv2 profile: BICS
  Priority: 100
  Match criteria:
    Remote identity ipv4 address 186.231.25.135/32
    VRF  VRF9
  Inside-vrf: 
  Local identity: address 189.76.174.12
  Local authentication method: pre-share
  Remote authentication methods: pre-share
  Keychain: BICS
  SA duration: 86400
  DPD: 
  Config-exchange:
  NAT keepalive: 
  AAA authorization:

[HPE1_SPO_SW1]display ipsec transform-set 
IPsec transform set: BICS
  State: complete
  Encapsulation mode: tunnel
  ESN: Disabled
  PFS: dh-group14
  Transform: ESP
  ESP protocol:
    Integrity: SHA1
    Encryption: AES-CBC-128

 

[HPE1_SPO_SW1]display ipsec policy
-------------------------------------------
IPsec Policy: BICS
Interface: Tunnel1,
           Vlan-interface30
-------------------------------------------

 

  -----------------------------
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
  Traffic Flow Confidentiality: Disabled
  Security data flow: 3003
  Selector mode: standard
  Local address: 189.76.174.12
  Remote address: 186.231.25.135
  Transform set:  BICS
  IKE profile: 
  IKEv2 profile: BICS
  SA duration(time based):…

[HPE1_SPO_SW1-Vlan-interface30]display this 
#
interface Vlan-interface30
description Tunnel_BICS
ip binding vpn-instance VRF9
ip address 189.76.174.12 255.255.255.254
ipsec apply policy BICS
#
return

 

[HPE1_SPO_SW1-Tunnel1]display this 
#
interface Tunnel1 mode ipv4-ipv4
service slot 1 
ip address 10.246.238.204 255.255.255.254
source Vlan-interface30
destination 186.231.25.135
ipsec apply policy BICS
#
return

Log

*Aug 20 02:52:10:618 2001 HPE1_SPO_SW1 IKEV2/7/PACKET: vrf = 3, src=189.76.174.12, dst = 186.231.25.135/500
Sending an IPv4 packet.
*Aug 20 02:52:10:618 2001 HPE1_SPO_SW1 IKE/7/EVENT: vrf = 3, src=189.76.174.12, dst = 186.231.25.135/500
Sent data to socket successfully.
*Aug 20 02:52:10:622 2001 HPE1_SPO_SW1 IKE/7/EVENT: Received packet successfully.
*Aug 20 02:52:10:622 2001 HPE1_SPO_SW1 IKEV2/7/PACKET: vrf = 3, src=189.76.174.12, dst = 186.231.25.135/500
Received packet from 186.231.25.135 source port 500 destination port 500.
*Aug 20 02:52:10:622 2001 HPE1_SPO_SW1 IKEV2/7/PACKET: vrf = 3, src=189.76.174.12, dst = 186.231.25.135/500
  I-SPI: 23bc896580a2a89f
  R-SPI: db0faad5b188a429
  Message ID: 2
  Exchange type: INFORMATIONAL
  Flags: RESPONSE
  Next payload: ENCRYPTED, Length: 76.

 

The configuration is between 2 HPE 5945 SWs; both SWs have the same configuration, with Local and Remote changes.

Sunitha_Mod

Re: IPSec Tunnel Configuration on HPE 5945 SW

Hello @Marlos,

Thank you for posting! 

The HPE Networking forum has moved to the Aruba Airheads Community, and for HPE networking and Aruba product queries, we request that you visit and post your query here: Aruba Airheads Community

You can refer to the below link as well for more details:

HPE Networking forum migration to Aruba Airheads c... - Hewlett Packard Enterprise Community