- IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7
03-07-2019 03:16 AM
I need some assistance on how to configure a Client-to-Site VPN on an MSR954 router using Comware 7, so I could connect to my network with my PC (using some sort of VPN client).
I've only seen site-to-site examples.
I don't really understand the whole VPN aspect, or, well, how it should be done. Some explanation would be appreciated.
I have seen earlier posts about a similar issue, but they used Comware 5 or something older, so the commands are not the same. https://community.hpe.com/t5/WAN-Routing/IPSec-VPN-PC-to-Site-HP-A-MSR900-H3C-msr900/td-p/5377763#.XIDLVygzaUl
03-12-2019 02:29 PM
Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7
Hello Osrr,
You can use the MSR security configuration guide below for IPsec configuration examples (page 355 onwards).
03-19-2019 06:30 AM
Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7
I have gotten as far as being able to attempt a VPN connection using the Windows 10 built-in VPN.
When I try to connect, I instantly get the error message:
"The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer."
From the router IKE and IPsec logs I get:
%Mar 19 13:23:01:660 2019 MSR Router IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: Unsupported DH group: 20.. Attribute GROUP_DESCRIPTION..
SA information:
Role: responder
Local IP: 10.10.10.2
Local ID type: Unknown
Local ID:
Local port: 500
Retransmissions: 0
Remote IP: 195.66.106.26
Remote ID type: Unknown
Remote ID:
Remote port: 500
Recived retransmissions: 0
Inside VPN instance:
Outside VPN instance:
Initiator Cookie: cd75a8493f78984c
Responder Cookie: da6b2c85f24f1ae9
Connection ID: 126
Tunnel ID: 4294967295
IKE profile name:
%Mar 19 13:23:01:660 2019 MSR Router IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: Unsupported DH group: 19.. Attribute GROUP_DESCRIPTION..
SA information:
Role: responder
Local IP: 10.10.10.2
Local ID type: Unknown
Local ID:
Local port: 500
Retransmissions: 0
Remote IP: 195.66.106.26
Remote ID type: Unknown
Remote ID:
Remote port: 500
Recived retransmissions: 0
Inside VPN instance:
Outside VPN instance:
Initiator Cookie: cd75a8493f78984c
Responder Cookie: da6b2c85f24f1ae9
Connection ID: 126
Tunnel ID: 4294967295
IKE profile name:
%Mar 19 13:23:01:661 2019 MSR Router IKE/6/IKE_P1_SA_ESTABLISH_FAIL: Failed to establish phase 1 in Main mode IKE_P1_STATE_INIT state.
Reason: No acceptable transform.
SA information:
Role: responder
Local IP: 10.10.10.2
Local ID type: Unknown
Local ID:
Local port: 500
Retransmissions: 0
Remote IP: 195.66.106.26
Remote ID type: Unknown
Remote ID:
Remote port: 500
Recived retransmissions: 0
Inside VPN instance:
Outside VPN instance:
Initiator Cookie: cd75a8493f78984c
Responder Cookie: da6b2c85f24f1ae9
Connection ID: 126
Tunnel ID: 4294967295
IKE profile name:
I have tried making the encryption algorithm 3DES and the authentication SHA1, but that did not work. (Not 100% sure I even applied it correctly, under the IKE proposal and under the transform-set.)
I did try to configure IKEv2 and use the Windows IKEv2 VPN, but that just gives "Policy match error".
I tried to configure IPsec and IKE via the Comware CLI and via the web GUI.
03-19-2019 07:50 AM - edited 03-19-2019 03:25 PM
Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7
<msr> debugging ipsec all
<msr> debugging ike all
<msr> debugging tunnel all
<msr> debugging ipsec all
<msr> terminal debugging
<msr> terminal monitor
Try your VPN client. I found that the proposal Windows 10 was requiring was not configured on the MSR router.
03-19-2019 03:41 PM
Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7
Also, here is my MSR2003 Comware 7 config that I almost have working; it gets as far as "Can't find IKE SA."
#
ipsec transform-set vpn-win-client
encapsulation-mode transport
esp encryption-algorithm aes-cbc-128 aes-cbc-256
esp authentication-algorithm sha1 sha256 sha384
#
ipsec profile vpn-win-client isakmp
transform-set vpn-win-client
ike-profile vpn-win-client
#
ipsec policy vpn-win-client 1 isakmp
transform-set vpn-win-client
remote-address 192.168.0.50
ike-profile vpn-win-client
#
ike profile vpn-win-client
keychain vpn-win-client
local-identity address 192.168.0.252
match remote identity address 192.168.0.50 255.255.255.255
match local address 192.168.0.252
proposal 2
client-authentication xauth
#
ike proposal 2
encryption-algorithm 3des-cbc
dh group14
#
ike keychain vpn-win-client
pre-shared-key address 192.168.0.50 255.255.255.255 key cipher $c$3$ohiq9EBbw/v1JiT3A52zHQd7bp7pDs+kzLKLyjA=
Also, here is the debugging output:
Begin a new phase 1 negotiation as responder.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Responder created an SA for peer 192.168.0.50, local port 500, remote port 500.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Set IKE SA state to IKE_P1_STATE_INIT.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Security Association Payload.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:097 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Vendor ID Payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Process vendor ID payload.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/EVENT: Vendor ID NAT-T rfc3947 is matched.
*Mar 19 17:26:25:098 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Process SA payload.
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 1.
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encryption algorithm is AES-CBC.
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Key length is 256 bytes.
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
HASH algorithm is HMAC-SHA1.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
DH group is ECP_384.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Unsupported DH group: 20.. Attribute GROUP_DESCRIPTION.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 2.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encryption algorithm is AES-CBC.
*Mar 19 17:26:25:101 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Key length is 128 bytes.
*Mar 19 17:26:25:101 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
HASH algorithm is HMAC-SHA1.
*Mar 19 17:26:25:101 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
DH group is ECP_256.
*Mar 19 17:26:25:102 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Unsupported DH group: 19.. Attribute GROUP_DESCRIPTION.
*Mar 19 17:26:25:102 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 3.
*Mar 19 17:26:25:102 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encryption algorithm is AES-CBC.
*Mar 19 17:26:25:102 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Key length is 256 bytes.
*Mar 19 17:26:25:103 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
HASH algorithm is HMAC-SHA1.
*Mar 19 17:26:25:103 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
DH group is 14.
*Mar 19 17:26:25:103 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Authentication method is Pre-shared key.
*Mar 19 17:26:25:104 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Lifetime type is 1.
*Mar 19 17:26:25:104 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Life duration is 28800.
*Mar 19 17:26:25:104 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 4.
*Mar 19 17:26:25:104 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encryption algorithm is 3DES-CBC.
*Mar 19 17:26:25:105 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
HASH algorithm is HMAC-SHA1.
*Mar 19 17:26:25:105 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
DH group is 14.
*Mar 19 17:26:25:105 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Authentication method is Pre-shared key.
*Mar 19 17:26:25:106 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Lifetime type is 1.
*Mar 19 17:26:25:106 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Life duration is 28800.
*Mar 19 17:26:25:106 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Found pre-shared key that matches address 192.168.0.50 in keychain core.
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Attributes is acceptable.
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/EVENT: Oakley transform 4 is acceptable.
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Constructed SA payload
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct NAT-T rfc3947 vendor ID payload.
*Mar 19 17:26:25:108 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct XAUTH Cisco Unity 1.0 vendor ID payload.
*Mar 19 17:26:25:108 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct XAUTH draft6 vendor ID payload.
*Mar 19 17:26:25:108 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND2.
*Mar 19 17:26:25:108 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending packet to 192.168.0.50 remote port 500, local port 500.
*Mar 19 17:26:25:109 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 136
*Mar 19 17:26:25:109 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending an IPv4 packet.
*Mar 19 17:26:25:109 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sent data to socket successfully.
*Mar 19 17:26:25:114 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:25:115 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:25:115 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 388
*Mar 19 17:26:25:115 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:25:115 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:25:116 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Key Exchange Payload.
*Mar 19 17:26:25:116 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Nonce Payload.
*Mar 19 17:26:25:116 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP NAT-D Payload.
*Mar 19 17:26:25:117 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP NAT-D Payload.
*Mar 19 17:26:25:117 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Process KE payload.
*Mar 19 17:26:25:117 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Process NONCE payload.
*Mar 19 17:26:25:117 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received 2 NAT-D payload.
*Mar 19 17:26:25:210 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct KE payload.
*Mar 19 17:26:25:211 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct NONCE payload.
*Mar 19 17:26:25:212 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct NAT-D payload.
*Mar 19 17:26:25:213 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct DPD vendor ID payload.
*Mar 19 17:26:25:344 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
IKE SA state changed from IKE_P1_STATE_SEND2 to IKE_P1_STATE_SEND4.
*Mar 19 17:26:25:345 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending packet to 192.168.0.50 remote port 500, local port 500.
*Mar 19 17:26:25:345 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: KE
version: ISAKMP Version 1.0
exchange mode: Main
flags:
message ID: 0
length: 376
*Mar 19 17:26:25:345 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending an IPv4 packet.
*Mar 19 17:26:25:346 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sent data to socket successfully.
*Mar 19 17:26:25:351 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:25:351 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:25:351 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:25:351 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:25:352 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:25:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Decrypt the packet.
*Mar 19 17:26:25:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received ISAKMP Identification Payload.
*Mar 19 17:26:25:353 2019 nkpa-r1 IKE/7/ERROR: 2th byte of the structure ISAKMP Identification Payload must be 0.
*Mar 19 17:26:25:353 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Failed to parse phase 1 packet. Reason INVALID_PAYLOAD_TYPE.
*Mar 19 17:26:25:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Encrypt the packet.
*Mar 19 17:26:25:354 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Construct notification packet: INVALID_PAYLOAD_TYPE.
*Mar 19 17:26:25:354 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending packet to 192.168.0.50 remote port 500, local port 500.
*Mar 19 17:26:25:354 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 65bbaac7
length: 84
*Mar 19 17:26:25:355 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sending an IPv4 packet.
*Mar 19 17:26:25:355 2019 nkpa-r1 IKE/7/EVENT: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Sent data to socket successfully.
*Mar 19 17:26:25:355 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Failed to negotiate IKE SA.
*Mar 19 17:26:25:355 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Failed to negotiate IKE SA.
*Mar 19 17:26:26:351 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:26:351 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:26:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:26:352 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:26:352 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:26:352 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:26:27:352 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:27:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:27:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:27:352 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:27:353 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:27:353 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:26:30:352 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:30:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:30:352 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:30:353 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:30:353 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:30:353 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:26:37:352 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:37:353 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:26:52:353 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:26:52:354 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
*Mar 19 17:27:07:353 2019 nkpa-r1 IKE/7/EVENT: Received packet successfully.
*Mar 19 17:27:07:353 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Received packet from 192.168.0.50 source port 500 destination port 500.
*Mar 19 17:27:07:354 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
I-Cookie: 06ab5a44a4db5ce7
R-Cookie: 3e534ad014fd43aa
next payload: ID
version: ISAKMP Version 1.0
exchange mode: Main
flags: ENCRYPT
message ID: 0
length: 68
*Mar 19 17:27:07:354 2019 nkpa-r1 IKE/7/EVENT: IKE thread 1995711776 processes a job.
*Mar 19 17:27:07:354 2019 nkpa-r1 IKE/7/EVENT: Phase1 process started.
*Mar 19 17:27:07:354 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Can't find IKE SA.
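Added example, not from the thread or HPE: a Python triage script for a `debugging ike all` capture like the one above. It pulls out each ISAKMP transform the peer proposed, which ones the responder rejected and why, the transform it accepted, and where Phase 1 then failed. The sample input is an abridged copy of the debug output in this post (constructed for the example); the reading of transform 3 (checked without an error, never selected) is an inference from the posted `ike proposal 2`, which allows only 3des-cbc. The line formats are taken from this capture only; other Comware releases may word them differently.

```python
"""Triage a Comware 7 `debugging ike all` capture (responder side, IKEv1 Main mode).
Added example; line patterns are those seen in the thread's capture (assumption:
other releases may differ)."""
import re

# Constructed sample: abridged copy of the debug output posted above. Most
# "*Mar 19 ... IKE/7/PACKET: vrf = 0, src=..., dst = ..." prefix lines are dropped.
SAMPLE_DEBUG = """\
*Mar 19 17:26:25:099 2019 nkpa-r1 IKE/7/PACKET: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Check ISAKMP transform 1.
Encryption algorithm is AES-CBC.
Key length is 256 bytes.
HASH algorithm is HMAC-SHA1.
DH group is ECP_384.
*Mar 19 17:26:25:100 2019 nkpa-r1 IKE/7/ERROR: vrf = 0, src=192.168.0.252, dst = 192.168.0.50/500
Unsupported DH group: 20.. Attribute GROUP_DESCRIPTION.
Check ISAKMP transform 2.
Encryption algorithm is AES-CBC.
Key length is 128 bytes.
HASH algorithm is HMAC-SHA1.
DH group is ECP_256.
Unsupported DH group: 19.. Attribute GROUP_DESCRIPTION.
Check ISAKMP transform 3.
Encryption algorithm is AES-CBC.
Key length is 256 bytes.
HASH algorithm is HMAC-SHA1.
DH group is 14.
Authentication method is Pre-shared key.
Check ISAKMP transform 4.
Encryption algorithm is 3DES-CBC.
HASH algorithm is HMAC-SHA1.
DH group is 14.
Authentication method is Pre-shared key.
*Mar 19 17:26:25:107 2019 nkpa-r1 IKE/7/EVENT: Oakley transform 4 is acceptable.
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND2.
IKE SA state changed from IKE_P1_STATE_SEND2 to IKE_P1_STATE_SEND4.
*Mar 19 17:26:25:353 2019 nkpa-r1 IKE/7/ERROR: 2th byte of the structure ISAKMP Identification Payload must be 0.
Failed to parse phase 1 packet. Reason INVALID_PAYLOAD_TYPE.
Failed to negotiate IKE SA.
Can't find IKE SA.
Can't find IKE SA.
"""

PREFIX = re.compile(r"^\*\w{3} +\d+ [\d:]+ \d{4} \S+ IKE/\d/\w+: ")
ATTR = re.compile(r"(Encryption algorithm|Key length|HASH algorithm|DH group|"
                  r"Authentication method) is (.+?)\.$")


def parse_ike_debug(text):
    """Summarise one responder-side Phase 1 negotiation from the debug text."""
    r = {"transforms": [], "states": [], "parse_error": None,
         "payload_error": None, "orphan_packets": 0}
    cur = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())       # drop the timestamp/module prefix
        if m := re.match(r"Check ISAKMP transform (\d+)\.", line):
            cur = {"id": int(m[1]), "attrs": {}, "status": "not selected", "reason": None}
            r["transforms"].append(cur)
        elif (m := ATTR.match(line)) and cur:
            cur["attrs"][m[1]] = m[2]            # "Key length is 256 bytes": the value is bits
        elif (m := re.match(r"Unsupported (.+?)\.\. Attribute (\w+)\.", line)) and cur:
            cur["status"], cur["reason"] = "rejected", "%s (%s)" % (m[1], m[2])
        elif m := re.match(r"Oakley transform (\d+) is acceptable\.", line):
            for t in r["transforms"]:
                if t["id"] == int(m[1]):
                    t["status"] = "accepted"
        elif m := re.match(r"IKE SA state changed from \S+ to (\S+)\.", line):
            r["states"].append(m[1])
        elif m := re.match(r"(\d+)th byte of the structure (.+?) must be 0\.", line):
            r["payload_error"] = "%s: byte %s non-zero" % (m[2], m[1])
        elif m := re.match(r"Failed to parse phase 1 packet\. Reason (\w+)\.", line):
            r["parse_error"] = m[1]
        elif line == "Can't find IKE SA.":
            r["orphan_packets"] += 1             # retransmits after the SA was torn down
    return r


def selected_transform(r):
    """The transform the responder accepted, or None."""
    return next((t for t in r["transforms"] if t["status"] == "accepted"), None)


def describe(r):
    """One readable line per transform, plus the failure, for a ticket or chat."""
    out = []
    for t in r["transforms"]:
        a = t["attrs"]
        enc = a.get("Encryption algorithm", "?")
        if "Key length" in a:
            enc += "-" + a["Key length"].split()[0]
        out.append("transform %d: %s / %s / DH %s -> %s%s" % (
            t["id"], enc, a.get("HASH algorithm", "?"), a.get("DH group", "?"),
            t["status"], " (%s)" % t["reason"] if t["reason"] else ""))
    if r["parse_error"]:
        out.append("phase 1 aborted in %s: %s, %s" % (
            r["states"][-1] if r["states"] else "?", r["parse_error"], r["payload_error"]))
    if r["orphan_packets"]:
        out.append("%d later packets dropped: Can't find IKE SA" % r["orphan_packets"])
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_ike_debug(SAMPLE_DEBUG))))
```

Read against this capture, the output says: the Windows client got past proposal selection only because its fourth transform (3DES / SHA1 / group 14 / PSK) matched `ike proposal 2`; the exchange then died at the fifth Main mode message when the router refused an Identification payload with a non-zero byte where it requires zero (the protocol/port fields after the ID type), and every retransmission after that was dropped with "Can't find IKE SA" because the responder had already deleted the half-open SA.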
03-20-2019 03:51 AM
Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7
I currently have it working with the Shrew VPN client. Not the safest, but it works.
03-20-2019 07:40 AM - edited 03-20-2019 07:43 AM
Solution
If anyone is ever stuck on this problem like I was: I decided to post my IPsec and IKE configuration for this. It is possible to configure this via the web GUI also.
On the MSR954 router using Comware 7:
ipsec transform-set IPSecTEST
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
pfs dh-group2
esn enable
#
ipsec policy-template IPSecTEST 65535
transform-set IPSecTEST
ike-profile IPSecTEST
ikev2-profile IPSecTEST
sa duration time-based 3600
sa duration traffic-based 1843200
#
ipsec policy IPSecTEST 65535 isakmp template IPSecTEST
#
ike identity fqdn your.ddns.domain  // i.e. I made a no-ip.com account and gave myself a DDNS domain
#
ike profile 65535
#
ike profile IPSecTEST
keychain IPSecTEST
match remote identity address 0.0.0.0 0.0.0.0
proposal 65535
#
ike proposal 65535
encryption-algorithm 3des-cbc
#
ike keychain IPSecTEST
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$Wn6LlSQ0yrT+6qGc+qPQ66HrhQ54WhrP76GfXquKN9Q==
Configuration on the Shrew VPN client:
GENERAL:
Host Name or IP Address: your.ddns.domain Port: 500
Auto Configuration: disabled
Adapter mode: any of them worked for me; any address should be fine. MTU stays 1380.
CLIENT:
Should stay default, although "Enable Client Login Banner" is grayed out for me.
NAME RESOLUTION:
Disable all (DNS/WINS) (remove the tick in front of Enable).
AUTHENTICATION:
Authentication method: Mutual PSK
Local Identity: Identification type: IP Address; Address String: (stays empty); Use a discovered local host address: yes
Remote Identity: Identification type: Fully Qualified Domain Name; FQDN String: your.ddns.domain
Credentials: Pre Shared Key: (whatever you set as the pre-shared key in the IKE keychain)
PHASE 1:
Exchange Type: Aggressive
DH Exchange: group 1
Cipher Algorithm: 3des
Hash Algorithm: sha1
Key Life Time limit: 86400 secs
Key Life Data limit: 0 Kbytes
PHASE 2:
Transform Algorithm: esp-3des
HMAC Algorithm: sha1
PFS Exchange: group 2
Compress Algorithm: disabled
Key Life Time limit: 3600
Key Life Data limit: 0
POLICY:
Policy Generation Level: require
Maintain Persistent Security Associations: NO
Obtain Topology Automatically or Tunnel All: YES
To see connection logging, use these commands on the router:
ike logging negotiation enable
ipsec logging negotiation enable
Let me know if there are any problems with this method.
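Added example, not from the thread or HPE: a small Python model of the IKEv1 Phase 1 proposal match between a VPN client and a Comware 7 responder. It reproduces the three outcomes seen in this thread (the Windows 10 offer against a 3des-only proposal with the default DH group, the same offer against the MSR2003's `ike proposal 2`, and the Shrew settings above against `ike proposal 65535`) and then lists what a security reviewer would flag in the working combination: 3DES, HMAC-SHA1, DH group 1, aggressive mode with a pre-shared key, and a keychain keyed on 0.0.0.0/0. The Comware defaults (DES-CBC, SHA1, pre-shared key, DH group 1, 86400 s) are taken from the MSR Security Configuration Guide and are an assumption for your release; the supported-group set, the Windows transform list and the hardened alternative (aes-cbc-256 / sha256 / group14 on both ends) are assumptions derived from this thread, not tested configurations.

```python
"""Model of Comware 7 IKEv1 Phase 1 proposal selection plus a weak-parameter
check. Added example; defaults and supported groups are assumptions (see comments)."""

# `ike proposal` attributes that stay at their default when the config does not
# set them (MSR Security Configuration Guide; assumption: your release matches).
COMWARE_IKE_DEFAULTS = {"enc": "des-cbc", "hash": "sha1", "dh": 1,
                        "auth": "pre-share", "lifetime": 86400}

# DH groups as seen in this thread: 1 and 2 are used by the working config,
# 14 matched on the MSR2003, 19 and 20 were logged as "Unsupported".
# Assumption: only these three count as supported in this model.
RESPONDER_DH_GROUPS = {1, 2, 14}

WEAK_ENC = {"des-cbc": "DES (56-bit key)", "3des-cbc": "3DES (64-bit block, deprecated)"}
WEAK_DH = {1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP"}


def ike_proposal(**overrides):
    """Build a proposal the way the CLI does: unset attributes keep the defaults."""
    return {**COMWARE_IKE_DEFAULTS, **overrides}


def transform(enc, hash_, dh, auth="pre-share"):
    """One Phase 1 transform as offered by a client."""
    return {"enc": enc, "hash": hash_, "dh": dh, "auth": auth}


def negotiate(client_transforms, responder_proposals):
    """Walk the client's transforms in order, as the responder does, and return
    (transform number, transform, reason). Lifetime is deliberately not part of
    the match: the debug output above shows 28800 accepted against the 86400 default."""
    for n, t in enumerate(client_transforms, 1):
        if t["dh"] not in RESPONDER_DH_GROUPS:
            continue                      # router logs "Unsupported DH group"
        for p in responder_proposals:
            if all(t[k] == p[k] for k in ("enc", "hash", "dh", "auth")):
                return n, t, "matched"
    return None, None, "No acceptable transform"


def weak_points(t, exchange="main", psk_wildcard=False):
    """Reviewer warnings for a selected Phase 1 transform and its context."""
    notes = []
    if t["enc"] in WEAK_ENC:
        notes.append("encryption: " + WEAK_ENC[t["enc"]])
    if t["hash"] == "sha1":
        notes.append("hash: HMAC-SHA1; prefer sha256 where the client supports it")
    if t["dh"] in WEAK_DH:
        notes.append("dh: group %d is %s; use group14 or stronger" % (t["dh"], WEAK_DH[t["dh"]]))
    if exchange == "aggressive" and t["auth"] == "pre-share":
        notes.append("aggressive mode with PSK: the responder's hash is sent "
                     "unencrypted, so the PSK can be attacked offline")
    if psk_wildcard:
        notes.append("keychain 0.0.0.0 0.0.0.0: one secret shared with any source address")
    return notes


# The Windows 10 built-in client's Phase 1 offer, copied from the debug output above.
WINDOWS10_OFFER = [transform("aes-cbc-256", "sha1", 20),
                   transform("aes-cbc-128", "sha1", 19),
                   transform("aes-cbc-256", "sha1", 14),
                   transform("3des-cbc", "sha1", 14)]
# The Shrew client as set up in the solution post: 3des / sha1 / DH group 1.
SHREW_OFFER = [transform("3des-cbc", "sha1", 1)]

SOLUTION_PROPOSAL = [ike_proposal(enc="3des-cbc")]        # `ike proposal 65535`
MSR2003_PROPOSAL = [ike_proposal(enc="3des-cbc", dh=14)]  # `ike proposal 2`
# Hardened alternative (assumption: router release and client both support it):
# `ike proposal 1` with aes-cbc-256 / sha256 / dh group14, client set to match.
HARDENED_PROPOSAL = [ike_proposal(enc="aes-cbc-256", hash="sha256", dh=14)]
HARDENED_OFFER = [transform("aes-cbc-256", "sha256", 14)]


def review_solution():
    """Flags for the working Shrew + `ike proposal 65535` combination above."""
    _, t, _ = negotiate(SHREW_OFFER, SOLUTION_PROPOSAL)
    return weak_points(t, exchange="aggressive", psk_wildcard=True)


if __name__ == "__main__":
    print(negotiate(WINDOWS10_OFFER, SOLUTION_PROPOSAL))  # no match: group 1 never offered
    print(negotiate(WINDOWS10_OFFER, MSR2003_PROPOSAL))   # transform 4 matches
    print(negotiate(SHREW_OFFER, SOLUTION_PROPOSAL))      # transform 1 matches
    for note in review_solution():
        print("-", note)
    print(weak_points(negotiate(HARDENED_OFFER, HARDENED_PROPOSAL)[1]))  # []
```

The first call reproduces the "No acceptable transform" from the Windows attempt earlier in the thread: Windows never offers DH group 1, so a proposal that sets only `encryption-algorithm 3des-cbc` and leaves `dh` at its default can never match it, which is exactly what `dh group14` on the MSR2003 fixed. The Shrew settings work because they were chosen to mirror the router's defaults rather than the other way round; the hardened pair shows the same match with nothing left to flag.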
10-14-2020 12:39 PM
Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7
Hi,
I know this thread is a bit old, but I am struggling with a client-to-MSR VPN.
I would like the client to obtain an address from the MSR and use the MSR as the default gateway for all traffic,
OR have local breakout and only reach certain servers on a LAN behind the MSR.
As it is now, the client obtains an address but no DNS. It is not able to reach any URLs via FQDN, only by IP.
10-15-2020 10:45 PM
Re: IPSec VPN Client-to-Site MSR900 (MSR954) Comware 7
I think you should create a new topic instead to get answers.