IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.
04-04-2017 10:48 AM
Anyone have a working VPN between MSR on Comware 7 and a Cisco ASA? I've fought with this for over a week now and can't find any answers to this.
04-04-2017 11:12 AM - edited 04-04-2017 11:13 AM
Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.
SHA1, AES.
What firmware on the HP MSR 2003?
To display supported encryption on msr,
display crypto-engine
04-04-2017 11:28 AM - edited 04-04-2017 11:29 AM
Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.
I have the tunnel working but only in one direction. As in, I can be on a server on the ASA LAN network and I can access hosts behind the MSR on the MSR LAN, but it doesn't work if I try to access a host on the ASA LAN through the VPN from the MSR LAN.
At first I was using 3DES-MD5, but just to try something different I am now set up with AES-128-SHA1, and same results after I reconfigured on both sides. My guess as to what is going on is the MSR doesn't recognize the traffic to the other network even though "display ipsec tunnel" and "display ipsec sa" show the local and remote networks properly. In the world of Cisco and ASA you have to set up some type of "no nat" rule so the VPN traffic is not NATed before it goes out the VPN tunnel. I found a command called "ipsec no-nat-process enable" but that is for Comware v5. I have Googled like crazy trying to find the equivalent for MSR/Comware 7 devices and I cannot find anything that will make this tunnel work in both directions.
To be clear, when I say both directions, technically it does work in both directions, just only if the traffic is initiated from the Cisco ASA side. I can send and receive packets and normal traffic flows through the VPN. Anything initiated from the MSR does not work. I have debug crypto all, debug ipsec all and debug ike all set and terminal mon and terminal debug on. When you send traffic from the ASA I can see a pile of log entries showing the tunnel being created etc. If I do a simple ping from the MSR to an IP on the ASA LAN nothing shows up in the debug log display.
here is the display crypto-engine you asked for.
display crypto-engine
Crypto engine name: freescale sec dirver
Crypto engine state: Enabled
Crypto engine type: Hardware
Slot ID: 0
CPU ID: 0
Crypto engine ID: 0
Symmetric algorithms: des-cbc des-ecb 3des-cbc 3des-ecb aes-cbc aes-ecb aes-ctr md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc-hmac
Asymmetric algorithms: dh-group1 dh-group2 dh-group5 dh-group14
Random number generation function: Supported
Crypto engine name: Software crypto engine
Crypto engine state: Enabled
Crypto engine type: Software
Slot ID: 0
CPU ID: 0
Crypto engine ID: 1
Symmetric algorithms: des-cbc 3des-cbc aes-cbc aes-ecb aes-ctr camellia_cbc md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc aes-xcbc-hmac
Asymmetric algorithms:
Random number generation function: Supported
04-04-2017 11:29 AM
Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.
Also found this via Google. It is Comware 5, but it should be a nice guide?
04-04-2017 11:38 AM
Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.
04-04-2017 12:00 PM
Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.
Some of the Comware 5 commands don't work in 7. For example, ike peer doesn't work anymore. There are other commands that have it working.
I will look into the ip route-static command again. I tried it once but it didn't work. I'm not sure how to set it up other than to force local LAN traffic to the remote peer?
04-11-2017 09:15 AM
Solution
Assuming you are doing outbound NAT, there will be an access-list assigned for that NAT traffic. You need to put in deny rules for your interesting traffic; then NAT won't process them. I believe this is the Comware 7 method of the old Comware 5 "ipsec no-nat-process enable".
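To make the accepted answer concrete, here is an added example configuration written for this page; it is not a config posted by anyone in the thread. All addresses, ACL numbers and object names (192.168.10.0/24 behind the MSR, 192.168.20.0/24 behind the ASA, 203.0.113.1 and 198.51.100.1 as the peer WAN addresses, ACLs 3000 and 3100, the name "ASA" for the IKE/IPsec objects) are assumptions for illustration. The `acl advanced` keyword is the newer Comware 7 form; older Comware 7 releases spell it `acl number`. Lines beginning with `#` are annotations here, not CLI input. The point the thread arrives at is in ACL 3000: on the egress interface, outbound NAT is applied before the IPsec policy is matched, so a LAN-to-remote-LAN packet that gets translated to 203.0.113.1 no longer matches ACL 3100 and never triggers IKE, which is exactly the "works only when the ASA initiates" symptom. A deny rule for the interesting traffic, with a lower rule ID than the permit (Comware ACLs use config order by default), keeps NAT off those packets.

```text
# --- Comware 7 (MSR side) ---
# 1. NAT ACL: deny the VPN interesting traffic BEFORE the permit that drives
#    outbound NAT. Without rule 5, 192.168.10.x -> 192.168.20.x is translated,
#    stops matching ACL 3100 and the tunnel is never brought up from this side.
acl advanced 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255
#
# 2. IPsec ACL: exactly the traffic to protect; must mirror the ASA crypto ACL.
acl advanced 3100
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
# 3. IKEv1 phase 1: AES-128 / SHA1 / DH group 2 / pre-shared key
#    (matches the AES-128-SHA1 combination tried in the thread)
ike proposal 1
 authentication-method pre-share
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha
 dh group2
#
ike keychain ASA
 pre-shared-key address 198.51.100.1 255.255.255.255 key simple ChangeMeToALongRandomSecret
#
ike profile ASA
 keychain ASA
 local-identity address 203.0.113.1
 match remote identity address 198.51.100.1 255.255.255.255
 proposal 1
#
# 4. Phase 2 transform set and IPsec policy
ipsec transform-set ASA
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec policy ASA 1 isakmp
 transform-set ASA
 security acl 3100
 local-address 203.0.113.1
 remote-address 198.51.100.1
 ike-profile ASA
#
# 5. Bind NAT and IPsec to the WAN interface. The remote LAN must be routed
#    out of this interface; here the default route does that.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 nat outbound 3000
 ipsec apply policy ASA
#
ip route-static 0.0.0.0 0 203.0.113.254
#
# 6. Verification from the MSR. Source the ping from the LAN address, otherwise
#    the packet is sourced from the WAN IP and does not match ACL 3100 either:
#    ping -a 192.168.10.1 192.168.20.10
#    display ipsec sa        inbound and outbound SPIs present, counters increasing
#    display nat session     no session for 192.168.10.x -> 192.168.20.x
#    display acl 3000        confirm the deny rule sits above the permit
```

On the ASA side the same exemption is needed. On ASA 8.3 and later that is an identity twice-NAT rule such as `nat (inside,outside) source static ASA_LAN ASA_LAN destination static MSR_LAN MSR_LAN no-proxy-arp route-lookup`, with `ASA_LAN` and `MSR_LAN` as network objects (names assumed here), placed above any dynamic PAT rule, and a crypto map ACL that is the mirror image of ACL 3100. If the MSR-initiated ping still produces nothing in the IKE debug after this change, check `display nat session` first: a session for the LAN-to-LAN flow means the deny rule is not being hit.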