Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.

 
SOLVED
padair
Occasional Contributor

IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.

Anyone have a working VPN between MSR on Comware 7 and a Cisco ASA?  I've fought with this for over a week now and can't find any answers to this.

Paul Kurtz
HPE Pro

Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.

Can you provide any specifics around encryption and encapsulation used?

SHA1, AES,

What firmware on the HP MSR 2003?

To display supported encryption on msr,

display crypto-engine
I am a HPE Employee
padair
Occasional Contributor

Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.

I have the tunnel working but only in 1 direction.  As in I can be on a server on the ASA lan network and I can access hosts behind the MSR on the MSR lan but it doesn't work if I try to access a host on the ASA lan thru the VPN on the MSR lan.

At first I was using 3DES-MD5 but just to try something different I am now set up with AES-128-SHA1 and same results after I reconfigured on both sides.  My guess as to what is going on is the MSR doesn't recognize the traffic to the other network even though "display ipsec tunnel" and "display ipsec sa" show the local and remote networks properly.  In the world of Cisco and ASA you have to set up some type of "no nat" rule so the VPN traffic is not NAT'ed before it goes out the VPN tunnel.  I found a command called "ipsec no-nat-process enable" but that is for Comware v5.  I have googled like crazy trying to find the equivalent for MSR/Comware 7 devices and I cannot find anything that will make this tunnel work in both directions.

To be clear, when I say both directions, technically it does work in both directions, just only if the traffic is initiated from the Cisco ASA side.  I can send and receive packets and normal traffic flows thru the vpn.  Anything initiated from the MSR does not work.  I have debug crypto all, debug ipsec all and debug ike all set and terminal mon and terminal debug on.  When you send traffic from the ASA I can see a pile of log entries showing the tunnel being created etc.  If I do a simple ping from the MSR to an IP on the ASA lan nothing shows up in debug log display. 

Here is the display crypto-engine you asked for.

display crypto-engine
  Crypto engine name: freescale sec dirver
  Crypto engine state: Enabled
  Crypto engine type: Hardware
  Slot ID: 0
  CPU ID: 0
  Crypto engine ID: 0
  Symmetric algorithms: des-cbc des-ecb 3des-cbc 3des-ecb aes-cbc aes-ecb aes-ctr md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc-hmac
  Asymmetric algorithms: dh-group1 dh-group2 dh-group5 dh-group14
  Random number generation function: Supported

  Crypto engine name: Software crypto engine
  Crypto engine state: Enabled
  Crypto engine type: Software
  Slot ID: 0
  CPU ID: 0
  Crypto engine ID: 1
  Symmetric algorithms:  des-cbc 3des-cbc aes-cbc aes-ecb aes-ctr camellia_cbc md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc aes-xcbc-hmac
  Asymmetric algorithms:
  Random number generation function: Supported

Paul Kurtz
HPE Pro

Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.

http://www.networktasks.co.uk/environments/hp/comware-v5/hp-msr935-and-cisco-asa-ipsec-vpn

Also found this via Google, comware 5, but should be a nice guide?
I am a HPE Employee
Paul Kurtz
HPE Pro

Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.

Maybe the static route is needed on the MSR like in the post.
I am a HPE Employee
padair
Occasional Contributor

Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.

Some of the Comware 5 commands don't work in 7.  For example "ike peer" doesn't work anymore.  There are other commands that have it working.

I will look into the ip route-static command again.  I tried it once but it didn't work.  I'm not sure how to set it up other than to force local LAN traffic to the remote peer?

padair
Occasional Contributor
Solution

Re: IPSEC VPN From MSR 2003 (Comware 7) to Cisco ASA.

Assuming you are doing outbound NAT there will be an access-list assigned for that NAT traffic.  You need to put in deny rules for your interesting traffic, then NAT won't process them.  I believe this is the Comware 7 method of the old Comware 5 "ipsec no-nat-process enable".
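The pattern the solution describes, written out as a constructed Comware 7 configuration fragment. This is an added example, not the poster's configuration or HPE documentation: the interface name, ACL numbers and the two /24 prefixes (192.168.10.0/24 behind the MSR, 192.168.20.0/24 behind the ASA) are placeholders chosen for illustration. Comware ACLs are evaluated in rule-ID order by default, so the deny rule for the VPN traffic must carry a lower rule ID than the permit rule that covers general Internet traffic. A deny rule in a NAT ACL does not drop packets; it only tells the NAT process to leave them untranslated, so they still reach the IPsec policy with their original source address.

```text
# Constructed example: exclude VPN-interesting traffic from outbound NAT (Comware 7)
# MSR LAN: 192.168.10.0/24   ASA LAN: 192.168.20.0/24   (placeholder prefixes)
#
# NAT ACL: deny the VPN traffic first, then permit everything else from the LAN
acl advanced 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255
#
# IPsec interesting-traffic ACL (unchanged; must mirror the ASA's crypto ACL)
acl advanced 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
# WAN interface: outbound NAT references the ACL with the deny rule
interface GigabitEthernet0/0
 nat outbound 3000
```

To confirm the exclusion is working, generate traffic from a LAN host toward the remote subnet and check `display acl 3000`; the deny rule should accumulate matches while `display ipsec sa` shows the packet counters on the tunnel increasing. One caveat that fits the symptom in this thread: a ping issued from the MSR's own CLI is sourced from the egress (WAN) interface address, which matches neither ACL, so it will never trigger the tunnel. Use `ping -a <LAN-interface-address> <remote-host>` to source the probe from the LAN side, or test from a host behind the MSR.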