Comware


IPsec site-to-site VPN MSR 900

  • 1.  IPsec site-to-site VPN MSR 900

    Posted Jan 04, 2012 05:01 AM

    I recently updated the router firmware to the latest version (V5.20R2207P38).

    The previous version had a command at the interface level which allowed "ipsec no-nat-process enable". The current firmware doesn't have this command and I cannot get a working configuration.

    If I enable nat outbound at the interface level, no packets go into the IPsec channel; if I disable it, the IPsec channel works well but the clients cannot access the internet.

    The original configuration was:

    #
    version 5.20, Release 2104P02
    #
    sysname xxxxxx
    #
    super password level 3 cipher zzzzzzzzzzzzzzzzzzzzzzz
    #
    domain default enable system
    #
    dns proxy enable
    #
    dar p2p signature-file flash:/p2p_default.mtd
    #
    port-security enable
    #
    acl number 3140
    rule 0 permit ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
    rule 1 permit ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
    #
    vlan 1
    #
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    #
    ike peer mlsz_center
    pre-shared-key cipher cccccccccccccccccccccccccccccccccc
    remote-address X.X.X.X
    #
    ipsec proposal mlsz_globall
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des
    #
    ipsec policy mlszs2s 1 isakmp
    connection-name mlsz_center
    security acl 3140
    ike-peer mlsz_center
    proposal mlsz_globall
    #
    dhcp server ip-pool vlan1 extended
    network ip range 192.168.236.100 192.168.236.200
    network mask 255.255.255.0
    gateway-list 192.168.236.1
    dns-list 192.168.221.5 8.8.8.8
    #
    user-group system
    #
    local-user admin
    password cipher aaaaaaaaaaaaaaaaaaaaaaaa
    authorization-attribute level 3
    service-type telnet
    #
    cwmp
    undo cwmp enable
    #
    interface Cellular0/0
    async mode protocol
    link-protocol ppp
    #
    interface Ethernet0/0
    port link-mode route
    nat outbound
    ip address Y.Y.Y.Y 255.255.255.252
    ipsec no-nat-process enable
    ipsec policy mlszs2s
    dns server Y.Y.Y.X
    #
    interface Ethernet0/1
    port link-mode route
    #
    interface NULL0
    #
    interface Vlan-interface1
    ip address 192.168.236.1 255.255.255.0
    dhcp server apply ip-pool vlan1
    #
    interface Ethernet0/2
    port link-mode bridge
    #
    interface Ethernet0/3
    port link-mode bridge
    #
    interface Ethernet0/4
    port link-mode bridge
    #
    interface Ethernet0/5
    port link-mode bridge
    #
    ip route-static 0.0.0.0 0.0.0.0 Ethernet0/0 Y.Y.Y.C
    #
    dhcp enable
    #
    ssh server enable
    #
    nms primary monitor-interface Ethernet0/0
    #
    load xml-configuration
    #
    load tr069-configuration
    #
    user-interface con 0
    user-interface tty 13
    user-interface vty 0 4
    authentication-mode scheme
    protocol inbound ssh
    #
    return


    #vpn


  • 2.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 08, 2012 12:43 PM

    Did you find the answer to this? I have the same problem.



  • 3.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 09, 2012 03:25 AM

    Not yet. I tried to solve it with HP support, without success.



  • 4.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 09, 2012 05:47 AM

    That's bad.



  • 5.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 19, 2012 03:28 AM

    ...

    acl number 3150
    rule 0 deny ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
    rule 1 deny ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

    rule 2 permit ip source 192.168.236.0 0.0.0.255

    #

    interface Ethernet0/0
    port link-mode route
    nat outbound 3150
    ip address Y.Y.Y.Y 255.255.255.252
    ipsec policy mlszs2s
    dns server Y.Y.Y.X

    ...

    OK?



  • 6.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 19, 2012 05:20 AM

    I tried it but it doesn't work. :-(




  • 7.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 19, 2012 11:27 PM

    ...

    #

    ike peer mlsz_center
    pre-shared-key cipher cccccccccccccccccccccccccccccccccc
    remote-address X.X.X.X

    nat traversal

    #

    ...



  • 8.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 21, 2012 10:59 AM
    Still not working.

    By the way, the VPN connection behaves the same way in both cases.


  • 9.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 22, 2012 03:25 AM

    I think I found the problem. Please change your ACL to permit ip any destination (your destination) and let me know.



  • 10.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 22, 2012 03:27 AM

    acl number

    rule 0 permit ip source any destination 192.168.221.0 0.0.0.255
    rule 1 permit ip source any destination 10.0.0.0 0.0.0.255



  • 11.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 22, 2012 03:29 AM

    Note that this is just for troubleshooting



  • 12.  RE: IPsec site-to-site VPN MSR 900

    Posted Mar 28, 2012 06:23 AM

    Tested and worked.

    acl number 3140
    rule 0 permit ip source 192.168.236.0 0.0.0.255 destination 192.168.221.0 0.0.0.255
    rule 1 permit ip source 192.168.236.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

    acl number 3150
    rule 0 deny ip source any destination 192.168.221.0 0.0.0.255
    rule 1 deny ip source any destination 10.0.0.0 0.0.0.255
    rule 2 permit ip source 192.168.236.0 0.0.0.255

    interface Ethernet0/0
    port link-mode route
    nat outbound 3150
    ip address Y.Y.Y.Y 255.255.255.252
    ipsec policy mlszs2s
    dns server Y.Y.Y.X

    ipsec policy mlszs2s 1 isakmp
    connection-name mlsz_center
    security acl 3140
    ike-peer mlsz_center
    proposal mlsz_globall
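    The fix in post 12 works because, as the symptoms in the thread show, NAT outbound on Ethernet0/0 is applied before the IPsec policy: any packet the NAT ACL permits leaves with the interface address as its source and no longer matches ACL 3140, so it is never protected. The Python model below is an added example (not from the thread or from Comware) that evaluates Comware-style wildcard ACLs in configured order and contrasts a bare `nat outbound` with `nat outbound 3150`; 203.0.113.2 is a placeholder for the router's public address Y.Y.Y.Y.

```python
import ipaddress

# Constructed values taken from the sanitised config in the thread; 203.0.113.2
# is a placeholder for the router's public address Y.Y.Y.Y.
LAN = "192.168.236.0 0.0.0.255"
WAN_IP = "203.0.113.2"

def wildcard_match(addr, spec):
    """Comware 'address wildcard' match: wildcard bits are don't-care; 'any' matches all."""
    if spec == "any":
        return True
    net, wild = spec.split()
    w = int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) | w) == (int(ipaddress.IPv4Address(net)) | w)

def acl_lookup(rules, src, dst):
    """Evaluate rules in configured order; the first match wins. None = no rule matched."""
    for action, s, d in rules:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return None

# acl 3140: the IPsec 'security acl' (traffic that must be protected).
ACL_3140 = [("permit", LAN, "192.168.221.0 0.0.0.255"),
            ("permit", LAN, "10.0.0.0 0.0.0.255")]
# acl 3150: the NAT ACL from post 12; deny = do not translate, permit = translate.
ACL_3150 = [("deny", "any", "192.168.221.0 0.0.0.255"),
            ("deny", "any", "10.0.0.0 0.0.0.255"),
            ("permit", LAN, "any")]

def forward(src, dst, nat_acl):
    """Model of egress on Ethernet0/0 (assumption matching the thread's symptoms):
    the NAT decision is taken first, then the IPsec policy ACL is checked against
    the possibly translated packet. nat_acl=None models a bare 'nat outbound'
    with no ACL, i.e. translate everything.
    Returns ('ipsec' | 'plain', source address as it leaves the interface)."""
    if nat_acl is None or acl_lookup(nat_acl, src, dst) == "permit":
        src = WAN_IP
    if acl_lookup(ACL_3140, src, dst) == "permit":
        return "ipsec", src
    return "plain", src

if __name__ == "__main__":
    for dst in ("192.168.221.5", "10.0.0.7", "8.8.8.8"):
        print(dst, "bare nat outbound:", forward("192.168.236.50", dst, None),
              "| nat outbound 3150:", forward("192.168.236.50", dst, ACL_3150))
```

    With the bare `nat outbound`, traffic for 192.168.221.0/24 is translated and goes out in the clear; with ACL 3150 it is left untranslated, matches ACL 3140 and enters the tunnel, while Internet-bound traffic is still translated.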



  • 13.  RE: IPsec site-to-site VPN MSR 900

    Posted Jul 08, 2015 05:30 AM

    Need to deal with ACLs very carefully. Otherwise our device or network may be under attack.



  • 14.  RE: IPsec site-to-site VPN MSR 900

    Posted Apr 01, 2012 01:14 AM

    Hello

    You can also try this:

    Upgrade the firmware to the latest version (R2209), because it contains all the fixes and software updates from the previous versions, and the command "ipsec no-nat-process enable" has been implemented again in version R2207P45.

    I upgraded last night and the command is there.

    Tell me if it works.

    Regards,

    Alex