  • 1.  IKEv2 with VPN-Instances

    Posted Sep 18, 2017 02:34 PM

    Hi

    Currently I have a working GRE-over-IPsec setup with IKEv1. The outside (internet-facing) interfaces are members of a VPN instance called "outside"; the remaining interfaces are in the default VPN instance.

     I would really like to move this configuration to IKEv2, but I'm having problems with the VPN-instance part of it.

    In IKEv1 I simply bind the keychain to the "outside" VPN instance and tell the GRE tunnel to use the "outside" VPN instance.

    When switching to IKEv2, however, I can't see how to get the GRE traffic encapsulated in IPsec and transported inside the "outside" VPN instance. The IKEv2 SA never reaches the established state.

     

    Below are the working IKEv1 configuration and my attempt at an IKEv2 setup. (Note: the `$c$3$…` strings in the listings are the routers' reversibly encrypted pre-shared keys, not hashes — the device can decrypt them, so once they are posted publicly treat those PSKs as disclosed and rotate them.)

    Has anyone done something like this, or can you spot what I'm missing?

     

    Working IKEv1 (caveat: `exchange-mode aggressive` with a pre-shared key exposes the PSK-derived identity hash to an offline dictionary attack; both peers here have fixed addresses, so main mode — the default, and what the accepted solution below uses — is the safer choice)

    RouterA-IKEv1
    ip vpn-instance outside
    route-distinguisher 123:123
    #
    interface GigabitEthernet1/0/1
    description "Internet"
    port link-mode route
    ip binding vpn-instance outside
    ip address 3.3.3.1 255.255.255.0
    ipsec apply policy IpSecPolicy-1
    #
    interface GigabitEthernet1/0/2
    description "LAN"
    port link-mode route
    ip address 171.20.1.252 255.255.255.0
    #
    interface Tunnel1 mode gre
    ip address 10.1.1.2 255.255.255.252
    source GigabitEthernet1/0/1
    destination 1.1.1.1
    tunnel vpn-instance outside
    #
    ip route-static vpn-instance outside 0.0.0.0 0 3.3.3.254
    #
    acl advanced 3000
    rule 5 permit gre vpn-instance outside source 3.3.3.1 0 destination 1.1.1.1 0
    #
    ipsec transform-set IpSecTransformSet-1
    esp encryption-algorithm aes-cbc-256
    esp authentication-algorithm sha512
    pfs dh-group24
    #
    ipsec policy IpSecPolicy-1 10 isakmp
    transform-set IpSecTransformSet-1
    security acl 3000
    local-address 3.3.3.1
    remote-address 1.1.1.1
    ike-profile IkeProfile-1
    #
    ike profile IkeProfile-1
    keychain IkeKeyChain
    exchange-mode aggressive
    match remote identity address 1.1.1.1 255.255.255.255 vpn-instance outside
    proposal 10
    #
    ike proposal 10
    encryption-algorithm aes-cbc-256
    dh group24
    authentication-algorithm sha512
    sa duration 600
    #
    ike keychain IkeKeyChain vpn-instance outside
    pre-shared-key address 1.1.1.1 255.255.255.255 key cipher $c$3$bmECnXoNrRFWI/Q4gI3KehOid+cWgiUenA==

    RouterB-IKEv1
    ip vpn-instance outside
    route-distinguisher 123:123
    #
    interface GigabitEthernet1/0/1
    description "Internet"
    port link-mode route
    ip binding vpn-instance outside
    ip address 1.1.1.1 255.255.255.0
    ipsec apply policy IpSecPolicy-1
    #
    interface GigabitEthernet1/0/2
    description "LAN"
    port link-mode route
    ip address 10.151.0.252 255.255.255.0
    #
    interface Tunnel1 mode gre
    ip address 10.1.1.1 255.255.255.252
    source GigabitEthernet1/0/1
    destination 3.3.3.1
    tunnel vpn-instance outside
    #
    ip route-static vpn-instance outside 0.0.0.0 0 1.1.1.254
    #
    acl advanced 3000
    rule 5 permit gre vpn-instance outside source 1.1.1.1 0 destination 3.3.3.1 0
    #
    #
    ipsec transform-set IpSecTransformSet-1
    esp encryption-algorithm aes-cbc-256
    esp authentication-algorithm sha512
    pfs dh-group24
    #
    ipsec policy IpSecPolicy-1 10 isakmp
    transform-set IpSecTransformSet-1
    security acl 3000
    local-address 1.1.1.1
    remote-address 3.3.3.1
    ike-profile IkeProfile-1
    #
    ike profile IkeProfile-1
    keychain IkeKeyChain
    exchange-mode aggressive
    match remote identity address 3.3.3.1 255.255.255.255 vpn-instance outside
    proposal 10
    #
    ike proposal 10
    encryption-algorithm aes-cbc-256
    dh group24
    authentication-algorithm sha512
    sa duration 600
    #
    ike keychain IkeKeyChain vpn-instance outside
    pre-shared-key address 3.3.3.1 255.255.255.255 key cipher $c$3$GH9iK18VFX/LdzAbIgBV6eK2A+83jMoAAw==

     


    Non-working IKEv2 (the IKEv2 SA never reaches established; see reply #2 below — the `ikev2 profile` here has no `match vrf name outside`, only the `ikev2 policy` does)

    RouterA-IKEv2
    ip vpn-instance outside
    route-distinguisher 123:123
    #
    interface GigabitEthernet1/0/1
    description "Internet"
    port link-mode route
    ip binding vpn-instance outside
    ip address 4.4.4.1 255.255.255.0
    ipsec apply policy IpSecPolicy-1
    #
    interface GigabitEthernet1/0/2
    description "LAN"
    port link-mode route
    ip address 10.20.1.253 255.255.255.0
    #
    interface Tunnel1 mode gre
    ip address 10.1.1.6 255.255.255.252
    source GigabitEthernet1/0/1
    destination 2.2.2.1
    tunnel vpn-instance outside
    #
    ip route-static vpn-instance outside 0.0.0.0 0 4.4.4.254
    #
    acl advanced 3000
    rule 5 permit gre vpn-instance outside source 4.4.4.1 0 destination 2.2.2.1 0
    #
    ipsec transform-set IpSecTransformSet-1
    esp encryption-algorithm aes-cbc-256
    esp authentication-algorithm sha512
    #
    ipsec policy IpSecPolicy-1 10 isakmp
    transform-set IpSecTransformSet-1
    security acl 3000
    local-address 4.4.4.1
    remote-address 2.2.2.1
    ikev2-profile IkeV2Profile-1
    #
    ikev2 keychain IkeV2KeyChain
    peer Taulov
    address 2.2.2.1 255.255.255.255
    identity address 2.2.2.1
    pre-shared-key ciphertext $c$3$NuHqjBfo3lFRqaZro+/xW0K5bdOdKPyqhA==
    #
    ikev2 profile IkeV2Profile-1
    authentication-method local pre-share
    authentication-method remote pre-share
    keychain IkeV2KeyChain
    sa duration 600
    dpd interval 10 periodic
    identity local address 4.4.4.1
    match remote identity address 2.2.2.1 255.255.255.255
    #
    ikev2 proposal 10
    encryption aes-ctr-256
    integrity sha512
    dh group24
    prf sha512
    #
    ikev2 policy IkeV2Policy-1
    match vrf name outside
    proposal 10
    #

    RouterB-IKEv2
    ip vpn-instance outside
    route-distinguisher 123:123
    #
    interface GigabitEthernet1/0/1
    description "Internet"
    port link-mode route
    ip binding vpn-instance outside
    ip address 2.2.2.1 255.255.255.0
    ipsec apply policy IpSecPolicy-1
    #
    interface GigabitEthernet1/0/2
    description "LAN"
    port link-mode route
    ip address 10.151.0.253 255.255.255.0
    #
    interface Tunnel1 mode gre
    ip address 10.1.1.5 255.255.255.252
    source GigabitEthernet1/0/1
    destination 4.4.4.1
    tunnel vpn-instance outside
    #
    ip route-static vpn-instance outside 0.0.0.0 0 2.2.2.254
    #
    acl advanced 3000
    rule 5 permit gre vpn-instance outside source 2.2.2.1 0 destination 4.4.4.1 0
    #
    ipsec transform-set IpSecTransformSet-1
    esp encryption-algorithm aes-cbc-256
    esp authentication-algorithm sha512
    #
    ipsec policy IpSecPolicy-1 10 isakmp
    transform-set IpSecTransformSet-1
    security acl 3000
    local-address 2.2.2.1
    remote-address 4.4.4.1
    ikev2-profile IkeV2Profile-1
    #
    ikev2 keychain IkeV2KeyChain
    peer Billund
    address 4.4.4.1 255.255.255.255
    identity address 4.4.4.1
    pre-shared-key ciphertext $c$3$0w8agWeKr3oNEHMkgGb86QnsYzHdmIifQA==
    #
    ikev2 profile IkeV2Profile-1
    authentication-method local pre-share
    authentication-method remote pre-share
    keychain IkeV2KeyChain
    sa duration 600
    dpd interval 10 periodic
    identity local address 2.2.2.1
    match remote identity address 4.4.4.1 255.255.255.255
    #
    ikev2 proposal 10
    encryption aes-ctr-256
    integrity sha512
    dh group24
    prf sha512
    #
    ikev2 policy IkeV2Policy-1
    match vrf name outside
    proposal 10

     




  • 2.  RE: IKEv2 with VPN-Instances

    Posted Sep 24, 2017 11:14 AM

    Hi — as no one has answered this, I'm posting my solution. It took many hours, as I could not find any really good documentation from HPE or H3C.

    The config below was made on an MSR958. The same router has two tunnels:

     * Tunnel 0 running IKEv2 within a VPN

     * Tunnel 1 running IKEv1 within another VPN

    I only show the sample config for one router, as the peer router is configured the same way, just with the other IPs.

     

    If you find this useful, please "kudos" and add any comments.

     

    IKEv2 setup

    - Create a VPN instance for the outside (internet) interface used for IKEv2
    #
    ip vpn-instance outside-3
    route-distinguisher 3:3


    - Create the IKEv2 keychain, profile, proposal and policy with settings as per your needs. Pay special attention to the VPN instance: the `match vrf name outside-3` line must be in the `ikev2 profile` as well as in the `ikev2 policy` — that is what the non-working config in the question was missing, so IKEv2 never matched the profile for negotiations arriving in the "outside" VPN instance. (The `sa duration`, `dpd` and `identity local address` lines from the question were not the cause; they can be re-added if you want those settings.)
    - Warning, rant: Comware now suddenly uses the name "vrf" here instead of "vpn-instance". Comware, pick one and stick to it! The same goes for "simple" (IKEv1 keychain) versus "plaintext" (IKEv2 keychain) for the PSK keyword.
    #
    ikev2 keychain IkeV2KeyChain
    peer OtherRouter
    address 11.22.33.44 255.255.255.255
    pre-shared-key plaintext <aPSK>
    #
    ikev2 profile IkeV2Profile-1
    authentication-method local pre-share
    authentication-method remote pre-share
    keychain IkeV2KeyChain
    match vrf name outside-3
    match remote identity address 11.22.33.44 255.255.255.255
    #
    ikev2 proposal IkeV2Proposal-1
    encryption aes-ctr-256
    integrity sha512
    dh group24
    prf sha512
    #
    ikev2 policy IkeV2Policy-1
    priority 10
    match vrf name outside-3
    proposal IkeV2Proposal-1
    #

     

    - Create the IPsec transform-set and policy with settings as per your needs (the transform-set is listed twice below; it only needs to be defined once)
    #
    ipsec transform-set IpSecTransformSet-1
    esp encryption-algorithm camellia-cbc-256
    esp authentication-algorithm aes-xcbc-mac
    pfs dh-group24
    #
    ipsec policy IpSecPolicy-1 10 isakmp
    transform-set IpSecTransformSet-1
    security acl name aclCryptoDomain
    remote-address 11.22.33.44
    ikev2-profile IkeV2Profile-1
    #
    ipsec transform-set IpSecTransformSet-1
    esp encryption-algorithm camellia-cbc-256
    esp authentication-algorithm aes-xcbc-mac
    pfs dh-group24

     

    - Bind the interface to the VPN instance, assign its IP address and apply the IPsec policy
    #
    interface GigabitEthernet0/0
    ip binding vpn-instance outside-3
    ip address 1.2.3.4 255.255.255.0
    ipsec apply policy IpSecPolicy-1

    - Create a tunnel interface of type GRE and bind it to the VPN instance. Note the source and destination IPs as well as the tunnel IPs
    #
    interface Tunnel 0 mode gre
    ip address 10.11.24.54 255.255.255.252
    source GigabitEthernet0/0
    destination 11.22.33.44
    tunnel vpn-instance outside-3

    - Create a default route in the VPN instance to reach the internet
    #
    ip route-static vpn-instance outside-3 0.0.0.0 0 1.2.3.254

     

     

     

     

     

     

     

     


    IKEv1 setup

    - Create a VPN instance for the outside (internet) interface used for IKEv1
    #
    ip vpn-instance outside-7
    route-distinguisher 7:7

     

    - Create the IKEv1 proposal, keychain and profile with settings as per your needs. Pay special attention to the VPN instance: for IKEv1 it is bound on the `ike keychain` line and in the profile's `match remote identity` line.
    #
    ike proposal 10
    encryption-algorithm aes-cbc-256
    dh group24
    authentication-algorithm sha512
    sa duration 1200
    #
    ike keychain IkeKeyChain vpn-instance outside-7
    pre-shared-key address 55.66.77.88 255.255.255.255 key simple <aPSK>
    #
    ike profile IkeProfile-1
    keychain IkeKeyChain
    match remote identity address 55.66.77.88 255.255.255.255 vpn-instance outside-7
    proposal 10


    - Create the IPsec transform-set and policy with settings as per your needs
    #
    ipsec transform-set IpSecTransformSet-2
    esp encryption-algorithm aes-cbc-256
    esp authentication-algorithm sha512
    pfs dh-group14
    #
    ipsec policy IpSecPolicy-2 10 isakmp
    transform-set IpSecTransformSet-2
    security acl name aclCryptoDomain
    remote-address 55.66.77.88
    ike-profile IkeProfile-1

     

    - Bind the interface to the VPN instance, assign its IP address and apply the IPsec policy
    #
    interface GigabitEthernet0/1
    ip binding vpn-instance outside-7
    ip address 5.6.7.8 255.255.255.0
    ipsec apply policy IpSecPolicy-2

     

    - Create a tunnel interface of type GRE and bind it to the VPN instance. Note the source and destination IPs as well as the tunnel IPs
    #
    interface Tunnel 1 mode gre
    ip address 10.11.24.62 255.255.255.252
    source GigabitEthernet0/1
    destination 55.66.77.88
    tunnel vpn-instance outside-7
    #


    - Create a default route in the VPN instance to reach the internet
    #
    ip route-static vpn-instance outside-7 0.0.0.0 0 5.6.7.254

     

     


    Shared (the crypto-domain ACL used by both IPsec policies). Note that in an IPsec ACL a `deny` rule only excludes traffic from IPsec protection — it does not drop it. The `deny ip` rules below keep other traffic in each VPN instance out of the tunnel; if the intent is to block that traffic, use a packet-filter ACL on the interface instead:
    #
    acl advanced name aclCryptoDomain
    rule 0 permit gre vpn-instance outside-3 source 1.2.3.4 0 destination 11.22.33.44 0
    rule 5 deny ip vpn-instance outside-3
    rule 10 permit gre vpn-instance outside-7 source 5.6.7.8 0 destination 55.66.77.88 0
    rule 15 deny ip vpn-instance outside-7
    #