Hi, as no one has answered this, I am posting my solution. This took many, many hours as I could not find any really good documentation from HPE or H3C.
The config below was made on an MSR958; the same router has 2 tunnels:
* Tunnel 0 running IKEv2 within a VPN
* Tunnel 1 running IKEv1 within another VPN
I only show the sample config for one router, as the peer router is the same, just with other IPs.
If you find this useful, please "kudos" and add any comments.
IKEv2 setup
- Create a VPN for the outside interface (internet) used for IKEv2
#
ip vpn-instance outside-3
route-distinguisher 3:3
- Create IKEv2 with settings as per your needs. Pay special attention to the VPN
- Warning RANT... (COMWARE now suddenly uses the name "vrf".... W.T.F.!!!!!!!! COMWARE, select one and stick to it!! The same goes for "simple" and "plain" in the PSK for the keychain)
#
ikev2 keychain IkeV2KeyChain
peer OtherRouter
address 11.22.33.44 255.255.255.255
pre-shared-key plaintext <aPSK>
#
ikev2 profile IkeV2Profile-1
authentication-method local pre-share
authentication-method remote pre-share
keychain IkeV2KeyChain
match vrf name outside-3
match remote identity address 11.22.33.44 255.255.255.255
#
ikev2 proposal IkeV2Proposal-1
encryption aes-ctr-256
integrity sha512
dh group24
prf sha512
#
ikev2 policy IkeV2Policy-1
priority 10
match vrf name outside-3
proposal IkeV2Proposal-1
#
- Create IPsec with settings as per your needs
#
ipsec transform-set IpSecTransformSet-1
esp encryption-algorithm camellia-cbc-256
esp authentication-algorithm aes-xcbc-mac
pfs dh-group24
#
ipsec policy IpSecPolicy-1 10 isakmp
transform-set IpSecTransformSet-1
security acl name aclCryptoDomain
remote-address 11.22.33.44
ikev2-profile IkeV2Profile-1
#
- Assign the interface to the VPN, apply the IP and apply the IPsec policy
#
interface GigabitEthernet0/0
ip binding vpn-instance outside-3
ip address 1.2.3.4 255.255.255.0
ipsec apply policy IpSecPolicy-1
- Create a tunnel interface of type GRE. Assign the tunnel to the VPN. Remember the source and destination IPs as well as the tunnel IPs
#
interface Tunnel 0 mode gre
ip address 10.11.24.54 255.255.255.252
source GigabitEthernet0/0
destination 11.22.33.44
tunnel vpn-instance outside-3
- Create a "0" route in the VPN to reach the internet
#
ip route-static vpn-instance outside-3 0.0.0.0 0 1.2.3.254
IKEv1 setup
- Create a VPN for the outside interface (internet) used for IKEv1
#
ip vpn-instance outside-7
route-distinguisher 7:7
- Create IKEv1 with settings as per your needs. Pay special attention to the VPN
#
ike proposal 10
encryption-algorithm aes-cbc-256
dh group24
authentication-algorithm sha512
sa duration 1200
#
ike keychain IkeKeyChain vpn-instance outside-7
pre-shared-key address 55.66.77.88 255.255.255.255 key simple <aPSK>
#
ike profile IkeProfile-1
keychain IkeKeyChain
match remote identity address 55.66.77.88 255.255.255.255 vpn-instance outside-7
proposal 10
- Create IPsec with settings as per your needs
#
ipsec transform-set IpSecTransformSet-2
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha512
pfs dh-group14
#
ipsec policy IpSecPolicy-2 10 isakmp
transform-set IpSecTransformSet-2
security acl name aclCryptoDomain
remote-address 55.66.77.88
ike-profile IkeProfile-1
- Assign the interface to the VPN, apply the IP and apply the IPsec policy
#
interface GigabitEthernet0/1
ip binding vpn-instance outside-7
ip address 5.6.7.8 255.255.255.0
ipsec apply policy IpSecPolicy-2
- Create a tunnel interface of type GRE. Assign the tunnel to the VPN. Remember the source and destination IPs as well as the tunnel IPs
#
interface Tunnel 1 mode gre
ip address 10.11.24.62 255.255.255.252
source GigabitEthernet0/1
destination 55.66.77.88
tunnel vpn-instance outside-7
#
- Create a "0" route in the VPN to reach the internet
#
ip route-static vpn-instance outside-7 0.0.0.0 0 5.6.7.254
Shared:
#
acl advanced name aclCryptoDomain
rule 0 permit gre vpn-instance outside-3 source 1.2.3.4 0 destination 11.22.33.44 0
rule 5 deny ip vpn-instance outside-3
rule 10 permit gre vpn-instance outside-7 source 5.6.7.8 0 destination 55.66.77.88 0
rule 15 deny ip vpn-instance outside-7
#
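As an added example that is not part of the original post: a small Python check for the cross-references that are easy to get wrong in this kind of config (interface VPN binding, IPsec policy remote-address, crypto ACL rule and GRE tunnel destination/VPN). It assumes Comware-style output where member lines are indented by one space; SAMPLE_CONFIG is constructed from the values in the post above.

```python
# Added example, not from the original post: cross-reference check for a Comware 7 GRE-over-IPsec
# config. SAMPLE_CONFIG is constructed from the values in the post (IKEv2 side only).
SAMPLE_CONFIG = """\
ipsec policy IpSecPolicy-1 10 isakmp
 security acl name aclCryptoDomain
 remote-address 11.22.33.44
interface GigabitEthernet0/0
 ip binding vpn-instance outside-3
 ip address 1.2.3.4 255.255.255.0
 ipsec apply policy IpSecPolicy-1
interface Tunnel0 mode gre
 source GigabitEthernet0/0
 destination 11.22.33.44
 tunnel vpn-instance outside-3
acl advanced name aclCryptoDomain
 rule 0 permit gre vpn-instance outside-3 source 1.2.3.4 0 destination 11.22.33.44 0
"""

def parse_blocks(text):
    blocks, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and cur is not None:   # indented line belongs to the current block
            blocks[cur].append(raw.strip())
        elif raw.strip() and raw.strip() != "#":       # non-indented line opens a block; '#' is a separator
            cur, blocks[raw.strip()] = raw.strip(), []
    return blocks

def value(body, prefix):   # text after the first block line starting with prefix, or None
    return next((l[len(prefix):].strip() for l in body if l.startswith(prefix)), None)

def crypto_domain_problems(text):
    blocks, problems = parse_blocks(text), []
    for header, body in blocks.items():
        pol = value(body, "ipsec apply policy ")
        if not header.startswith("interface ") or pol is None:
            continue
        ifname, vpn = header.split()[1], value(body, "ip binding vpn-instance ")
        local_ip = (value(body, "ip address ") or "?").split()[0]
        policy = next((b for h, b in blocks.items() if h.startswith(f"ipsec policy {pol} ")), [])
        peer, acl = value(policy, "remote-address "), value(policy, "security acl name ")
        # The crypto ACL must select exactly this GRE pair inside the VPN instance the interface is bound to.
        wanted = f"permit gre vpn-instance {vpn} source {local_ip} 0 destination {peer} 0"
        if not any(r.endswith(wanted) for r in blocks.get(f"acl advanced name {acl}", [])):
            problems.append(f"{ifname}: ACL {acl} lacks rule '{wanted}'")
        # Every GRE tunnel sourced from this interface must aim at the same peer in the same VPN instance.
        for h, tb in blocks.items():
            if h.startswith("interface Tunnel") and value(tb, "source ") == ifname:
                if (value(tb, "destination "), value(tb, "tunnel vpn-instance ")) != (peer, vpn):
                    problems.append(f"{h}: destination/vpn-instance differ from {ifname} ({peer}, {vpn})")
    return problems
```

Run `crypto_domain_problems(open("running.cfg").read())` on a `display current-configuration` dump; an empty list means the bindings agree.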