Comware

 View Only
last person joined: 3 days ago 

Back to discussions
Expand all | Collapse all

IPSEC Problem between MSR2003 Router and VSR1008 Router

This thread has been viewed 0 times

  • 1.  IPSEC Problem between MSR2003 Router and VSR1008 Router

    Posted Oct 13, 2016 02:44 PM

    Hello all,

     

    im having trouble setting up ipsec tunnel between two routers, vsr router is working behind one to one nat and 

    when i checked the ip i can reach it, so its working correctly, but its unable to establish the ipsec session

    any help would be appriciated.

    Regards,

    Erdem

     

    MSR Configuration

    #
interface GigabitEthernet2/0/1
 port link-mode route
 ip address 91.93.188.206 255.255.255.248
 ospf timer hello 2
 ospf timer dead 10
 ospf network-type p2mp unicast
 ospf timer poll 2
 ospf 2 area 0.0.0.1
 ipsec apply policy msr
#
acl advanced 3000 match-order auto
 rule 0 permit ip source 172.16.101.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
 rule 1 permit ip source 172.16.102.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
#
 ipsec anti-replay window 1024
 ipsec sa global-duration traffic-based 86400
 ipsec sa idle-time 120
#
ipsec transform-set msr
 esp encryption-algorithm 3des-cbc 
 esp authentication-algorithm md5 
#
ipsec policy-template msr 1
 transform-set msr 
 security acl 3000 
 remote-address 88.238.51.202
 ike-profile msr
 reverse-route dynamic
 reverse-route preference 10
 reverse-route tag 100
#
ipsec policy msr 1 isakmp template msr
#
 ike identity address 91.93.188.206
 ike nat-keepalive 5
#
ike profile msr
 keychain msr
 exchange-mode aggressive
 local-identity address 91.93.188.206
 match remote identity address 88.238.51.202 255.255.255.255
 proposal 1 
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike keychain msr
 pre-shared-key address 88.238.51.202 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2
#
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
#

    VSR Configuration

     

    #
    interface GigabitEthernet1/0
     port link-mode route
     ip address 10.142.20.6 255.255.255.0
     ospf timer hello 2
     ospf timer dead 10
     ospf network-type p2mp unicast
     ospf dr-priority 2
     ospf timer poll 2
     ospf 2 area 0.0.0.1
     ipsec apply policy vsr
    #
    acl advanced 3000 match-order auto
     rule 0 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.101.0 0.0.0.255
     rule 1 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.102.0 0.0.0.255
    #
     ipsec anti-replay window 1024
     ipsec sa global-duration traffic-based 86400
     ipsec sa idle-time 120
    #
    ipsec transform-set vsr
     esp encryption-algorithm 3des-cbc
     esp authentication-algorithm md5
    #
    ipsec policy-template vsr 1
     transform-set vsr
     security acl 3000
     remote-address 91.93.188.206
     ike-profile vsr
     reverse-route dynamic
     reverse-route preference 10
     reverse-route tag 100
    #
    ipsec policy vsr 1 isakmp template vsr
    #
     ike identity address 88.238.51.202
     ike nat-keepalive 5
    #
    ike profile vsr
     keychain vsr
     exchange-mode aggressive
     local-identity address 88.238.51.202
     match remote identity address 91.93.188.206 255.255.255.255
     proposal 1
    #
    ike proposal 1
     encryption-algorithm 3des-cbc
     dh group2
     authentication-algorithm md5
    #
    ike keychain vsr
     pre-shared-key address 91.93.188.206 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2
    #
    ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
    #

     


    #MSR
    #VSR
    #ipsec
    #msr2003