
IPSec Tunnel Configuration on HPE 5945 SW

    Posted Oct 31, 2024 10:54 AM

    I made the following configurations between the 2 HPE 5945 switches.

    However, I was unable to align phase 1 or phase 2.

    Can anyone help and evaluate whether the configuration is correct?

    HPE1_SPO_SW1]display ikev2 proposal
    IKEv2 proposal : BICS
      Encryption: AES-CBC-128 
      Integrity: SHA1 
      PRF: 
      DH Group: MODP1024/Group2 MODP2048/Group14


    [HPE1_SPO_SW1]display ikev2 policy 
    IKEv2 policy: BICS
      Priority: 10
      Match local: Vlan-interface30
      Match VRF: VRF9
      Proposal: BICS


    [HPE1_SPO_SW1]display ikev2 profile 
    IKEv2 profile: BICS
      Priority: 100
      Match criteria:
        Remote identity ipv4 address 186.231.25.135/32
        VRF  VRF9
      Inside-vrf: 
      Local identity: address 189.76.174.12
      Local authentication method: pre-share
      Remote authentication methods: pre-share
      Keychain: BICS
      SA duration: 86400
      DPD: 
      Config-exchange:
      NAT keepalive: 
      AAA authorization:

    [HPE1_SPO_SW1]display ipsec transform-set 
    IPsec transform set: BICS
      State: complete
      Encapsulation mode: tunnel
      ESN: Disabled
      PFS: dh-group14
      Transform: ESP
      ESP protocol:
        Integrity: SHA1
        Encryption: AES-CBC-128


    [HPE1_SPO_SW1]display ipsec policy
    -------------------------------------------
    IPsec Policy: BICS
    Interface: Tunnel1,
               Vlan-interface30
    -------------------------------------------


      -----------------------------
      Sequence number: 1
      Mode: ISAKMP
      -----------------------------
      Traffic Flow Confidentiality: Disabled
      Security data flow: 3003
      Selector mode: standard
      Local address: 189.76.174.12
      Remote address: 186.231.25.135
      Transform set:  BICS
      IKE profile: 
      IKEv2 profile: BICS
      SA duration(time based):…

    [HPE1_SPO_SW1-Vlan-interface30]display this 
    #
    interface Vlan-interface30
    description Tunnel_BICS
    ip binding vpn-instance VRF9
    ip address 189.76.174.12 255.255.255.254
    ipsec apply policy BICS
    #
    return


    [HPE1_SPO_SW1-Tunnel1]display this 
    #
    interface Tunnel1 mode ipv4-ipv4
    service slot 1 
    ip address 10.246.238.204 255.255.255.254
    source Vlan-interface30
    destination 186.231.25.135
    ipsec apply policy BICS
    #
    return

    Log

    *Aug 20 02:52:10:618 2001 HPE1_SPO_SW1 IKEV2/7/PACKET: vrf = 3, src=189.76.174.12, dst = 186.231.25.135/500
    Sending an IPv4 packet.
    *Aug 20 02:52:10:618 2001 HPE1_SPO_SW1 IKE/7/EVENT: vrf = 3, src=189.76.174.12, dst = 186.231.25.135/500
    Sent data to socket successfully.
    *Aug 20 02:52:10:622 2001 HPE1_SPO_SW1 IKE/7/EVENT: Received packet successfully.
    *Aug 20 02:52:10:622 2001 HPE1_SPO_SW1 IKEV2/7/PACKET: vrf = 3, src=189.76.174.12, dst = 186.231.25.135/500
    Received packet from 186.231.25.135 source port 500 destination port 500.
    *Aug 20 02:52:10:622 2001 HPE1_SPO_SW1 IKEV2/7/PACKET: vrf = 3, src=189.76.174.12, dst = 186.231.25.135/500
      I-SPI: 23bc896580a2a89f
      R-SPI: db0faad5b188a429
      Message ID: 2
      Exchange type: INFORMATIONAL
      Flags: RESPONSE
      Next payload: ENCRYPTED, Length: 76.


    The configuration is between 2 HPE 5945 SWs; both SWs have the same configuration, with only the local and remote values changed.
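Added example, not code from the original post or from HPE: a small Python checker that parses the `display ikev2 proposal` and `display ipsec transform-set` output in the format shown above from both peers, reports fields with no common value (the usual reason phase 1 or phase 2 never completes) and flags legacy algorithms such as Group2 and SHA1. The second peer's output is constructed with a deliberate encryption mismatch.

```python
# Constructed samples trimmed to the crypto-relevant lines of the Comware
# "display ikev2 proposal" and "display ipsec transform-set" output.
PEER_A = """\
IKEv2 proposal : BICS
  Encryption: AES-CBC-128
  Integrity: SHA1
  PRF:
  DH Group: MODP1024/Group2 MODP2048/Group14
IPsec transform set: BICS
  PFS: dh-group14
  Integrity: SHA1
  Encryption: AES-CBC-128
"""
# Hypothetical remote peer: same, except IKEv2 encryption is AES-CBC-256.
PEER_B = PEER_A.replace("Encryption: AES-CBC-128\n  Integrity: SHA1\n  PRF",
                        "Encryption: AES-CBC-256\n  Integrity: SHA1\n  PRF")

# Algorithms a current deployment should not rely on.
WEAK = {"MODP1024/Group2", "SHA1", "MD5", "DES-CBC", "3DES-CBC"}

def parse(dump):
    """Return {section: {field: set(values)}}; unindented lines start a section."""
    sections, current = {}, None
    for line in dump.splitlines():
        if not line.startswith(" "):
            current = line.split(":")[0].strip()
            sections[current] = {}
            continue
        key, _, val = line.strip().partition(":")
        sections[current][key.strip()] = set(val.split())
    return sections

def compare(a, b):
    """List fields the two peers cannot agree on. A field is fine when the
    value sets overlap (IKEv2 picks the first common algorithm); an empty
    field means the platform default applies and must be confirmed by hand."""
    issues, pa, pb = [], parse(a), parse(b)
    for sec, fields in pa.items():
        for key, va in fields.items():
            vb = pb.get(sec, {}).get(key, set())
            if not (va and vb):
                issues.append(f"{sec}/{key}: unset on a peer, default applies")
            elif not va & vb:
                issues.append(f"{sec}/{key}: no common value {sorted(va)} vs {sorted(vb)}")
    return issues

def weak_settings(dump):
    """Sorted list of legacy algorithms present anywhere in the dump."""
    found = {v for sec in parse(dump).values() for vals in sec.values() for v in vals}
    return sorted(found & WEAK)
```

With matching dumps only the empty `PRF:` field is reported, so the default PRF on each side is the remaining thing to confirm.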