Hi Rickard.
Refurbished equipment bought via authorized distributor/reseller has the same warranty/support status as new equipment.
Comware gear is the exception in Aruba land, as it has only a 1-year warranty. But you can always buy a Support Pack for it. It's not that expensive, and if this will be/is in production, it's well worth it.
Original Message:
Sent: Aug 24, 2024 06:31 AM
From: MSRUser19700101
Subject: MSR2003AC -> MSR2003AC tunnel issues.
Hi Gozrazd,
Thank you for the reply! Yeah, I can find software on the HPE portal (the link you provided), but unfortunately I can't access the firmware updates there, because I have no HPE customer account, since I bought my routers factory refurbished second hand. So in short, HPE won't give it to me, and support has just stopped answering by email after what I think were well-intended attempts to figure out whether I could have access.
Generally:
I managed to fix my VPN/IPsec problems; the trick is to not mix GRE and GRE P2MP tunnels, since the ACLs don't want to "allow" the GRE tunnel to become IPsec'ed and only let the GRE P2MP tunnel become IPsec'ed, plus other related routing issues.
1. Does anybody know what the sequence number means in the IPsec cfg? This is unclear in the HPE techhub.
2. Has anybody managed to get the TCL CLI on the routers to take custom functions / actually respect the "source" directive? It won't allow me to run custom functions so that I can have my script run periodically through the scheduler. Currently I solve a DDNS/IP problem using the Python client on the routers, and that works, but loading the interpreter once an hour creates a network slowdown/glitch for 2-3 seconds due to CPU consumption.
Best Rickard.
Original Message:
Sent: Aug 07, 2024 07:25 AM
From: GorazdKikelj
Subject: MSR2003AC -> MSR2003AC tunnel issues.
Latest FW version is 7.10 R6749P21
Your version is very old, from 2020.
You can get it with a valid support contract from the networkingsupport.hpe.com portal.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Jul 31, 2024 05:22 AM
From: MSRUser19700101
Subject: MSR2003AC -> MSR2003AC tunnel issues.
Hi,
1.
Maybe I should simplify the problem a bit. What is not working is that users accessing the internal network through an L2TP/IPsec VPN to one MSR2003AC (VPN node) router can't reach another network connected through an IPsec/GRE tunnel between said router and another identical router.
I have temporarily disabled the IPsec cfg over the router -> router GRE tunnel (bridge) for convenience, which can be seen in the config provided below; it's not an error.
And I removed some extra stuff, such as attack defense, for now to keep it to a bare minimum.
What currently works:
(user) l2tp/ipsec vpn --> router A (1.1.1.1) --> LAN (172.18.0.0/16).
(user) LAN A (172.18.0.0/16) --> (gre/ipsec) --> LAN B (172.19.0.0/16).
(user) LAN B (172.19.0.0/16) --> (gre/ipsec) --> LAN A (172.18.0.0/16).
What does NOT work and I need help with:
(user) l2tp/ipsec vpn --> router A (1.1.1.1) --> (gre/ipsec) --> router B (2.2.2.1) --> LAN (172.19.0.0/16).
2.
I also wonder if anybody out there has the latest firmware for these routers, or maybe I already have the latest versions of boot+fw?!? Current version is: msr2000-cmw710-boot-r0707p12
I have attached the cfg file for the VPN-capable node.
#
 version 7.1.064, Release 0707P12
#
 sysname mydomain
#
 clock timezone zone1 add 02:00:00
#
 packet-filter default deny
#
aspf policy 1
 detect dns
 detect ftp
 detect http
 detect rtsp
 detect smtp
#
 ip pool l2tp-p2mp-ipv4pool1 192.168.254.200 192.168.254.250
 ip pool l2tp-p2mp-ipv4pool1 gateway 192.168.254.1
#
nat address-group 0
 address interface GigabitEthernet0/0
#
 dhcp enable
#
 dns proxy enable
 dns server 1.2.3.4
#
 password-recovery enable
#
vlan 1
#
controller Cellular0/0
#
interface Aux0
#
interface Virtual-Template0
#
interface Virtual-Template1
 ppp authentication-mode ms-chap-v2
 remote address pool l2tp-p2mp-ipv4pool1
 ip address 192.168.254.1 255.255.255.0
 tcp mss 1280
#
interface NULL0
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 1.1.1.1 255.0.0.0
 packet-filter name GE0/0-inbound inbound
 packet-filter name GE0/0-outbound outbound
 aspf apply policy 1 outbound
 nat outbound 2000
 ipsec apply policy ipsec-permtun-pol1
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 172.18.1.1 255.255.0.0
 packet-filter name GE0/1-inbound inbound
 packet-filter name GE0/1-outbound outbound
#
interface Tunnel0 mode gre
 ip address 192.168.240.1 255.255.255.0
 tcp mss 1280
 source GigabitEthernet0/0
 destination 2.2.2.1
 gre key 123456789
 gre checksum
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
 scheduler logfile size 16
#
scheduler job greupdate1
 command 0 python pupdategre.py
#
scheduler schedule greeupdateschedule1
 user-role network-admin
#
scheduler schedule greupdateschedule1
 user-role network-admin
 job greupdate1
 time repeating interval 5
#
line class aux
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 speed 115200
 authentication-mode scheme
 user-role network-admin
#
line vty 0 1
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
#
line vty 2 63
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 0.0.0.0 0 GigabitEthernet0/0 1.1.1.250 permanent
 ip route-static 172.19.0.0 16 Tunnel0 permanent
#
 ssh server enable
 sftp server enable
#
 ntp-service unicast-server se.pool.ntp.org
#
acl basic 2000
 rule 0 permit source 172.18.0.0 0.0.255.255
#
acl advanced 3100
 rule 0 permit gre source 1.1.1.1 destination 2.2.2.1 0
#
acl advanced name GE0/0-inbound
 rule 100 deny tcp destination-port eq 22
 rule 105 deny tcp destination-port eq 8080
 rule 106 deny tcp destination-port eq 8443
 rule 65534 permit ip
#
acl advanced name GE0/0-outbound
 rule 65534 permit ip
#
acl advanced name GE0/1-inbound
 rule 65534 permit ip
#
acl advanced name GE0/1-outbound
 rule 65534 permit ip
#
 password-control enable
 undo password-control aging enable
 undo password-control history enable
 password-control length 6
 password-control login-attempt 3 exceed lock-time 10
 password-control update-interval 0
 password-control login idle-time 0
 password-control complexity user-name check
#
domain system
 authentication ppp local
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 service-type ssh terminal http https
 authorization-attribute user-role network-admin
#
local-user vpntestuser class network
 password cipher $thisisafakehash=
 access-limit 2
 service-type ppp
 authorization-attribute user-role network-operator
#
public-key peer 172.19.1.1
 public-key-code begin
 123fakenmb
 public-key-code end
 peer-public-key end
#
cwmp
 cwmp enable
#
ipsec transform-set ipsec-p2mp-set1
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 ah authentication-algorithm sha256
 pfs dh-group14
#
ipsec transform-set ipsec-permtun-set1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha512
 pfs dh-group24
#
ipsec policy-template ipsec-permtun-temp1 1
 transform-set ipsec-p2mp-set1
 reverse-route dynamic
 reverse-route preference 100
 reverse-route tag 1000
#
ipsec policy ipsec-permtun-pol1 10 isakmp template ipsec-permtun-temp1
#
l2tp-group 1 mode lns
 allow l2tp virtual-template 1
 undo tunnel authentication
 tunnel name l2tp-p2mp-tunnel
#
 l2tp enable
#
 ike dpd interval 5 periodic
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group24
 authentication-algorithm sha512
 sa duration 60
 description sk <-> kh tunnel, highest possible settings.
#
ike proposal 2
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm sha384
 sa duration 60
 description MS-W10> Compatible
#
ike keychain ikep2mpkey1
 match local address GigabitEthernet0/0
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $mysecretkeyhash
#
ike keychain ikepermtunkey1
 match local address GigabitEthernet0/0
 pre-shared-key address 2.2.2.1 255.255.255.0 key cipher $mysecrethash
#
 ip http port 8080
 ip https port 8443
 ip http enable
 ip https enable
#
return
Rick.
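To make the routing question in the post concrete, here is an added example (my own script, not part of the thread and not an HPE/Comware tool) that parses the route, interface, NAT and basic-ACL parts of the router-A config posted above and works out, for each of the flows the poster lists, which interface the packet leaves on and whether the outbound NAT ACL on that interface selects the source. CONFIG is an excerpt of the posted config; the "LAN A" and "Internet" host addresses used in the checks are constructed test values, and the first-match / implicit-deny ACL semantics are assumed. Router B's config is not on the page, so the script cannot check its return path.

```python
# Added example: route and NAT-ACL sanity check over the posted Comware config.
import ipaddress
import re

# Excerpt of the router-A config from the post; bare "#" lines separate blocks.
CONFIG = """
#
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.0.0.0
 nat outbound 2000
#
interface GigabitEthernet0/1
 ip address 172.18.1.1 255.255.0.0
#
interface Tunnel0 mode gre
 ip address 192.168.240.1 255.255.255.0
#
interface Virtual-Template1
 ip address 192.168.254.1 255.255.255.0
#
 ip route-static 0.0.0.0 0 GigabitEthernet0/0 1.1.1.250 permanent
 ip route-static 172.19.0.0 16 Tunnel0 permanent
#
acl basic 2000
 rule 0 permit source 172.18.0.0 0.0.255.255
#
"""

# "rule N permit|deny [proto] source A [wildcard]"; a missing wildcard or "0" means host.
RULE = re.compile(r"rule \d+ (permit|deny)(?: (\S+))? source (\d+(?:\.\d+){3})"
                  r"(?: (\d+(?:\.\d+){3}|0))?")

def sections(text):
    """Yield Comware config blocks as lists of lines."""
    block = []
    for line in text.splitlines():
        if line.strip() == "#":
            if block:
                yield block
            block = []
        elif line.strip():
            block.append(line.rstrip())
    if block:
        yield block

def wildcard_to_network(addr, wildcard):
    """Comware ACLs use wildcard masks (0 bits must match); invert to a netmask."""
    if wildcard in (None, "0"):
        wildcard = "0.0.0.0"
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse(text):
    """Return (static routes, connected networks, NAT ACL per interface, ACL rules)."""
    routes, connected, nat, acls = [], [], {}, {}
    for block in sections(text):
        head = block[0].split()
        if head[0] == "interface":
            name = head[1]
            for line in block[1:]:
                m = re.match(r"\s*ip address (\S+) (\S+)", line)
                if m:
                    connected.append((ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False), name))
                m = re.match(r"\s*nat outbound (\d+)", line)
                if m:
                    nat[name] = m[1]
        elif head[0] == "acl":
            name = head[3] if head[2] == "name" else head[2]
            acls[name] = [(m[1], wildcard_to_network(m[3], m[4]))
                          for m in map(RULE.search, block[1:]) if m]
        for line in block:
            m = re.match(r"\s*ip route-static (\S+) (\d+) (\S+)", line)
            if m:
                routes.append((ipaddress.IPv4Network(f"{m[1]}/{m[2]}"), m[3]))
    return routes, connected, nat, acls

def lookup(dst, routes, connected):
    """Longest-prefix match across connected networks and static routes."""
    hits = [(net, via) for net, via in connected + routes if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=(None, None))

def acl_permits(src, rules):
    """First matching rule wins; no match means the packet is not selected (assumed)."""
    for action, net in rules:
        if src in net:
            return action == "permit"
    return False

def check_flow(src, dst, cfg):
    """Egress interface, matched prefix, and whether the egress NAT ACL selects src."""
    routes, connected, nat, acls = cfg
    net, egress = lookup(ipaddress.IPv4Address(dst), routes, connected)
    natted = egress in nat and acl_permits(ipaddress.IPv4Address(src), acls[nat[egress]])
    return {"egress": egress, "via": str(net), "natted": natted}

if __name__ == "__main__":
    cfg = parse(CONFIG)
    for src, dst, label in [("192.168.254.200", "172.18.10.1", "VPN client -> LAN A"),
                            ("192.168.254.200", "172.19.1.1", "VPN client -> LAN B (failing)"),
                            ("172.18.10.1", "172.19.1.1", "LAN A -> LAN B"),
                            ("192.168.254.200", "198.51.100.1", "VPN client -> Internet")]:
        print(f"{label:32} {check_flow(src, dst, cfg)}")
```

Running it shows that router A does route traffic from the L2TP pool (192.168.254.x) towards 172.19.0.0/16 into Tunnel0, un-NATed, exactly like LAN A traffic. That narrows the failing flow to the far side: router B has to have a route for 192.168.254.0/24 back over its tunnel, and whatever IPsec selector protects the GRE traffic has to cover it, neither of which can be confirmed from the posted config. The script also reports that pool addresses are not in ACL 2000, so VPN clients would not be NATed to the Internet by this router, which matters if split tunneling is ever turned off on the clients.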
Original Message:
Sent: Jul 25, 2024 04:02 PM
From: MSRUser19700101
Subject: MSR2003AC -> MSR2003AC tunnel issues.
Hi HPE/ARUBA community!
I have a situation running two (2) MSR2003AC routers, one in a city office and one in a small factory. I have successfully managed to install the two routers and set them up using L3 port mode for WAN and LAN (only one VLAN exists, VLAN 1) in the cfg. The two routers can communicate with each other over a GRE/IPsec tunnel; the intention is to use this as a permanent bridge joining the two LAN networks 172.18.0.0/16 and 172.19.0.0/16 respectively. If a client on either LAN tries to ping any host on the other LAN it just works, which is great; servers or other clients can be accessed and so on.
The problem I'm facing is when external users log into the network using an L2TP/IPsec VPN tunnel to router1 running the 172.18.0.0/16 network and then try to access router2's LAN network 172.19.0.0/16: this just doesn't work. I can set the VPN client (Windows native VPN) to add a route to 172.18.0.0/16 and the client gets full access to that network, but if I add a route to 172.19.0.0/16 through 172.18.1.1 or the tunnel GW 192.168.254.1, I just get no response on an ICMP ping to 172.19.1.1 or when trying to access a web server on 172.19.10.1. Can anybody kindly provide me with any pointers?
Best regards,
Rick.