Comware


Site to Site connection MS Azure using Comware Router based

  • 1.  Site to Site connection MS Azure using Comware Router based

    Posted Jan 30, 2018 02:04 AM

    Hi all,

    I'm trying to connect a Comware v7 device to MS-Azure using the router-based Site-to-Site VPN solution, based on the Cisco ASR example configuration supplied by Microsoft.

    The IKEv2 SA shows that connectivity has been established:

     Tunnel ID   Local                       Remote                      Status
      ---------------------------------------------------------------------------
      835         213.125.252.xx/500          52.166.94.xx/500            EST

    I have created the config, but I get errors on the IKEv2 ST:

     No proposal chosen: 1151

    When inspecting the logfiles I see three errors:

    GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  Construct CERTREQ payload failed.

    Some time later:

    GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  match proposal failed.
    GobyRouter954 IKEV2/7/ERROR: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  Failed to parse payloads about Child SA.

    And then this:

    GobyRouter954 IKEV2/7/FSM: vrf = 0, src=213.125.252.xx, dst = 52.166.94.xx/500  (Tunnel ID 241): Deleting negotiation context.

    As far as I can see the config is exactly the same as the one for the Cisco.

    I can't find these errors in the HP documentation and I'm kind of stuck. Can anybody give me a clue where I must look to solve this?

    Help is much appreciated.


    #HProuter
    #MSR
    #Comwarev7
    #Azure


  • 2.  RE: Site to Site connection MS Azure using Comware Router based

    Posted Feb 01, 2018 04:16 PM

    Hi there again,

    After investigating the log file very closely I saw that the Comware v7 implementation of IKEv2 is not complete. In the log file I noticed the following:

    *Jan 31 17:46:19:847 2018 GobyRouter954 IKE/7/EVENT: vrf = 0, local = 213.125.252.xx, remote = 52.166.94.xx/500 Begin Main mode exchange.
    *Jan 31 17:46:19:848 2018 GobyRouter954 IKE/7/ERROR: vrf = 0, local = 213.125.252.xx, remote = 52.166.94.xx/500 Failed to negotiate IKE SA.
    *Jan 31 17:46:19:853 2018 GobyRouter954 IPSEC/7/EVENT: Sent delete SA message to all nodes, message type is 0x16.

    This is exactly where it goes wrong. Within the ipsec command in Comware it is not possible to add an IKEv2 profile. You can only add an IKE profile, and MS Azure needs an IKEv2 profile to succeed in the negotiations to create the SA.

    So now I am investigating the policy-based option in another thread.

    If anybody has a better idea please let me know.



  • 3.  RE: Site to Site connection MS Azure using Comware Router based

    Posted Apr 10, 2018 04:04 AM

    Hi,

    we've managed to get a (sort of) route-based connection using the following config. We're using VSR-based routers (Comware7). Unfortunately there are no IPsec tunnel interfaces available, so the traffic that should be encrypted needs to match an ACL. From time to time the tunnel breaks, and even a "reset ipsec sa" and/or "reset ikev2 sa fast" does not help, so the whole instance needs to be rebooted. But apart from this issue it's running stably in between.

    BR,

    Michael

    ------------------------------------------------------------------------------------------
    ipsec transform-set ts1
     esp encryption-algorithm aes-cbc-256
     esp authentication-algorithm sha1 md5 aes-xcbc-mac
    #
    ipsec policy ipsec-azure 10 isakmp
     transform-set ts1
     security acl 3333
     local-address <Local-Public-IP>
     remote-address <Azure-GW-IP>
     ikev2-profile ikev2-profile-azure
     sa duration time-based 3600
    #
    ipsec policy ipsec-azure local-address GigabitEthernet1/0
    #
    ikev2 keychain azure_keychain
     peer azure-westeurope
      address <Azure-GW-IP> 255.255.255.255
      pre-shared-key ciphertext <ciphertext>
    #
    ikev2 profile ikev2-profile-azure
     authentication-method local pre-share
     authentication-method remote pre-share
     keychain azure_keychain
     sa duration 28800
     dpd interval 60 on-demand
     identity local address <Local-Public-IP>
     config-exchange set send
     config-exchange set accept
     match remote identity address <Azure-GW-IP> 255.255.255.255
    #
    ikev2 proposal azure_prop
     encryption aes-cbc-256
     integrity sha1
     dh group2
     prf sha1 sha256 md5 aes-xcbc-mac
    #
    ikev2 policy ike-azure
     proposal azure_prop
     match local address <Local-Public-IP>
    #

    bgp <Local-AS-Number>
     router-id <Loopback-IP>
     peer <Azure-GW-internal-IP> as-number <Remote-AS>
     peer <Azure-GW-internal-IP> ebgp-max-hop 2
     peer <Azure-GW-internal-IP> source-address <Loopback-IP>
     #
     address-family ipv4 unicast
      import-route static
      peer <Azure-GW-internal-IP> enable
    #

    acl advanced 3333
     description IPsec ACL
     rule 5 permit ip source <Loopback-IP> 0 destination <Azure-GW-internal-IP> 0
     rule 10 permit ip destination <your-Azure-Prefix> <your-Prefix-Wildcard>
     rule 50 deny ip
    #

    interface GigabitEthernet1/0
     port link-mode route
     ip address <Local-Public-IP> <Mask>
     tcp mss 1350
     ipsec apply policy ipsec-azure
     ipsec df-bit clear
    #
    --------------------------------------------------------------------------------------------------