So, I wanted to configure an IPSEC VPN between a Cisco ASA and an HP MSR935.
I've simplified the config, and put the necessary bits in - this guide doesn't cover any ADSL or NAT configuration information.
ASA Version: Cisco Adaptive Security Appliance Software Version 9.1(2)
MSR Version: Comware Software, Version 5.20.106, Release 2513P09
P1 - ASA
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 3600
group-policy GroupPolicy_99.99.99.99 internal
group-policy GroupPolicy_99.99.99.99 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 99.99.99.99 type ipsec-l2l
tunnel-group 99.99.99.99 general-attributes
 default-group-policy GroupPolicy_99.99.99.99
tunnel-group 99.99.99.99 ipsec-attributes
 ikev1 pre-shared-key cipher **C1231iPher$string
P1 - MSR
ike proposal 2
 encryption-algorithm aes-cbc 192
 dh group2
 sa duration 3600
ike peer VPN-SITE1-TO-SITE2
 proposal 2
 pre-shared-key cipher **C1231iPher$string
 remote-address 89.89.89.89
 local-address 99.99.99.99
 nat traversal
P2 - ASA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 99.99.99.99
crypto map outside_map 1 set ikev1 transform-set ESP-AES-192-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 1843200
crypto map outside_map interface outside
P2 - MSR
ipsec transform-set vpn.1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-192
ipsec policy vpn 1 isakmp
 connection-name vpn.1
 security acl 3001
 pfs dh-group2
 ike-peer VPN-SITE1-TO-SITE2
 transform-set vpn.1
 sa duration traffic-based 1843200
 sa duration time-based 28800
INTERESTING TRAFFIC - ASA
object network SITE-1
 subnet 10.0.0.0 255.255.255.0
object network SITE-2
 subnet 192.168.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip object SITE-1 object SITE-2
INTERESTING TRAFFIC - MSR
acl number 3001
 rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
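The two interesting-traffic definitions have to mirror each other, and the ASA writes them with subnet masks while the MSR uses wildcard masks, which makes a mismatch easy to miss by eye. The script below is an added example, not part of the original post: it parses both forms and reports any ASA selector whose reverse is missing on the MSR. The function names are hypothetical, the sample configs are constructed in the style of the ones above, and only the `object`-based ACL and `permit ip` rule forms used in this guide are handled.

```python
import ipaddress
import re

# Constructed sample configs in the style of the ones above (not device output).
ASA_CFG = """\
object network SITE-1
 subnet 10.0.0.0 255.255.255.0
object network SITE-2
 subnet 192.168.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip object SITE-1 object SITE-2
"""
MSR_CFG = """\
acl number 3001
 rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
"""

def asa_selectors(cfg, acl_name):
    """Return {(src, dst)} networks for an ASA crypto ACL built from network objects."""
    objects = {name: ipaddress.ip_network(f"{addr}/{mask}")
               for name, addr, mask in
               re.findall(r"object network (\S+)\n\s*subnet (\S+) (\S+)", cfg)}
    pattern = (rf"access-list {re.escape(acl_name)} extended permit ip "
               r"object (\S+) object (\S+)")
    return {(objects[s], objects[d]) for s, d in re.findall(pattern, cfg)}

def msr_selectors(cfg):
    """Return {(src, dst)} networks for Comware ACL rules.

    ipaddress treats a mask starting with a zero field (0.0.0.255) as a
    host/wildcard mask, so both notations normalise to the same prefix.
    """
    pattern = r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)"
    return {(ipaddress.ip_network(f"{s}/{sw}"), ipaddress.ip_network(f"{d}/{dw}"))
            for s, sw, d, dw in re.findall(pattern, cfg)}

def unmirrored(asa_cfg, acl_name, msr_cfg):
    """ASA selectors whose reverse (dst -> src) is missing from the MSR ACL."""
    remote = msr_selectors(msr_cfg)
    return sorted((str(s), str(d)) for s, d in asa_selectors(asa_cfg, acl_name)
                  if (d, s) not in remote)

if __name__ == "__main__":
    gaps = unmirrored(ASA_CFG, "outside_cryptomap", MSR_CFG)
    print(gaps or "crypto ACLs mirror each other")
```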
Start sending traffic, and you'll notice that the VPN builds successfully - but..!!! You only get one-way traffic: on the Cisco, it's encaps but no decaps (the ASA is encapsulating traffic, but is not receiving anything back down)... I know the ASA pretty well, so knew it wasn't an issue there; it had to be NAT'ing or routing on the MSR. A quick call with HP support, and I added the following route:
ROUTE CONFIGURATION - MSR
ip route-static 10.0.0.0 255.255.255.0 89.89.89.89
All of a sudden, traffic was traversing up and down the VPN.. job done