
HP MSR935 and Cisco ASA IPSEC VPN



So, I wanted to configure an IPSEC VPN between a Cisco ASA and an HP MSR935.

I've simplified the config and kept only the necessary bits; this guide doesn't cover any ADSL or NAT configuration.

Cisco ASA to MSR935 IPSEC VPN

ASA Version: Cisco Adaptive Security Appliance Software Version 9.1(2)
MSR Version: Comware Software, Version 5.20.106, Release 2513P09

P1 - ASA
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 3600

group-policy GroupPolicy_99.99.99.99 internal
group-policy GroupPolicy_99.99.99.99 attributes
 vpn-tunnel-protocol ikev1

tunnel-group 99.99.99.99 type ipsec-l2l
tunnel-group 99.99.99.99 general-attributes
 default-group-policy GroupPolicy_99.99.99.99
tunnel-group 99.99.99.99 ipsec-attributes
 ikev1 pre-shared-key cipher **C1231iPher$string
 
P1 - MSR
ike proposal 2
encryption-algorithm aes-cbc 192
dh group2
sa duration 3600

ike peer VPN-SITE1-TO-SITE2
proposal 2
pre-shared-key cipher **C1231iPher$string
remote-address 89.89.89.89
local-address 99.99.99.99
nat traversal

P2 - ASA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 99.99.99.99
crypto map outside_map 1 set ikev1 transform-set ESP-AES-192-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 1843200
crypto map outside_map interface outside

P2 - MSR
ipsec transform-set vpn.1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm aes-cbc-192
 
ipsec policy vpn 1 isakmp
connection-name vpn.1
security acl 3001
pfs dh-group2
ike-peer VPN-SITE1-TO-SITE2
transform-set vpn.1
sa duration traffic-based 1843200
sa duration time-based 28800

INTERESTING TRAFFIC - ASA
object network SITE-1
 subnet 10.0.0.0 255.255.255.0
object network SITE-2
 subnet 192.168.10.0 255.255.255.0

access-list outside_cryptomap extended permit ip object SITE-1 object SITE-2

INTERESTING TRAFFIC - MSR
acl number 3001
 rule 5 permit ip source 10.0.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 10.0.10.0 0.0.0.255



Start sending traffic and you'll notice that the VPN builds successfully, but you only get one-way traffic. On the ASA the IPsec SA shows encaps but no decaps (the ASA is encapsulating traffic but is not receiving anything back). I know the ASA pretty well, so I knew it wasn't an issue there; it had to be NAT or routing on the MSR. After a quick call with HP support, I added the following route:

ROUTE CONFIGURATION - MSR
ip route-static 10.0.0.0 255.255.255.0 89.89.89.89

With that route in place, traffic flowed in both directions over the VPN. Job done.
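The two failure classes this page walks through (Phase 1 / Phase 2 parameters that don't agree across vendors, and a missing return route on the MSR that produces encaps-but-no-decaps) can be checked before bringing the tunnel up. The following is an added example, not code from the original page or from either vendor: it normalises the ASA and Comware keywords for the same algorithms, compares both peers, verifies that the crypto ACLs are mirror images, and confirms the MSR has a static route for the ASA's protected subnet pointing at the ASA. The sample values are constructed and modelled on the configs above; note that the MSR ACL above references 10.0.10.0/24 while the ASA SITE-1 object is 10.0.0.0/24, which is exactly the kind of discrepancy the mirror check reports.

```python
import ipaddress

# Vendor keywords for the same algorithm differ (ASA "aes-192" vs Comware "aes-cbc 192",
# ASA "sha" vs Comware "sha1"); map both onto one vocabulary before comparing.
ALIASES = {
    "aes-192": "aes192", "aes-cbc 192": "aes192", "aes-cbc-192": "aes192",
    "sha": "sha1", "esp-sha-hmac": "sha1", "group2": "dh2", "dh-group2": "dh2",
}

def norm(value):
    v = str(value).strip().lower()
    return ALIASES.get(v, v)

def compare_peers(asa, msr, msr_routes):
    """Return a list of mismatches between the two peers; an empty list means they agree."""
    problems = []
    for key in ("p1_encryption", "p1_hash", "p1_dh", "p1_lifetime_s",
                "p2_encryption", "p2_auth", "p2_lifetime_s", "p2_lifetime_kb"):
        if norm(asa[key]) != norm(msr[key]):
            problems.append(f"{key}: ASA={asa[key]!r} MSR={msr[key]!r}")
    if asa["psk"] != msr["psk"]:
        problems.append("pre-shared keys differ")
    if asa["peer"] != msr["local_address"]:
        problems.append("ASA 'set peer' does not match MSR 'local-address'")
    # Interesting traffic must mirror: ASA local == MSR remote and vice versa.
    asa_local = ipaddress.ip_network(asa["local_net"])
    asa_remote = ipaddress.ip_network(asa["remote_net"])
    msr_local = ipaddress.ip_network(msr["local_net"])
    msr_remote = ipaddress.ip_network(msr["remote_net"])
    if asa_local != msr_remote or asa_remote != msr_local:
        problems.append(f"crypto ACLs not mirrored: ASA {asa_local}->{asa_remote}, "
                        f"MSR {msr_local}->{msr_remote}")
    # Without a route for the ASA's subnet towards the ASA peer, the MSR never sends
    # return traffic into the tunnel: the ASA sees encaps but no decaps.
    if not any(asa_local.subnet_of(ipaddress.ip_network(dst)) and nh == msr["remote_address"]
               for dst, nh in msr_routes):
        problems.append(f"MSR lacks a static route for {asa_local} via {msr['remote_address']}")
    return problems

# Constructed sample values modelled on the configs above (not taken from a live device).
ASA = dict(p1_encryption="aes-192", p1_hash="sha", p1_dh="group2", p1_lifetime_s=3600,
           p2_encryption="aes-192", p2_auth="esp-sha-hmac", p2_lifetime_s=28800,
           p2_lifetime_kb=1843200, psk="**C1231iPher$string", peer="99.99.99.99",
           local_net="10.0.0.0/24", remote_net="192.168.10.0/24")
MSR = dict(p1_encryption="aes-cbc 192", p1_hash="sha1", p1_dh="group2", p1_lifetime_s=3600,
           p2_encryption="aes-cbc-192", p2_auth="sha1", p2_lifetime_s=28800,
           p2_lifetime_kb=1843200, psk="**C1231iPher$string", local_address="99.99.99.99",
           remote_address="89.89.89.89", local_net="192.168.10.0/24", remote_net="10.0.0.0/24")
```

Calling `compare_peers(ASA, MSR, [])` reports only the missing return route; adding `("10.0.0.0/24", "89.89.89.89")` to the route list, the equivalent of the `ip route-static` line above, clears it.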


