Hi,
Any Comware 7 experts on here?
We're trying to set up an S2S VPN between our HPE MSR3044 and a Checkpoint 1550 Appliance that has dual WAN failover. We are able to create the tunnel between the primary WAN link on the Checkpoint and the MSR with no issues; the trouble starts when we try to add the failover link to the mix.
The VPN works perfectly on the primary WAN. When we do a failover there is a short connection loss and then the VPN starts up on the failover link, which is fine and expected. The issue starts when we try to fall back to the primary WAN: the MSR keeps the phase 2 alive on the backup and creates a new phase 2 for the primary, but passes no traffic, I'm guessing because it now has two alive phase 1 and 2 and it can't decide where to route the traffic.
If I manually delete the phase 1 and 2 for both interfaces on the MSR it'll renegotiate and establish the tunnel again.
Here's the relevant config on the MSR; if you need something else I'll provide it:
MSR WAN: 1.1.1.178/29
Checkpoint primary WAN: 2.2.2.145/24
Checkpoint backup WAN: 3.3.3.4/29
MSR LAN: XXX.XXX.XXX.2/24
Checkpoint LAN: YYY.YYY.YYY.1/24
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address dhcp-alloc
port link-aggregation group 1
#
interface GigabitEthernet2/0/0
port link-mode route
combo enable copper
port link-aggregation group 1
#
interface Route-Aggregation1
ip address 1.1.1.178 255.255.255.248
packet-filter name outside-in inbound
ipsec apply policy CustomerVPN
#
vlan 429
name TEST
description Customer TEST
#
ip vpn-instance TEST
route-distinguisher 65000:429
description Customer TEST
#
interface Vlan-interface429
description Customer TEST
ip binding vpn-instance TEST
ip address XXX.XXX.XXX.2 255.255.255.0
#
ip route-static 0.0.0.0 0 1.1.1.177
ip route-static vpn-instance TEST YYY.YYY.YYY.0 24 1.1.1.177 public
#
acl advanced name acl-TEST
description IPsec to Office
rule 0 permit ip vpn-instance TEST source XXX.XXX.XXX.0 0.0.0.255 destination YYY.YYY.YYY.0 0.0.0.255
#
ike keychain key-TEST
pre-shared-key address 2.2.2.145 255.255.255.255 key cipher -snip-
pre-shared-key address 3.3.3.4 255.255.255.255 key cipher -snip-
#
ike profile ike-TEST
keychain key-TEST
dpd interval 10 retry 5 periodic
match remote identity address 2.2.2.145 255.255.255.255
match remote identity address 3.3.3.4 255.255.255.255
proposal 30
inside-vpn vpn-instance TEST
#
ipsec policy CustomerVPN 429 isakmp
transform-set trans-aes-cbc-256-sha256-dh14
security acl name acl-TEST
local-address 1.1.1.178
remote-address 2.2.2.145 primary
remote-address 3.3.3.4
ike-profile ike-TEST
sa trigger-mode auto
sa duration time-based 3600
sa idle-time 60
remote-address switch-back enable
#
The Checkpoint is set up to do HA on the two WAN interfaces and use the source IP of the current active interface for the VPN; I'll provide pictures if necessary.
Does anyone know if this is at all possible on an MSR? HPE is not being very helpful.
TIA
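A dual-peer IPsec policy on Comware 7 only works when three stanzas agree with each other: every remote-address in the ipsec policy needs a matching match remote identity address in the ike profile it references, and that profile's keychain needs a pre-shared key for the same peer; with more than one remote-address, exactly one should be marked primary and switch-back should be enabled if fallback is wanted. The script below is an added consistency check, not part of the post above and not an HPE tool; it parses the keychain, profile and policy stanzas (a constructed copy of the ones posted, with the keys still snipped) and flags any mismatch. The stanza names and peer addresses are those from the post; the broken variant is constructed to show what a finding looks like.

```python
import re
from collections import defaultdict

# Constructed sample: the peer-related stanzas as posted above (keys snipped in the post).
SAMPLE_CONFIG = """\
ike keychain key-TEST
 pre-shared-key address 2.2.2.145 255.255.255.255 key cipher -snip-
 pre-shared-key address 3.3.3.4 255.255.255.255 key cipher -snip-
#
ike profile ike-TEST
 keychain key-TEST
 dpd interval 10 retry 5 periodic
 match remote identity address 2.2.2.145 255.255.255.255
 match remote identity address 3.3.3.4 255.255.255.255
 proposal 30
 inside-vpn vpn-instance TEST
#
ipsec policy CustomerVPN 429 isakmp
 transform-set trans-aes-cbc-256-sha256-dh14
 security acl name acl-TEST
 local-address 1.1.1.178
 remote-address 2.2.2.145 primary
 remote-address 3.3.3.4
 ike-profile ike-TEST
 sa trigger-mode auto
 sa duration time-based 3600
 sa idle-time 60
 remote-address switch-back enable
#
"""

# Constructed variant: the backup peer's pre-shared key is missing, a typical copy/paste slip.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    " pre-shared-key address 3.3.3.4 255.255.255.255 key cipher -snip-\n", "")


def parse_stanzas(text):
    """Split a Comware config into stanzas; '#' lines are the separators."""
    stanzas, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            if current:
                stanzas.append(current)
            current = []
        else:
            current.append(line)
    if current:
        stanzas.append(current)
    return stanzas


def extract_peers(text):
    """Return (keychain -> peer addresses, profile -> info, (policy, seq) -> info)."""
    keychains = defaultdict(set)
    profiles, policies = {}, {}
    for stanza in parse_stanzas(text):
        head, body = stanza[0], stanza[1:]
        if head.startswith("ike keychain "):
            name = head.split()[2]
            for line in body:
                m = re.match(r"pre-shared-key address (\S+) ", line)
                if m:
                    keychains[name].add(m.group(1))
        elif head.startswith("ike profile "):
            info = {"keychain": None, "identities": set()}
            for line in body:
                if line.startswith("keychain "):
                    info["keychain"] = line.split()[1]
                m = re.match(r"match remote identity address (\S+)", line)
                if m:
                    info["identities"].add(m.group(1))
            profiles[head.split()[2]] = info
        elif head.startswith("ipsec policy "):
            parts = head.split()
            info = {"remotes": [], "primary": None, "profile": None, "switch_back": False}
            for line in body:
                # "remote-address switch-back enable" does not match this pattern (no trailing $).
                m = re.match(r"remote-address (\S+)( primary)?$", line)
                if m:
                    info["remotes"].append(m.group(1))
                    if m.group(2):
                        info["primary"] = m.group(1)
                elif line.startswith("ike-profile "):
                    info["profile"] = line.split()[1]
                elif line == "remote-address switch-back enable":
                    info["switch_back"] = True
            policies[(parts[2], parts[3])] = info
    return keychains, profiles, policies


def check(text):
    """Cross-check every ipsec policy against its ike profile and keychain; return findings."""
    findings = []
    keychains, profiles, policies = extract_peers(text)
    for (name, seq), pol in policies.items():
        tag = f"ipsec policy {name} {seq}"
        if len(pol["remotes"]) > 1 and pol["primary"] is None:
            findings.append(f"{tag}: several remote-address entries but none marked primary")
        if len(pol["remotes"]) > 1 and not pol["switch_back"]:
            findings.append(f"{tag}: backup peer configured without 'remote-address switch-back enable'")
        prof = profiles.get(pol["profile"])
        if prof is None:
            findings.append(f"{tag}: ike-profile {pol['profile']} is not defined")
            continue
        known_keys = keychains.get(prof["keychain"], set())
        for peer in pol["remotes"]:
            if peer not in prof["identities"]:
                findings.append(f"{tag}: peer {peer} has no 'match remote identity address' in ike profile {pol['profile']}")
            if peer not in known_keys:
                findings.append(f"{tag}: peer {peer} has no pre-shared-key in ike keychain {prof['keychain']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check(cfg) or "OK")
```

Run against the posted stanzas the check comes back clean, which narrows the fallback problem to SA handling rather than a peer/identity/key mismatch; the broken variant reports the peer that would fail phase 1 authentication after a failover.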