Step-by-step IPSec VPN installation and configuration for the Huawei Secoway SVN2260 Gateway and GreenBow VPN client. For more VPN configuration guides, tutorials and how-tos, go to http://www.thegreenbow.com/vpn_gateway.html
TheGreenBow VPN
& SVN2260
VPN
WebSite: http://www.thegreenbow.com
Contact: support@thegreenbow.com
IPSec VPN
Property of TheGreenBow Sistech SA - Sistech 2001-2012
Doc.Ref: tgbvpn_cg-huawei-secoway-svn2260-zh
Doc.version: 1.0 Mar 2012
VPN version: 5.13.002
1 1.1 TheGreenBow VPN Secoway SVN2260 VPN VPN
1.2 VPN VPN IPSec VPN Secoway SVN2260 VPN VPN VPN DSL IP IPSec VPN LAN 192.168.1.1 192.168.0.1
IPSec VPN 192 168 1 2
Internet SVN2260 192.168.0.3
192.168.0.78
1.3 Secoway SVN2260 VPN Secoway SVN2260 VPN V200R001C00SPC200
1.4 Secoway SVN2260 VPN Secoway SVN2260 VPN Secoway SVN2260 VPN www.huawei.com/cn/products/security-storage/security-product/svn/svn3000/index.htm
2 Secoway SVN2260 VPNVPN Secoway SVN2260 VPN VPN
1) SVN2260 "VPN", "IPsec" "IKE Negotiation", phase1
2) phase 1 , "Main Mode" Negotiation Mode, Pre-Shared Key, NAT Traversal
3) phase 2, Tunnel Mode Encapsulation Mode, DH-Group2 PFS
4) IPsec Policy , IPsec Rule
3 VPN VPN Secoway SVN2260 VPN VPN TheGreenBow IPSec VPN http://www.thegreenbow.com/vpn_down.html
3.1 VPNIKE
VPN IP DNS
123456
1
1
3.2 VPN IPSec
IP
LAN IP
2
3.3 IPSec VPN Secoway SVN2260 VPN IPSec VPN VPN IPSec 1 VPN 2 IPSec VPN 3 VPN 4 IPSec VPN IPSec VPN IPSec VPN Secoway SVN2260 VPN IPSec VPN
4 IPSec VPN VPN VPN
4.1 WiresharkWiresharkIPTCP http://www.wireshark.org (http://www.wireshark.org/docs/)
5 IPSec VPN
5.1 ( 1 )
114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
114920 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [NOTIFY]
114920 Default exchange_run: exchange_validate failed
114920 Default dropped message from 195.100.205.114 port 500 due to notification type PAYLOAD_MALFORMED
114920 Default SEND Informational [NOTIFY] with PAYLOAD_MALFORMED error
[SA] VPN
5.2 COOKIE
115933 Default message_recv: invalid cookie(s) 5918ca0c2634288f 7364e3e486e49105
115933 Default dropped message from 195.100.205.114 port 500 due to notification type INVALID_COOKIE
115933 Default SEND Informational [NOTIFY] with INVALID_COOKIE error
COOKIE VPN SA VPN
5.3 no keystate
115315 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115317 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
115317 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
115319 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
115319 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
115319 Default ipsec_get_keystate: no keystate in ISAKMP SA 00B57C50
ID VPN
5.4 ID
120348 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
120349 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
120349 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
120351 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
120351 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
120351 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
120351 Default ike_phase_1_recv_ID: received remote ID other than expected support@thegreenbow.fr
ID
5.5 no proposal chosen
115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115913 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
115913 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
115915 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
115915 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114
115915 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error
115915 Default RECV Informational [HASH][DEL]
115915 Default CNXVPN1-P1 deleted
no proposal chosen 2 1
115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error
5.6 ID
122623 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
122625 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
122625 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
122626 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
122626 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
122626 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
122626 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114
122626 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
122626 Default RECV Informational [HASH][NOTIFY] with INVALID_ID_INFORMATION error
122626 Default RECV Informational [HASH][DEL]
122626 Default CNXVPN1-P1 deleted
ID 2 ID ( IP ) ID
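The client log excerpts in sections 5.1 to 5.6 can be triaged mechanically. The Python below is an added example, not part of TheGreenBow's guide or client: it splits a run-together client log into entries, finds the first failure marker shown in those sections, and reports phase 2 only when a "phase 1 done" entry precedes it, which is how the two NO_PROPOSAL_CHOSEN excerpts in 5.5 differ. The function names are hypothetical, and the sample lines are shortened copies of the 5.5 excerpts.

```python
import re

# One client log entry: HHMMSS timestamp, the literal "Default", then the message.
# The lookahead ends a message at the next entry or at the end of the text.
ENTRY = re.compile(r"\b(\d{6}) Default (.*?)(?=\s+\d{6} Default |\s*$)", re.S)

# Failure markers that appear in the log excerpts of sections 5.1 to 5.6.
MARKERS = (
    "PAYLOAD_MALFORMED",
    "INVALID_COOKIE",
    "no keystate",
    "received remote ID other than expected",
    "NO_PROPOSAL_CHOSEN",
    "INVALID_ID_INFORMATION",
)

def split_entries(text):
    """Split a log (one entry per line or run together) into (timestamp, message)."""
    return [(ts, " ".join(msg.split())) for ts, msg in ENTRY.findall(text)]

def triage(text):
    """Return (marker, phase) for the first failure entry, or None if none is found.

    phase is 2 only if a "phase 1 done" entry was logged earlier in the same text.
    """
    phase1_done = False
    for _ts, msg in split_entries(text):
        if msg.startswith("phase 1 done"):
            phase1_done = True
        for marker in MARKERS:
            if marker in msg:
                return (marker, 2 if phase1_done else 1)
    return None

# Shortened copies of the two section 5.5 excerpts (first run together, second per line).
P2_LOG = ("115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY] "
          "115915 Default phase 1 done: initiator id c364cd70: 195.100.205.112, "
          "responder id c364cd72: 195.100.205.114 "
          "115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error")
P1_LOG = ("115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]\n"
          "115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error")

if __name__ == "__main__":
    for name, log in (("5.5 first excerpt", P2_LOG), ("5.5 second excerpt", P1_LOG)):
        print(name, "->", triage(log))
```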
5.7 , VPN IKE IPSec UDP 500 ESP
5.8 VPNPing VPN ping 2 VPN LAN VPN IP VPN ESP ESP VPN ESP
VPN VPN ISP ESP ping VPN LAN ping VPN LAN LAN
Ethereal
ping Wireshark (http://www.wireshark.org) LAN LAN IP
ping
6 TheGreenBow http://www.thegreenbow.com/zh/ support@thegreenbow.com sales@thegreenbow.com