Huawei Secoway SVN2260 VPN Gateway & GreenBow IPsec VPN Software Configuration (ZH)

Step-by-step IPSec VPN installation and configuration for the Huawei Secoway SVN2260 Gateway and GreenBow VPN client. For more VPN configuration guides, tutorials and how-tos, go to http://www.thegreenbow.com/vpn_gateway.html

TheGreenBow VPN

& SVN2260

WebSite: http://www.thegreenbow.com
Contact: [email protected]

IPSec VPN

Property of TheGreenBow Sistech SA - Sistech 2001-2012

Doc.Ref: tgbvpn_cg-huawei-secoway-svn2260-zh
Doc.version: 1.0 Mar 2012
VPN version: 5.13.002

1
    1.1
    1.2 VPN
    1.3 Secoway SVN2260 VPN
    1.4 Secoway SVN2260 VPN
2 Secoway SVN2260 VPN VPN
3 VPN
    3.1 VPN IKE
    3.2 VPN IPSec
    3.3 IPSec VPN
4
    4.1 Wireshark
5 IPSec VPN
    5.1 ( 1 )
    5.2 COOKIE
    5.3 no keystate
    5.4 ID
    5.5 no proposal chosen
    5.6 ID
    5.7
    5.8 VPN Ping
6

1

1.1

TheGreenBow VPN Secoway SVN2260 VPN VPN

1.2 VPN

VPN IPSec VPN Secoway SVN2260 VPN VPN VPN DSL IP IPSec VPN LAN 192.168.1.1 192.168.0.1

[Figure: network diagram. Labels: IPSec VPN 192.168.1.2, Internet, SVN2260 192.168.0.3, 192.168.0.78]

1.3 Secoway SVN2260 VPN

Secoway SVN2260 VPN V200R001C00SPC200

1.4 Secoway SVN2260 VPN

Secoway SVN2260 VPN Secoway SVN2260 VPN www.huawei.com/cn/products/security-storage/security-product/svn/svn3000/index.htm

2 Secoway SVN2260 VPN VPN

Secoway SVN2260 VPN VPN

1) SVN2260 "VPN", "IPsec" "IKE Negotiation", phase1

2) phase 1, "Main Mode" Negotiation Mode, Pre-Shared Key, NAT Traversal

3) phase 2, Tunnel Mode Encapsulation Mode, DH-Group2 PFS

4) IPsec Policy, IPsec Rule

3 VPN

VPN Secoway SVN2260 VPN VPN TheGreenBow IPSec VPN http://www.thegreenbow.com/vpn_down.html

3.1 VPN IKE

[Figure: screenshot. Callout text: "VPN IP DNS", "123456", "1"]

3.2 VPN IPSec

[Figure: screenshot. Callout text: "IP", "LAN IP", "2"]

3.3 IPSec VPN

Secoway SVN2260 VPN IPSec VPN VPN IPSec

1 VPN
2 IPSec VPN
3 VPN
4 IPSec VPN IPSec VPN IPSec VPN Secoway SVN2260 VPN IPSec VPN

4

IPSec VPN VPN VPN

4.1 Wireshark

Wireshark IP TCP http://www.wireshark.org (http://www.wireshark.org/docs/)

5 IPSec VPN

5.1 ( 1 )

114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
114920 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [NOTIFY]
114920 Default exchange_run: exchange_validate failed
114920 Default dropped message from 195.100.205.114 port 500 due to notification type PAYLOAD_MALFORMED
114920 Default SEND Informational [NOTIFY] with PAYLOAD_MALFORMED error

[SA] VPN

5.2 COOKIE

115933 Default message_recv: invalid cookie(s) 5918ca0c2634288f 7364e3e486e49105
115933 Default dropped message from 195.100.205.114 port 500 due to notification type INVALID_COOKIE
115933 Default SEND Informational [NOTIFY] with INVALID_COOKIE error

COOKIE VPN SA VPN

5.3 no keystate

115315 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115317 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
115317 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
115319 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
115319 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
115319 Default ipsec_get_keystate: no keystate in ISAKMP SA 00B57C50

ID VPN

5.4 ID

120348 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
120349 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
120349 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
120351 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
120351 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
120351 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
120351 Default ike_phase_1_recv_ID: received remote ID other than expected [email protected]

ID

5.5 no proposal chosen

115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115913 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
115913 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
115915 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
115915 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114
115915 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error
115915 Default RECV Informational [HASH][DEL]
115915 Default CNXVPN1-P1 deleted

no proposal chosen 2 1

115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error

5.6 ID

122623 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
122625 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
122625 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
122626 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
122626 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
122626 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
122626 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114
122626 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
122626 Default RECV Informational [HASH][NOTIFY] with INVALID_ID_INFORMATION error
122626 Default RECV Informational [HASH][DEL]
122626 Default CNXVPN1-P1 deleted

ID 2 ID ( IP ) ID
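Added example (not part of the original guide and not TheGreenBow code): a small Python triage of the console log format shown in sections 5.1 to 5.6. For each error it reports which negotiation phase was in progress and whether the peer or the local client rejected the message. The names triage, SAMPLE_P2, SAMPLE_P1 and SAMPLE_COOKIE are assumptions of this example; the sample lines are excerpts of the traces in 5.5 and 5.2.

```python
import re

# Sample input: excerpts of the traces shown in sections 5.5 and 5.2.
SAMPLE_P2 = """\
115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
115915 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114
115915 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error
"""
SAMPLE_P1 = """\
115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error
"""
SAMPLE_COOKIE = """\
115933 Default message_recv: invalid cookie(s) 5918ca0c2634288f 7364e3e486e49105
115933 Default dropped message from 195.100.205.114 port 500 due to notification type INVALID_COOKIE
115933 Default SEND Informational [NOTIFY] with INVALID_COOKIE error
"""

# "(SA <name>) SEND|RECV phase <n> ..." marks the exchange in progress.
EXCHANGE = re.compile(r"\) (?:SEND|RECV) phase ([12]) ")
# "SEND|RECV Informational [...] with <NAME> error" carries the notify type.
NOTIFY = re.compile(r"Default (SEND|RECV) Informational .* with (\w+) error")
# "<function>: <message>" is a diagnostic raised by the client itself.
LOCAL = re.compile(r"Default (\w+): (.*)")

def triage(log_text):
    """Return (phase, rejected_by, detail) for every error in the log.

    phase is None when the excerpt contains no phase 1/2 exchange line.
    """
    phase, findings = None, []
    for line in log_text.splitlines():
        if m := EXCHANGE.search(line):
            phase = int(m.group(1))
        elif m := NOTIFY.search(line):
            # The side that sends the notify is the side that rejected.
            rejected_by = "peer" if m.group(1) == "RECV" else "local"
            findings.append((phase, rejected_by, m.group(2)))
        elif m := LOCAL.search(line):
            findings.append((phase, "local", f"{m.group(1)}: {m.group(2)}"))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_P2, SAMPLE_P1, SAMPLE_COOKIE):
        print(triage(sample))
```

The same NO_PROPOSAL_CHOSEN notify is attributed to phase 2 in the first sample and to phase 1 in the second, which is the distinction section 5.5 draws between its two traces.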

5.7 , VPN IKE IPSec UDP 500 ESP

5.8 VPN Ping

VPN ping 2 VPN LAN VPN IP VPN ESP ESP VPN ESP

VPN VPN ISP ESP ping VPN LAN ping VPN LAN LAN

Ethereal

ping Wireshark (http://www.wireshark.org) LAN LAN IP

ping

6 TheGreenBow http://www.thegreenbow.com/zh/ [email protected] [email protected]
