2 Replies Latest reply on Aug 15, 2019 8:31 AM by continuum

    SCP between 4.1 and 6.7

    Eltelnetworks Lurker

      I have an old 4.1 server, and need to move 1 VM to a new server running 6.7 U2

      I have been using scp, and that has worked perfectly for the 5.1 servers I have done. I only have one 4.1 missing.

      In a previous post, SCP between 4.1 and 6.7 no matching KexAlgo, the solution was:

       

      After running in the same trouble

       

      login with putty on the new 6.x hypervisor

      esxcli network firewall set --enabled false

      deactivate firewall (outgoing SSH is disabled)

      scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@192.168.x.x:/vmfs/volumes/datastore/nameofthevm/ /vmfs/volumes/datastore/

      (192.168.x.x is the "old" 4.x hypervisor)

      enable firewall

      esxcli network firewall set --enabled true

      I have tried a bunch of commands, but they all fail due to 4.1 using the old Diffie-Hellman SHA-1 key exchange.

       

      Any help would be appreciated.


      [root@svrdc067v205:~] esxcli network firewall set --enabled false

      [root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

      "diffie-hellman-group1-sha1" is not allowed in FIPS mode

      FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.

      [root@svrdc067v205:~] scp -oCiphers=3des-cbc -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

      Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

      [root@svrdc067v205:~] esxcli system security fips140 ssh set --enable=false

      [root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

      "diffie-hellman-group1-sha1" is not allowed in FIPS mode

      FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.

      [root@svrdc067v205:~] scp -oCiphers=3des-cbc -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

      Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

      [root@svrdc067v205:~] esxcli system security fips140 ssh get

         Enabled: false

      [root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

      "diffie-hellman-group1-sha1" is not allowed in FIPS mode

      FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.

      [root@svrdc067v205:~] esxcli system security fips140 ssh set --enable=true

      [root@svrdc067v205:~] esxcli network firewall set --enabled true


      [root@svrdc067v205:~] esxcli network firewall set --enabled false

      [root@svrdc067v205:~] scp -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

      Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

      [root@svrdc067v205:~] esxcli network firewall set --enabled true

      Otherwise I am stuck with the Datastore browser. 300 GB would take quite some time.
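A small classifier for the scp/ssh error lines pasted above, added here as an example and not part of the thread: it reads the stderr text (sample lines constructed from the session above) and tells apart the two failures it shows, the old 4.1 host offering only diffie-hellman-group1-sha1, and the 6.7 client's FIPS mode refusing to enable that method. The LEGACY_KEX set is an assumption made for the example.

```python
import re
from dataclasses import dataclass, field

# Key-exchange methods a FIPS-mode OpenSSH client refuses to enable (assumption
# for this example; group1-sha1 is the one the thread shows).
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

# "Unable to negotiate with HOST port N: no matching ... found. Their offer: a,b"
OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|cipher|host key type) found\. "
    r"Their offer: (?P<offer>[\w@.,-]+)"
)
# "FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'."
FIPS_RE = re.compile(r"FIPS mode incompatible with SSH2 (?P<opt>\w+) '(?P<val>[^']+)'")

# Constructed from the session pasted in the thread (not a live capture).
SAMPLE_LOG = """\
"diffie-hellman-group1-sha1" is not allowed in FIPS mode
FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.
Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
"""

@dataclass
class Diagnosis:
    host: str = ""
    legacy_offered: set = field(default_factory=set)  # weak KEX the server offered
    fips_blocked: set = field(default_factory=set)    # KEX the client refused under FIPS

    @property
    def verdict(self) -> str:
        if self.fips_blocked:
            # Client side is the blocker: FIPS mode will not enable this KEX, so
            # the copy has to go through a non-FIPS intermediary instead.
            return "client-fips-blocks-legacy-kex"
        if self.legacy_offered:
            return "server-offers-only-legacy-kex"  # old host speaks SHA-1 KEX only
        return "no-kex-problem-seen"

def diagnose(log: str) -> Diagnosis:
    """Scan scp/ssh stderr lines and record which side blocked the key exchange."""
    d = Diagnosis()
    for line in log.splitlines():
        m = OFFER_RE.search(line)
        if m and m.group("what") == "key exchange method":
            d.host = m.group("host")
            d.legacy_offered |= set(m.group("offer").split(",")) & LEGACY_KEX
            continue
        m = FIPS_RE.search(line)
        if m and m.group("opt") == "KexAlgorithms":
            # Strip the +/-/^ list-edit prefix OpenSSH accepts in KexAlgorithms.
            d.fips_blocked |= {a.lstrip("+-^") for a in m.group("val").split(",")}
    return d
```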

        • 1. Re: SCP between 4.1 and 6.7
          Eltelnetworks Lurker

          All esxcli system security fips140 ssh set -e false does is replace the 'FipsMode' line in /etc/ssh/sshd_config with 'FipsMode no'.

           

          However that doesn't actually appear to disable FipsMode within OpenSSH.

           

          It used to work with the original 6.7 release, but after applying Update 1 or later it stopped working.

          • 2. Re: SCP between 4.1 and 6.7
            continuum Guru

            Do you have any Linux system that can reach both hosts via the network? This can be a VM on one of the hosts or a standalone physical machine ...

            When I have to move VMs from host to host and run into problems I use a Linux ...

            mkdir /esxi-in

            mkdir /esxi-out

            sshfs -o ro root@esxi41:/ /esxi-in

            sshfs root@esxi67:/vmfs/volumes/datastore/target-dir /esxi-out

            Then I use ddrescue to copy from /esxi-in to /esxi-out

            That will be slower than using scp from host 1 to host 2, but it is more reliable and probably way easier to set up.