The firewall itself can trigger establishment of the IPSec VPN tunnel, but user traffic cannot trigger it.

Publication Date:  2012-10-19 Views:  340 Downloads:  0
Issue Description
192.168.179.128/25 |------USG2130------Internet------USG5320-------| 192.168.148.0/24
   The USG2130 firewall's intranet IP is 192.168.179.130 and its public IP is 3.3.3.2; the USG5320 intranet contains a host 192.168.148.2 that is reachable normally. The USG2130's basic network configuration is correct and routing is normal: the intranet port is added to the trust zone, the extranet interface is added to the untrust zone, packet filtering is permitted by default, and the configuration of the headquarters USG5320 is completely correct. After IPSec is configured on the branch, the device itself can ping the headquarters host 192.168.148.2 using source IP 192.168.179.130; IKE phase 1 and phase 2 both succeed and the VPN tunnel is established. But user traffic cannot trigger the tunnel.

USG2130 main configuration (packet filtering permitted by default):
           
#
firewall mode route
#
set runmode firewall
#
【IPSec configuration】
ike local-name icg2000
#
ike proposal 10
#
ike peer d
exchange-mode aggressive
pre-shared-key huawei
ike-proposal 10
local-id-type name
remote-name usg5320
remote-address 2.2.2.2
nat traversal
#
ipsec proposal tran1
#
ipsec policy map1 10 isakmp             
security acl 3001
ike-peer d
proposal tran1
【interface IP configuration and policy application】
#
vlan 1
#
interface Vlanif1
ip address 192.168.179.130 255.255.255.192
undo ip fast-forwarding qff               
#
interface Ethernet0/0/0
ip address 3.3.3.2 255.255.255.0
ipsec policy map1
#
【NAT ACL】
acl number 3000
rule 0 deny ip source 192.168.179.128 0.0.0.127 destination 192.168.148.0 0.0.0.255
rule 1 permit ip source 192.168.179.0 0.0.0.255
【Security ACL】
acl number 3001
rule 1 permit ip source 192.168.179.128 0.0.0.127 destination 192.168.148.0 0.0.0.255
#
【port add to the zone】                                     
firewall zone trust
set priority 85
add interface Vlanif1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
#
【domain packer-filter and NAT configuration】
firewall interzone trust untrust
packet-filter 3000 outbound
nat outbound 3000 Ethernet0/0/0     
#
【route configuration】
ip route-static 0.0.0.0 0.0.0.0 3.3.3.1
【ping from the LAN-side source address to the destination succeeds】
<USG2130>ping -a 192.168.179.130 192.168.148.2
  PING 192.168.0.32: 56  data bytes, press CTRL+C to break
    Reply from 192.168.148.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 192.168.148.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.148.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.148.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 192.168.148.2: bytes=56 Sequence=5 ttl=255 time=1 ms
【IKE SA status: established】
[USG2130]dis ike  sa
 connect number  peer end address  sign      stage  explanations domain
  ------------------------------------------------------------
        6          222.240.248.210:4500  RD|ST         1     IPSEC
        7          222.240.248.210:4500  RD|ST         2     IPSEC

Alarm Information
none
Handling Process
1. Suspected a problem with the internal network connection. But the firewall can ping the remote host, which rules this out.
2. Suspected an interface fast-forwarding or IKE version problem. Checking the configuration confirmed that fast-forwarding is already disabled on Vlanif1 and that this version does not support IKEv2, so neither applies.
3. Packet-filtering problem:

firewall interzone trust untrust
packet-filter 3000 outbound
nat outbound 3000 Ethernet0/0/0

acl number 3000
rule 0 deny ip source 192.168.179.128 0.0.0.127 destination 192.168.148.0 0.0.0.255
rule 1 permit ip source 192.168.179.0 0.0.0.255
   From this we can see that when the firewall pings with ping -a 192.168.179.130 192.168.148.2, the traffic goes from the local zone to the untrust zone; the policy between these two zones is open by default, so the ping produces interesting traffic and the VPN tunnel is established normally. But the interzone packet filter between trust and untrust denies the VPN interesting traffic from 192.168.179.128/25 to 192.168.148.0/24, so user traffic never reaches the IPSec policy and cannot establish the tunnel.
After deleting this interzone packet-filtering rule, the problem was solved; we recommend that the user create a separate packet-filtering ACL instead of reusing the NAT ACL.
Root Cause
1. Network connection problem
2. Configuration problem
Suggestions
When configuring IPSec VPN, do not reuse the NAT ACL as the interzone packet-filter ACL. The typical faulty form is as follows:
firewall interzone trust untrust
packet-filter 3000 outbound
nat outbound 3000 Ethernet0/0/0 # the packet-filter ACL and the NAT ACL are the same, causing the IPSec VPN problem
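To make the failure mode above concrete, here is an added example (not from the original article or from Huawei) that models the order in which the USG2130 evaluates the interzone packet filter, the NAT ACL and the IPSec security ACL for a packet leaving Ethernet0/0/0. The processing order, the wildcard-match semantics and the separate ACL 3002 are assumptions for illustration; the ACL rules themselves are transcribed from the configuration in the article.

```python
import ipaddress

# Constructed model (assumption, not the vendor's implementation) of the
# USG2130 rule evaluation the article describes. An ACL is an ordered list of
# (action, src, src_wildcard, dst, dst_wildcard); the first matching rule wins.

def _match(addr, base, wildcard):
    """Huawei-style wildcard match: every 0 bit in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & mask) == (b & mask)

def acl_lookup(acl, src, dst):
    """Return 'permit', 'deny', or None when no rule matches."""
    for action, s, sw, d, dw in acl:
        if _match(src, s, sw) and _match(dst, d, dw):
            return action
    return None

ANY = ("0.0.0.0", "255.255.255.255")

# ACLs transcribed from the article's USG2130 configuration.
ACL_3000 = [  # NAT ACL, also (wrongly) used as the trust->untrust packet filter
    ("deny", "192.168.179.128", "0.0.0.127", "192.168.148.0", "0.0.0.255"),
    ("permit", "192.168.179.0", "0.0.0.255", *ANY),
]
ACL_3001 = [  # IPSec security ACL (interesting traffic)
    ("permit", "192.168.179.128", "0.0.0.127", "192.168.148.0", "0.0.0.255"),
]
# Hypothetical separate packet-filter ACL, as the article's suggestion implies.
ACL_3002 = [("permit", *ANY, *ANY)]

def forward(src, dst, src_zone, packet_filter):
    """Assumed processing order for a packet leaving Ethernet0/0/0:
    interzone packet filter (applies to trust->untrust only; the firewall's
    own traffic is in the local zone, which is open to untrust by default),
    then the NAT ACL, then the IPSec policy's security ACL. Only an explicit
    deny drops, because the article's interzone default action is permit."""
    if src_zone == "trust" and acl_lookup(packet_filter, src, dst) == "deny":
        return "dropped by interzone packet-filter"
    if acl_lookup(ACL_3000, src, dst) == "permit":
        return "NAT applied, not interesting traffic"
    if acl_lookup(ACL_3001, src, dst) == "permit":
        return "IPSec interesting traffic, tunnel triggered"
    return "forwarded in clear"

if __name__ == "__main__":
    print(forward("192.168.179.131", "192.168.148.2", "trust", ACL_3000))  # user traffic, faulty config
    print(forward("192.168.179.130", "192.168.148.2", "local", ACL_3000))  # firewall's own ping
    print(forward("192.168.179.131", "192.168.148.2", "trust", ACL_3002))  # user traffic, separate filter ACL
```

The first call shows the user packet being discarded by the reused NAT ACL before it can ever match security ACL 3001, while the firewall's own ping and the corrected configuration both reach the IPSec policy.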

END