The firewall itself can trigger establishment of the IPSec VPN tunnel, but traffic from users cannot trigger it.

Publication Date:  2012-10-19 Views:  368 Downloads:  0
Issue Description
Topology: /25 |------USG2130------Internet------USG5320------| /24
The USG2130 firewall's intranet IP is , and its public IP is ; a host on the USG5320 intranet is connected normally. The USG2130's basic network configuration is correct and routing works: the intranet port has been added to the trust zone, the extranet interface to the untrust zone, and packet filtering permits everything by default. The central USG5320 is configured completely correctly. After IPSec is configured on the branch, pings sourced from the device's own IP reach the central host, IKE phase 1 and phase 2 both succeed, and the VPN tunnel comes up. But traffic from users cannot trigger the tunnel to be set up.

USG2130 main configuration (packet filtering permits everything by default):
firewall mode route
set runmode firewall
【IPSec configuration】
ike local-name icg2000
ike proposal 10
ike peer d
exchange-mode aggressive
pre-shared-key huawei
ike-proposal 10
local-id-type name
remote-name usg5320
nat traversal
ipsec proposal tran1
ipsec policy map1 10 isakmp             
security acl 3001
ike-peer d
proposal tran1
【interface IP configuration and policy application】
vlan 1
interface Vlanif1
ip address
undo ip fast-forwarding qff               
interface Ethernet0/0/0
ip address
ipsec policy map1
acl number 3000
rule 0 deny ip source destination
rule 1 permit ip source
【Security ACL】
acl number 3001
rule 1 permit ip source destination
【port add to the zone】                                     
firewall zone trust
set priority 85
add interface Vlanif1
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
【interzone packet-filter and NAT configuration】
firewall interzone trust untrust
packet-filter 3000 outbound
nat outbound 3000 Ethernet0/0/0     
【route configuration】
ip route-static
【Ping from a LAN source address to the destination succeeds】
<USG2130>ping -a
  PING 56  data bytes, press CTRL+C to break
    Reply from bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from bytes=56 Sequence=5 ttl=255 time=1 ms
【IKE status: success】
[USG2130]dis ike  sa
 connect number  peer end address  sign      stage  explanations domain
        6  RD|ST         1     IPSEC
        7  RD|ST         2     IPSEC

Alarm Information
Handling Process
1. Suspected a problem with the internal network connection. But the firewall can ping the live host, which rules this out.
2. Suspected an interface fast-forwarding or IKE version problem. Checking the configuration, fast-forwarding is already disabled on Vlanif1, and it was confirmed that this version does not support IKE version 2.
3. Packet filtering problem:

firewall interzone trust untrust
packet-filter 3000 outbound
nat outbound 3000 Ethernet0/0/0

acl number 3000
rule 0 deny ip source destination
rule 1 permit ip source
From this we can see that a ping issued on the firewall with ping -a goes from the local zone to untrust, and these two zones are open to each other by default, so the ping generates interesting traffic and the VPN tunnel is established normally. But the interzone packet filter from trust to untrust denies the VPN interesting traffic, so user traffic cannot bring the tunnel up.
After this interzone packet-filter rule was deleted, the problem was solved; users are advised to create a separate packet-filter rule instead.
Root Cause
1. Network connection problem
2. Configuration problem
When configuring IPSec VPN, do not reuse the NAT ACL for interzone packet filtering. The typical form of the mistake is as follows:
firewall interzone trust untrust
packet-filter 3000 outbound
nat outbound 3000 Ethernet0/0/0   # the packet-filter ACL and the NAT ACL are the same, which causes the IPSec VPN problem
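The handling process and root cause above come down to one pattern: the deny rule in the NAT ACL (there to keep VPN traffic out of NAT) also drops that traffic when the same ACL is applied as the trust-to-untrust packet filter. The following added example, written for this page and not Huawei's or the original author's code, parses a small USG-style configuration, evaluates the ACLs with first-match semantics, and flags any interzone where the packet-filter ACL and the NAT ACL are the same number and that ACL denies a flow permitted by an IPSec security ACL. The addresses (192.168.1.0/24, 192.168.2.0/24, 203.0.113.5) are constructed because the page's own addresses are not shown, the wildcard masks are assumed to be contiguous, and the unmatched-packet default is "permit" as the page states for this firewall.

```python
"""Audit a Huawei USG-style config for a packet filter that reuses the NAT ACL."""
import ipaddress
import re

# Constructed sample mirroring the page's USG2130 layout; addresses are invented.
SAMPLE_CONFIG = """\
acl number 3000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 permit ip source 192.168.1.0 0.0.0.255
acl number 3001
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec policy map1 10 isakmp
 security acl 3001
firewall interzone trust untrust
 packet-filter 3000 outbound
 nat outbound 3000 Ethernet0/0/0
"""

# Same topology after the recommended fix: a separate ACL (3002, assumed number)
# carries the packet filter, while ACL 3000 stays dedicated to NAT.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" packet-filter 3000 outbound",
                                     " packet-filter 3002 outbound") + """\
acl number 3002
 rule 1 permit ip source 192.168.1.0 0.0.0.255
"""

RULE_RE = re.compile(r"rule\s+\d+\s+(permit|deny)\s+ip"
                     r"(?:\s+source\s+(\S+)\s+(\S+))?"
                     r"(?:\s+destination\s+(\S+)\s+(\S+))?")
TOP_LEVEL_RE = re.compile(r"^(interface|ipsec|ike|vlan|ip route)")


def wildcard_to_network(addr, wildcard):
    """Huawei 'address wildcard' -> ip_network, assuming a contiguous wildcard."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)


def parse_config(text):
    """Return (acls, interzones, security_acls) extracted from the config text."""
    acls, interzones, security_acls = {}, {}, []
    current_acl = current_zone = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := re.match(r"acl number (\d+)", line)):
            current_acl, current_zone = int(m.group(1)), None
            acls.setdefault(current_acl, [])
        elif (m := re.match(r"firewall interzone (\S+) (\S+)", line)):
            current_zone, current_acl = (m.group(1), m.group(2)), None
            interzones.setdefault(current_zone, {})
        elif (m := RULE_RE.match(line)) and current_acl is not None:
            action, sa, sw, da, dw = m.groups()
            acls[current_acl].append((action,
                                      wildcard_to_network(sa, sw) if sa else None,
                                      wildcard_to_network(da, dw) if da else None))
        elif (m := re.match(r"packet-filter (\d+) (inbound|outbound)", line)) and current_zone:
            interzones[current_zone]["packet_filter"] = int(m.group(1))
        elif (m := re.match(r"nat outbound (\d+)", line)) and current_zone:
            interzones[current_zone]["nat"] = int(m.group(1))
        elif (m := re.match(r"security acl (\d+)", line)):
            security_acls.append(int(m.group(1)))
        elif TOP_LEVEL_RE.match(line):
            current_acl = current_zone = None  # leave the ACL / interzone view
    return acls, interzones, security_acls


def acl_decision(rules, src_ip, dst_ip, default="permit"):
    """First matching rule wins; unmatched packets get the default (permit here)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if (src is None or s in src) and (dst is None or d in dst):
            return action
    return default


def probe_host(net):
    """Pick a representative host address from a network for evaluation."""
    return net[1] if net.num_addresses > 2 else net[0]


def audit(text):
    """List interzones whose packet filter reuses the NAT ACL and drops VPN traffic."""
    acls, interzones, security_acls = parse_config(text)
    findings = []
    for (z1, z2), cfg in interzones.items():
        pf = cfg.get("packet_filter")
        if pf is None or pf != cfg.get("nat"):
            continue  # separate ACLs or no filter: not the pattern on this page
        for sec in security_acls:
            for action, src, dst in acls.get(sec, []):
                if action != "permit" or src is None or dst is None:
                    continue
                if acl_decision(acls[pf], probe_host(src), probe_host(dst)) == "deny":
                    findings.append(f"interzone {z1} {z2}: packet-filter shares ACL {pf} "
                                    f"with NAT; it denies IPSec interesting traffic "
                                    f"{src} -> {dst} (security acl {sec})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run as a script it reports one finding for the original layout and none after the fix. The probe uses one host per side of the security ACL, which is enough for the page's case; a production audit would also compare the rule ranges directly rather than sampling.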