The USG Fails to Initiate IPSec Tunnel Negotiation Because the USG3000 Does Not Support IKEv2

Publication Date: 2015-07-03
Issue Description
Network Topology:

As shown in Figure 4-13, IPSec VPN is configured between the USG and USG3000. IKE is used to negotiate IPSec tunnels for encrypting the transmitted data.

Figure 4-13 Networking diagram if the USG fails to initiate IPSec tunnel negotiation because the USG3000 does not support IKEv2
Symptom:

The USG3000 can initiate IKE negotiation and establish IPSec tunnels. The services are normal. The USG can initiate IKE negotiation but cannot establish IPSec tunnels. The services are interrupted.
Handling Process
1. A USG that uses a policy template to negotiate IPSec tunnels can only respond to IKE negotiation; it cannot initiate it. In this case the USG does initiate IKE negotiation, which shows that it is not using a policy template to negotiate IPSec tunnels.

2. The USG supports both IKEv1 and IKEv2 for tunnel negotiation, and when it proactively initiates IKE negotiation it uses IKEv2 by default. The USG3000 supports IKEv1 only, so it cannot answer an IKEv2 proposal and the negotiation fails. When the USG3000 proactively initiates IKE negotiation, it uses IKEv1, which the USG can respond to, so that negotiation succeeds.

Root Cause
When the USG3000 proactively initiates IKE negotiation, it uses IKEv1. The USG can respond with IKEv1, so the two devices establish an IPSec tunnel. When the USG proactively initiates IKE negotiation, it uses IKEv2 by default, and the USG3000 cannot respond because it does not support IKEv2. As a result, the USG and USG3000 fail to establish any IPSec tunnel in that direction.
Solution
1. In the system view of the USG, run the ike peer peer_name command to access the IKE peer view. peer_name is the name of the IKE peer referenced in the IPSec policy.

2. In the IKE peer view of the USG, run the undo version 2 command to enable the USG to initiate IKE negotiation using IKEv1.
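The command sequence above, shown as an added illustration that is not part of the original article. The peer name usg3000 is a placeholder; the system-view, quit and display ike sa commands are standard USG CLI commands assumed here for navigation and for confirming afterwards that the IKE SA is established.

```text
# Enter the system view, then the IKE peer view for the peer that the
# IPSec policy references (peer name "usg3000" is a placeholder).
<USG> system-view
[USG] ike peer usg3000
# Default behaviour: the USG initiates with IKEv2, which the IKEv1-only
# USG3000 cannot answer. Disable IKEv2 in this peer view so the USG
# initiates with IKEv1 instead.
[USG-ike-peer-usg3000] undo version 2
[USG-ike-peer-usg3000] quit
# After the next negotiation attempt from the USG side, confirm that an
# IKE SA with the USG3000 now exists.
[USG] display ike sa
```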

END