The NE40E functions as the headquarters gateway. IPSec is configured in template mode. The USG6330 functions as a branch gateway. The USG6330 fails to establish an IPSec over GRE tunnel with the NE40E, but the gateway firewalls at other branches can establish IPSec over GRE tunnels with the NE40E.
Step 1 Check whether IPSec parameters on both ends are consistent.
Default parameters on the headquarters NE40E cannot be displayed. Therefore, you need to compare the IPSec parameters of other branches. The comparison result indicates that:
The IKE proposal of a reachable branch is as follows:
ike proposal 10
encryption-algorithm aes-cbc 256
The IKE proposal of an unreachable USG6330 is as follows:
ike proposal 10
encryption-algorithm aes-cbc 128
The encryption algorithms in the IKE proposals are different. Then change the encryption algorithm of the IKE proposal on the USG6330 to encryption-algorithm aes-cbc 256.
Step 2 After the encryption algorithm is changed, the problem persists. The comparison finds all the other parameters consistent. Therefore, display the session table or enable debugging for further diagnosis.
<USG6300>display firewall session table verbose destination-port 500
Current Total Sessions : 1
udp VPN:public --> public ID: a48f3fd220f307ccb5540f049
Zone: local--> untrust TTL: 00:02:00 Left: 00:01:47
Output-interface: GigabitEthernet1/0/0 NextHop: 10.254.218.181 MAC: e4-68-a3-53-8d-e0
<--packets:171 bytes:28856 -->packets:171 bytes:41696
The session table indicates that when the USG6330 attempts to establish an IPSec tunnel, port 500 is translated to port 2050. Because of this, the IPSec tunnel cannot be establsihed. Check the USG6330 configurations. An unnecessary NAT policy is found. Actually, the customer does not need to access the Internet, and the NAT policy is unnecessary. After this NAT policy is deleted, the IPSec over GRE tunnel can be established.
rule name GuideNat1429872189263
action nat easy-ip
A NAT policy is configured on the USG6330. Therefore, the source port of the IPSec tunnel is translated to another port.
If the NAT policy is not required, delete it to resolve the problem.
If the intranet needs to access the Internet and a NAT policy is mandatory, you are advised to specify the zone and source address when configuring the NAT policy.
Apart from IPSec parameter inconsistency, the NAT or routing policy is also a common cause of IPSec tunnel failure. After verifying IPSec parameters, you can display the session table or enable debugging to further diagnose the fault.