easy-IP NAT caused IKE negotiation failure

Publication Date:  2016-04-28 Views:  668 Downloads:  0
Issue Description

Product: USG6300  version:V100R001C30SPC100

Customer reported that the IPSec tunnel could not be established; it was stuck in the IKE phase, repeatedly negotiating with the remote peer, as shown below.

2021484    80.xx.xx.xxx                            NEG|A         v2:2  public
2021483    80.xx.xx.xxx                            NEG|A         v2:1  public

Handling Process

1. Checked the IPSec configuration and found that it looked correct.

ike proposal 3
encryption-algorithm aes-256 aes-192 aes-128 3des
authentication-algorithm sha2-256 sha1
integrity-algorithm aes-xcbc-96 hmac-sha2-512 hmac-sha2-256 hmac-sha1-96
sa duration 28800

ike peer ikexxxx
exchange-mode auto
pre-shared-key %$%$'L1v5}u"c#pubZDa*d1QEJA8%$%$
ike-proposal 3
remote-id-type none
remote-address 80.xx.xx.xxx

ipsec proposal propxxxx
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256  aes-128  3des

ipsec policy ipsecxxxx 2 isakmp
security acl 3011
ike-peer ikexxxx 
proposal propxxxx
local-address applied-interface
sa duration traffic-based 12800
sa duration time-based 28800

interface GigabitEthernet1/0/3
alias diba
ip address xxx.xxx.xx.xxx 255.255.255.248 
ipsec policy ipsecxxxx auto-neg


2. Checked the IKE debugging information and found that the device was repeatedly performing IKE negotiation. The output of "display ike sa" also shows this.

2021484    80.xx.xx.xxx      NEG|A         v2:2  public 
2021483    80.xx.xx.xxx      NEG|A         v2:1  public

3. Captured packets on the outside interface GigabitEthernet1/0/3 and found that the IKE source port had been translated to a different port, 2049.



4. Port 2049 is the second port that NAT allocates, so I suspected the issue was caused by NAT: the public IP address was being translated by the firewall itself. I confirmed this via the firewall session table, as below.


5. Then checked the NAT configuration and found that the customer had not configured a source zone for the NAT rule, so traffic from the public IP address itself was also being translated.


nat-policy
rule name NAT
  destination-zone VDSL
  action nat easy-ip 

6. Asked the customer to add a source zone to the NAT rule and reset the sessions. The IKE negotiation then succeeded.

nat-policy
rule name NAT
  source-zone xxx
  destination-zone VDSL
  action nat easy-ip

Root Cause
The root cause is that the firewall's own IKE traffic matched the NAT rule and was translated to the same source IP address but a different source port. IKE negotiation requires UDP port 500, so the negotiation failed.
Suggestions

Note that with easy-ip NAT, if no source zone is defined in the rule, traffic sourced from the easy-ip interface itself is also translated.
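The following is an added example, not USG configuration or vendor code: a small model of the easy-ip rule from this case that shows the unrestricted rule rewriting the firewall's own IKE source port to the 2049 seen in the capture, and the same IKE packet passing untouched once a source-zone condition is added. The zone name "trust", the "local" label for firewall-originated traffic and the IP addresses are placeholders for the masked values on the page.

```python
from dataclasses import dataclass, replace
from typing import Optional

IKE_PORT = 500            # UDP port the IKE negotiation requires (per this case)
OBSERVED_PAT_PORT = 2049  # translated source port seen in the step 3 capture

@dataclass(frozen=True)
class Packet:
    src_zone: str   # "local" marks traffic originated by the firewall itself (assumed label)
    dst_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class EasyIpRule:
    dst_zone: str
    src_zone: Optional[str] = None  # None: no source-zone condition, as in the original rule

    def matches(self, p: Packet) -> bool:
        # Without a source-zone condition the rule also matches locally originated traffic.
        if self.src_zone is not None and p.src_zone != self.src_zone:
            return False
        return p.dst_zone == self.dst_zone

def apply_easy_ip(rule: EasyIpRule, p: Packet, egress_ip: str) -> Packet:
    """Easy-ip: rewrite the source to the egress interface IP plus a PAT port.
    Traffic already sourced from the egress IP keeps its address but still
    gets a new source port, which is exactly what broke IKE here."""
    if not rule.matches(p):
        return p
    return replace(p, src_ip=egress_ip, src_port=OBSERVED_PAT_PORT)

def ike_ports_intact(p: Packet) -> bool:
    """The check from step 3: IKE must leave with UDP 500 on both sides."""
    return p.src_port == IKE_PORT and p.dst_port == IKE_PORT

# Constructed sample: the firewall's own IKE_SA_INIT toward the peer in zone VDSL.
FW_IP, PEER_IP = "198.51.100.10", "203.0.113.20"  # placeholders for the masked addresses
IKE_INIT = Packet("local", "VDSL", FW_IP, PEER_IP, IKE_PORT, IKE_PORT)
BROKEN_RULE = EasyIpRule(dst_zone="VDSL")                   # step 5: no source-zone
FIXED_RULE = EasyIpRule(dst_zone="VDSL", src_zone="trust")  # step 6: source-zone added

def demo() -> dict:
    before = apply_easy_ip(BROKEN_RULE, IKE_INIT, FW_IP)
    after = apply_easy_ip(FIXED_RULE, IKE_INIT, FW_IP)
    return {"before_ok": ike_ports_intact(before), "before_src_port": before.src_port,
            "after_ok": ike_ports_intact(after)}
```

Running demo() reproduces the case: the unrestricted rule leaves the source IP unchanged but moves the IKE source port to 2049, while the rule with a source zone no longer matches the firewall's own traffic.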

END