There is a problem establishing the IPSec tunnel in the example in the VRP3.4 Operation Manual (V3.46a).

Publication Date: 2012-07-27
Issue Description
VRP3.4 Operation Manual (V3.46a): 09-Security Operation 9.4.5. IPSec/IKE Multi-instance Configuration Example. There is a mistake in this example. We cannot ping the address 32.32.32.2 or network 21.21.21.0 on the CE1 router from the CE2 router with the source addresses of 33.33.33.3 or 51.51.51.1. After the ping, the IPSec tunnel between CE2 and PE2 is established, but not the one between CE1 and PE1. However, if we then ping the address 33.33.33.3 or network 51.51.51.0 from the CE1 router with the source addresses of 32.32.32.2 or 21.21.21.2, the IPSec tunnel is established and these addresses are available. Besides, there is a mistake in the ACL configuration on the PE routers. We have to use the VPN-instance during ACL configuration.
So the question is: where is the mistake in this configuration?
Alarm Information
Null
Handling Process
I have checked the newest software version. Everything works properly. Below you can find the improved configuration of ACL on PE routers.
acl number 3000
 rule 0 permit ip vpn-instance vrf source 51.51.51.0 0.0.0.255 destination 21.21.21.0 0.0.0.255
 rule 1 permit ip vpn-instance vrf source 33.33.33.3 0 destination 32.32.32.2 0
I suggest using this software version or later when you configure IPSec MPLS.
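The following is an added example, not part of the original case or of Huawei's tooling: a small offline check that parses the ACL above, reports rules missing the vpn-instance keyword, and shows which source/destination pairs the ACL selects for IPSec. It assumes the usual wildcard-mask semantics (wildcard bits set to 1 are ignored, a bare 0 means an exact host match); all function names are hypothetical.

```python
import ipaddress
import re

# ACL text copied from the case above (the wrapped line rejoined).
ACL_TEXT = """\
acl number 3000
 rule 0 permit ip vpn-instance vrf source 51.51.51.0 0.0.0.255 destination 21.21.21.0 0.0.0.255
 rule 1 permit ip vpn-instance vrf source 33.33.33.3 0 destination 32.32.32.2 0
"""

RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) ip"
    r"(?: vpn-instance (?P<vpn>\S+))?"
    r" source (?P<src>\S+) (?P<swc>\S+)"
    r" destination (?P<dst>\S+) (?P<dwc>\S+)"
)

def _to_int(addr):
    # A bare "0" wildcard is the host-match shorthand used in rule 1.
    return int(ipaddress.IPv4Address("0.0.0.0" if addr == "0" else addr))

def parse_rules(text):
    """Return one dict per rule line, addresses and wildcards as integers."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line.strip())
        if m:
            d = m.groupdict()
            rules.append({"id": int(d["id"]), "action": d["action"], "vpn": d["vpn"],
                          "src": (_to_int(d["src"]), _to_int(d["swc"])),
                          "dst": (_to_int(d["dst"]), _to_int(d["dwc"]))})
    return rules

def _hit(ip, selector):
    base, wildcard = selector
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def match(rules, src, dst):
    """Return the id of the first rule matching src -> dst, or None."""
    for r in rules:
        if _hit(src, r["src"]) and _hit(dst, r["dst"]):
            return r["id"]
    return None

def rules_without_vpn_instance(rules):
    """Rule ids lacking the vpn-instance keyword the case says PE ACLs need."""
    return [r["id"] for r in rules if r["vpn"] is None]

if __name__ == "__main__":
    rules = parse_rules(ACL_TEXT)
    print("missing vpn-instance:", rules_without_vpn_instance(rules))
    # The last pair is constructed: it mixes the selectors of rule 1 and rule 0.
    for pair in [("51.51.51.1", "21.21.21.2"), ("33.33.33.3", "32.32.32.2"),
                 ("33.33.33.3", "21.21.21.2")]:
        print(pair, "->", match(rules, *pair))
```

Run against a PE router's saved configuration, the same check shows at a glance which rule, if any, selects a given traffic pair and whether every rule is bound to the VPN instance.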
Root Cause
Confirmed that it's a software bug and you can get the new version in January 2007.
(On 12/31/2006 17:28:39, Level 3 solution:)
The version VRP3.4-0109P21 has been released.
Technical Support Department examines the opinion: The version VRP3.4-0109P21 has been released.
Suggestions

Null

END