Solution for IPsec phase 2 negotiation failure when interconnecting a USG2130 with a Yishang ES800

Publication Date:  2012-09-21 Views:  135 Downloads:  0
Issue Description
PC----USG2130--Internet--ES800---PC

The user's network is shown above. The fault symptom is that the USG2130 cannot establish an IPsec tunnel to the ES800 in either main mode or aggressive mode: phase 1 completes, but the phase 2 (IPsec SA) negotiation never succeeds.

dis ike sa
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
       31          NONE                          2     IPSEC
       30          1.1.1.2         RD|ST         1     IPSEC
Alarm Information
none
Handling Process
First, check the IPsec proposals on both ends; they are identical, so the proposal is not the cause.
Second, use display acl to check whether the IPsec ACL is matching any traffic. The ACL shows no matches.
The debug output confirms this:
*0.89881316 USG2130BSR IKE/8/DEBUG:Get IPsec policy: get IPsec policy failed     
*0.89881400 USG2130BSR IKE/8/DEBUG:validate_prop: no IPsec policy found          
*0.89881483 USG2130BSR IKE/8/DEBUG:dropped message from 1.1.1.2 due to notification type INVALID_ID_INFORMATION

The local ACL is verified to be correct.
The peer's ACL configuration, however, contains a number of ACL rules that do not mirror ours, so the two ends cannot agree on the protected traffic. After the peer's ACL is modified to mirror ours, the problem is solved.
Root Cause
An SA exists for the first phase, but in the second phase the SA has no peer (the peer column shows NONE), so the IPsec SA fails to negotiate. In this situation the IPsec-related configuration, namely the IPsec proposal and the ACL, must be inspected on both ends.
Suggestions
When interconnecting with equipment from another vendor, besides checking the IKE and IPsec configuration, check whether the ACLs on the two ends mirror each other. If further judgement is needed, inspect the debug information.
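The ACL check recommended above (and used in the handling process) can be done mechanically. The following is an added example, not part of the original case or any Huawei tool: it parses Huawei VRP style ACL rules of the form "rule <n> permit ip source A W destination B W" (an assumed, simplified subset of the syntax) from both ends and reports every permit rule whose mirror (source and destination swapped) is absent on the other side. The ACL texts and addresses are constructed sample data, not taken from the case.

```python
import ipaddress
import re

# Assumed subset of Huawei VRP ACL syntax: "rule <n> permit|deny ip source A W destination B W"
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


def wildcard_to_network(addr, wildcard):
    """Convert 'address wildcard' notation (0 bits = must match) to an IPv4Network."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    # A wildcard must be a contiguous run of 1 bits from the low end, e.g. 0.0.0.255
    if (host_bits + 1) & host_bits:
        raise ValueError("non-contiguous wildcard %s is not a subnet" % wildcard)
    prefix = 32 - bin(host_bits).count("1")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl(text):
    """Return a list of (action, source_net, destination_net) for each ip rule in the ACL text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line.strip())
        if not m:
            continue  # "acl number ...", comments, or rule forms this subset ignores
        _, action, src, src_wc, dst, dst_wc = m.groups()
        rules.append((action,
                      wildcard_to_network(src, src_wc),
                      wildcard_to_network(dst, dst_wc)))
    return rules


def check_mirror(local_acl, peer_acl):
    """Return (local_unmirrored, peer_unmirrored): permit rules with no mirror on the other end.

    Each entry is a (source, destination) pair in CIDR form. Both lists empty means
    the IPsec ACLs mirror each other and phase 2 proxy IDs can match.
    """
    local = [(s, d) for a, s, d in parse_acl(local_acl) if a == "permit"]
    peer = [(s, d) for a, s, d in parse_acl(peer_acl) if a == "permit"]
    peer_set = set(peer)
    local_set = set(local)
    # A local rule src->dst is mirrored if the peer has dst->src, and vice versa
    local_unmirrored = [(str(s), str(d)) for s, d in local if (d, s) not in peer_set]
    peer_unmirrored = [(str(s), str(d)) for s, d in peer if (d, s) not in local_set]
    return local_unmirrored, peer_unmirrored


# Constructed sample ACLs (not from the case): local end protects 192.168.1.0/24 -> 192.168.2.0/24
LOCAL_ACL = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
"""

# Peer as found: its rules point at other networks, so nothing mirrors the local rule
PEER_ACL_BAD = """\
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 172.16.0.0 0.0.255.255
"""

# Peer after the fix: exact mirror of the local rule
PEER_ACL_FIXED = """\
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""


if __name__ == "__main__":
    for label, peer in (("before fix", PEER_ACL_BAD), ("after fix", PEER_ACL_FIXED)):
        local_missing, peer_missing = check_mirror(LOCAL_ACL, peer)
        print(label)
        print("  local rules with no mirror on peer :", local_missing)
        print("  peer rules with no mirror locally  :", peer_missing)
```

Run it against the two ACLs pasted from each end; any rule reported in either list is a candidate for the "no IPsec policy found" / INVALID_ID_INFORMATION symptom seen in this case, because the responder cannot find a policy whose selectors match the initiator's proposed traffic.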
