A customer uses USG2110-F firewalls as IPsec clients peering with a USG3030 at headquarters. The VPN is built point-to-multipoint with IPsec sub-policies; every branch has a fixed IP address, and the IPsec links from the branches to headquarters otherwise all come up and pass traffic normally.
The internal networks (branch to headquarters) can also reach each other, except that the PCs on the internal network behind one USG2110-F node cannot communicate with headquarters.
First the branch's tunnel was cleared, then the USG2110-F's internal network was pinged from headquarters: the configured ACL 3019 was not hit,
and "disp ike sa" was empty, so no tunnel had been established.
Using another branch's USG2110-F to communicate with the headquarters USG3000, the tunnel could be set up and pings succeeded regardless of whether the traffic was initiated from headquarters or from the branch.
Focusing on the ACL configuration, the headquarters configuration is as follows:
ipsec policy 2 23 isakmp // Normal branches
security acl 3018
ipsec policy 2 24 isakmp //Abnormal branches
security acl 3019
acl number 3018 // Normal branch interested flow acl
rule 10 permit ip source 10.10.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 20 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 100 deny ip
acl number 3019 // Abnormal branch interested flow acl
rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.145.0 0.0.0.255
rule 10 permit ip source 10.10.0.0 0.0.255.255 destination 192.168.145.0 0.0.0.255
rule 20 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.145.0 0.0.0.255
rule 100 deny ip
The ACL bound to the normal branch's sub-policy (3018) also covers the abnormal branch's ACL entries: its destination range 192.168.0.0/16 contains the abnormal branch's 192.168.145.0/24. In other words, the ACL range configured at headquarters is too broad. Because sub-policy 23 is evaluated before sub-policy 24 (lower sequence number first), traffic destined for 192.168.145.0/24 is matched by ACL 3018 and never reaches sub-policy 24, so ACL 3019 is never hit and no IKE SA is negotiated with that branch. This is the ACL entry conflict.
Suggestion to the customer: write the ACL entries for specific, detailed network segments (each branch's actual subnet as the destination) so that the interested flows of the sub-policies do not overlap; this solves the problem.
Troubleshooting approach: first judge whether the ACL is hit, that is, whether the traffic matches the ACL's network segments. If pings fail, consider that other ACL settings may be involved. Since the IPsec tunnels to the other branches were built successfully, the IPsec configuration itself should not be the problem.
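Worked example (added here; not from the case or from Huawei's own tooling): a small Python checker that parses the headquarters ACL and sub-policy lines in the syntax shown above, decides which sub-policy a given flow would hit, and reports permit rules of a later sub-policy that are fully covered by a permit rule of an earlier one. The evaluation order (ascending rule ID within an ACL, ascending sequence number across sub-policies) and the normal branch's LAN 192.168.20.0/24 used in the corrected ACL are assumptions; the case gives neither.

```python
import ipaddress
import re

MASK = 0xFFFFFFFF
ANY = (0, MASK)  # a rule with no source/destination (e.g. "rule 100 deny ip") matches all
POLICY_RE = re.compile(r"^\s*ipsec\s+policy\s+\S+\s+(\d+)\s+isakmp")
SEC_ACL_RE = re.compile(r"^\s*security\s+acl\s+(\d+)")
ACL_RE = re.compile(r"^\s*acl\s+number\s+(\d+)")
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+ip"
                     r"(?:\s+source\s+(\S+)\s+(\S+))?(?:\s+destination\s+(\S+)\s+(\S+))?\s*$")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_config(text):
    """Return (policies, acls): policies = [(seq, acl_number)] sorted by sequence number,
    acls = {acl_number: [(rule_id, action, (net, wildcard), (net, wildcard)), ...]}.
    Assumed evaluation order: ascending rule id in an ACL, ascending seq across sub-policies."""
    policies, acls, cur_policy, cur_acl = [], {}, None, None
    for raw in text.splitlines():
        line = raw.split("//")[0].rstrip()  # drop the // annotations used in the write-up
        if m := POLICY_RE.match(line):
            cur_policy = int(m.group(1))
        elif m := SEC_ACL_RE.match(line):
            policies.append((cur_policy, int(m.group(1))))
        elif m := ACL_RE.match(line):
            cur_acl = int(m.group(1))
            acls[cur_acl] = []
        elif m := RULE_RE.match(line):
            rid, action, sn, sw, dn, dw = m.groups()
            src = (_ip(sn), _ip(sw)) if sn else ANY
            dst = (_ip(dn), _ip(dw)) if dn else ANY
            acls[cur_acl].append((int(rid), action, src, dst))
    for rules in acls.values():
        rules.sort(key=lambda r: r[0])
    return sorted(policies), acls

def wild_match(addr, net_wild):
    """Huawei wildcard mask: 0 bits must match, 1 bits are don't-care."""
    net, wild = net_wild
    fixed = MASK & ~wild
    return (addr & fixed) == (net & fixed)

def acl_action(rules, src, dst):
    for _, action, s, d in rules:
        if wild_match(src, s) and wild_match(dst, d):
            return action
    return "deny"  # nothing matched: not an interesting flow for this ACL

def select_policy(policies, acls, src, dst):
    """Sequence number of the first sub-policy whose ACL permits src -> dst, else None."""
    s, d = _ip(src), _ip(dst)
    for seq, acl in policies:
        if acl_action(acls[acl], s, d) == "permit":
            return seq
    return None

def covers(outer, inner):
    """True if every address matched by inner (net, wildcard) is also matched by outer."""
    (onet, owild), (inet, iwild) = outer, inner
    fixed = MASK & ~owild
    return (iwild & fixed) == 0 and (onet & fixed) == (inet & fixed)

def shadowed_rules(policies, acls):
    """(seq, acl, rule, earlier_seq, earlier_acl, earlier_rule) for each permit rule of a
    later sub-policy fully covered by a permit rule of an earlier one: those flows are
    consumed by the earlier sub-policy and never trigger the later one."""
    hits = []
    for i, (seq, acl) in enumerate(policies):
        for rid, action, s, d in acls[acl]:
            for eseq, eacl in policies[:i]:
                for erid, eaction, es, ed in acls[eacl]:
                    if action == eaction == "permit" and covers(es, s) and covers(ed, d):
                        hits.append((seq, acl, rid, eseq, eacl, erid))
                        break
    return hits

# Headquarters configuration as shown in the case (sub-policy 23 -> ACL 3018, 24 -> ACL 3019).
HQ_AS_FOUND = """
ipsec policy 2 23 isakmp
 security acl 3018
ipsec policy 2 24 isakmp
 security acl 3019
acl number 3018
 rule 10 permit ip source 10.10.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
 rule 20 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
 rule 100 deny ip
acl number 3019
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.145.0 0.0.0.255
 rule 10 permit ip source 10.10.0.0 0.0.255.255 destination 192.168.145.0 0.0.0.255
 rule 20 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.145.0 0.0.0.255
 rule 100 deny ip
"""
# Corrected ACL 3018: destination narrowed to the normal branch's own LAN. The case does not
# give that subnet, so 192.168.20.0/24 is a constructed placeholder (assumption).
HQ_FIXED = HQ_AS_FOUND.replace("destination 192.168.0.0 0.0.255.255",
                               "destination 192.168.20.0 0.0.0.255")
```

Run against the configuration as found, `select_policy(*parse_config(HQ_AS_FOUND), "10.10.1.1", "192.168.145.10")` returns 23 and `shadowed_rules` reports all three permit rules of ACL 3019 as covered by ACL 3018; with the destination of ACL 3018 narrowed, the same flow selects sub-policy 24 and nothing is shadowed. The check is a sufficient condition only: it flags full containment and ignores partial overlaps and deny rules placed before a permit.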