
Only one IP can be pinged when a Eudemon and a vendor C VPN device interconnect over IPSec VPN

Publication Date:  2012-11-27 Views:  3 Downloads:  0
Issue Description
Eudemon200 version: eu200-vrp3.30-0336.02(12).
Topology: PC1---L2Switch---E200---Internet---vendor C VPN device---Intranet---PC2/PC3.
Part of the Eudemon200 configuration:
acl number 3020
rule 5 permit ip source 10.196.226.7 0 destination 172.31.16.200 0
rule 10 permit ip source 10.196.226.7 0 destination 172.31.14.2 0
#
ipsec policy huawei 20 isakmp
security acl 3020
pfs dh-group2
ike-peer ufone
proposal sha
sa duration time-based 3600
#

After the IPSec VPN is established, PC1 can ping PC2 but cannot ping PC3. IKE phase 1 is established successfully; the IKE phase 2 negotiation and IPSec SA for PC1-PC2 succeed, but the IKE phase 2 negotiation and IPSec SA for PC1-PC3 fail.
Alarm Information
NULL
Handling Process
1. Check a tracert from PC3 to PC1: the path does reach vendor C's VPN device.
2. Check the list of local addresses configured on vendor C's VPN device: PC3's IP is indeed configured.
3. Split the security ACL on the E200 into multiple ACLs, each containing a single rule, and use multiple policy entries (one per ACL). The relevant part of the configuration is as follows:
acl number 3020
rule 5 permit ip source 10.196.226.7 0 destination 172.31.16.200 0
acl number 3021
rule 5 permit ip source 10.196.226.7 0 destination 172.31.14.2 0
#
ipsec policy huawei 20 isakmp
security acl 3020
pfs dh-group2
ike-peer ufone
proposal sha
sa duration time-based 3600
#
ipsec policy huawei 21 isakmp
security acl 3021
pfs dh-group2
ike-peer ufone
proposal sha
sa duration time-based 3600
#

After this configuration adjustment, PC1 can ping both PC2 and PC3.
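The split in step 3 is mechanical, so it can be checked and generated. The helper below is an added example, not part of this case or of Huawei VRP: it lints a VRP-style configuration for isakmp policy entries whose security ACL carries more than one rule, and rewrites the configuration into the one-rule-per-ACL, one-policy-entry-per-ACL form shown above. It understands only the small subset of syntax that appears in the case (acl number, rule, ipsec policy ... isakmp, security acl). The numbering convention is the helper's own choice, modelled on the case: the first rule keeps the original ACL and sequence numbers, later rules take the next free numbers, and each rule is renumbered to rule 5.

```python
# Hypothetical helper (not Huawei VRP code): lint and split multi-rule IPsec security ACLs.
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the case's "before" configuration.
ORIGINAL_CONFIG = """\
acl number 3020
rule 5 permit ip source 10.196.226.7 0 destination 172.31.16.200 0
rule 10 permit ip source 10.196.226.7 0 destination 172.31.14.2 0
#
ipsec policy huawei 20 isakmp
security acl 3020
pfs dh-group2
ike-peer ufone
proposal sha
sa duration time-based 3600
#
"""

ACL_RE = re.compile(r"^acl number (\d+)$")
POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) isakmp$")
SEC_ACL_RE = re.compile(r"^security acl (\d+)$")
RULE_NUM_RE = re.compile(r"^rule \d+ ")

Policy = Tuple[str, int, List[str]]  # (policy name, sequence number, body lines)


def parse_blocks(config: str) -> List[List[str]]:
    """Split config into blocks; a block ends at '#' or at the next block header."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_header = bool(ACL_RE.match(line) or POLICY_RE.match(line))
        if (line == "#" or is_header) and current:
            blocks.append(current)
            current = []
        if line != "#":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse_config(config: str) -> Tuple[Dict[int, List[str]], List[Policy]]:
    """Return ACL number -> rule lines, and the isakmp policy entries in order."""
    acls: Dict[int, List[str]] = {}
    policies: List[Policy] = []
    for block in parse_blocks(config):
        m = ACL_RE.match(block[0])
        if m:
            acls[int(m.group(1))] = [ln for ln in block[1:] if ln.startswith("rule ")]
            continue
        m = POLICY_RE.match(block[0])
        if m:
            policies.append((m.group(1), int(m.group(2)), block[1:]))
    return acls, policies


def security_acl(body: List[str]) -> int:
    """ACL number referenced by a policy entry's 'security acl' line."""
    for line in body:
        m = SEC_ACL_RE.match(line)
        if m:
            return int(m.group(1))
    raise ValueError("ipsec policy entry has no 'security acl' line")


def multi_rule_policies(config: str) -> List[Tuple[str, int, int, int]]:
    """Lint: (policy, seq, acl, rule count) for entries whose security ACL has >1 rule."""
    acls, policies = parse_config(config)
    found = []
    for name, seq, body in policies:
        acl = security_acl(body)
        count = len(acls.get(acl, []))
        if count > 1:
            found.append((name, seq, acl, count))
    return found


def next_free(start: int, used: Set[int]) -> int:
    """Smallest number >= start not yet in 'used'; marks it as used."""
    n = start
    while n in used:
        n += 1
    used.add(n)
    return n


def split_config(config: str) -> str:
    """Rewrite so every security ACL has one rule and every rule has its own policy entry."""
    acls, policies = parse_config(config)
    used_acls: Set[int] = set(acls)
    used_seqs: Dict[str, Set[int]] = {}
    for name, seq, _ in policies:
        used_seqs.setdefault(name, set()).add(seq)
    out_acls: Dict[int, List[str]] = dict(acls)  # ACLs not referenced by a policy pass through
    out_policies: List[Policy] = []
    for name, seq, body in policies:
        acl = security_acl(body)
        rules = acls.get(acl, [])
        if len(rules) <= 1:
            out_policies.append((name, seq, body))
            continue
        for i, rule in enumerate(rules):
            # First rule keeps the original numbers; later rules take the next free ones.
            new_acl = acl if i == 0 else next_free(acl + 1, used_acls)
            new_seq = seq if i == 0 else next_free(seq + 1, used_seqs[name])
            out_acls[new_acl] = [RULE_NUM_RE.sub("rule 5 ", rule)]
            new_body = [f"security acl {new_acl}" if SEC_ACL_RE.match(ln) else ln for ln in body]
            out_policies.append((name, new_seq, new_body))
    lines: List[str] = []
    for num in sorted(out_acls):
        lines += [f"acl number {num}", *out_acls[num], "#"]
    for name, seq, body in out_policies:
        lines += [f"ipsec policy {name} {seq} isakmp", *body, "#"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(multi_rule_policies(ORIGINAL_CONFIG))
    print(split_config(ORIGINAL_CONFIG))
```

Running it on the sample reports the policy entry huawei 20 with a two-rule ACL 3020 and prints the split configuration (ACLs 3020 and 3021, policy entries 20 and 21), matching the corrected configuration in step 3; running the lint again on the output reports nothing.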
Root Cause
1. PC3 on the peer side cannot route properly to vendor C's VPN device.
2. Vendor C's VPN device did not add PC3's IP address to its list of local addresses.
3. The Huawei Eudemon200 and vendor C's VPN device process ACLs differently:

On the E200, each ACL rule corresponds to one IPSec tunnel and one pair of SAs. The peer vendor's access-list can contain many rules, but one access-list, whatever number of rules it holds, corresponds to one IPSec tunnel and one pair of SAs. When the security ACL contains several rules, only the data flow matching the rule that initiated the negotiation can pass through the tunnel; the data flows of the other rules cannot. In this situation the security ACL must be split into multiple ACLs, each containing a single rule, with one policy entry per ACL.
Suggestions
When interconnecting with peer vendors' equipment, we need to understand the differences in processing mechanisms between our equipment and the peer vendor's equipment, so that such problems can be resolved.