
IKE source address error causes IPSec VPN set up failure

Publication Date: 2012-11-27
Issue Description
USG5300 ------+
              |---- 192.168.1.0/24 ---- Internet Gateway ---------- FW
USG5300 ------+
As shown above, the two USG5300 units run in active/standby (A/S) hot-backup mode, with VRRP enabled on the interface connected to the Internet Gateway and a default route whose next hop is the Internet Gateway. The Internet Gateway does not perform NAT; the USG5300 acts as the NAT gateway and establishes the IPSec VPN. The related IPSec VPN configuration is as follows:
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
sa duration 28800
#
ike peer dubai
pre-shared-key *
remote-address a.b.c.d
#
ipsec proposal dubai
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy dubai 10 isakmp
security acl acl-number
ike-peer dubai
proposal dubai
Checking the IKE SA shows that it is empty.
Alarm Information
None.
Handling Process
To set the IKE source address to the public network address e.f.g.h, add the local-address command under the IKE peer:
ike peer dubai
local-address e.f.g.h
Root Cause
With debugging enabled, the following error information is seen:
*1.3373932854 USG5300-2 IPSEC/8/DBG:IPSec input drop packet! ACL is NULL.
*1.3373933287 USG5300-2 IPSEC/8/DBG:IPSec output drop packet! A policy's ACL is NULL.
Usually this error information is caused by a security ACL mismatch. Checking the configuration on both sides found no configuration error, so the problem was analysed from the perspective of the topology. The USG5300 acts as the NAT gateway, so it cannot advertise the private network 192.168.1.0/24 to the public network, and the IKE remote-address configured on the peer firewall is the NAT public network address e.f.g.h. Checking the debug information again shows that the IKE source address of the USG5300 is the VRRP virtual address 192.168.1.3, which is the wrong IKE source address.
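The following is an added configuration check, not part of this case or of Huawei's tooling: it parses a VRP-style configuration in the format shown above and reports every ike peer that has no local-address, together with the VRRP virtual IPs configured on the box, so a hot-backup NAT gateway that would source IKE from a private VRRP address can be spotted before the tunnel fails. The sample config is constructed; its addresses are documentation ranges, not values from this case.

```python
import re

# Constructed sample in the style of the page's configuration; the
# addresses are documentation ranges, not values from the page.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.3
#
ike peer dubai
 pre-shared-key *
 remote-address 203.0.113.10
#
ike peer london
 pre-shared-key *
 remote-address 203.0.113.20
 local-address 198.51.100.5
#
"""

def parse_blocks(config):
    """Return [(header, [body lines])] for each '#'-separated block."""
    blocks = []
    for raw in config.split("#"):
        lines = [l.strip() for l in raw.splitlines() if l.strip()]
        if lines:
            blocks.append((lines[0], lines[1:]))
    return blocks

def vrrp_virtual_ips(blocks):
    """Collect VRRP virtual IPs configured on any interface."""
    vips = []
    for header, body in blocks:
        if header.startswith("interface"):
            for line in body:
                m = re.match(r"vrrp vrid \d+ virtual-ip (\S+)", line)
                if m:
                    vips.append(m.group(1))
    return vips

def check_ike_peers(config):
    """Return findings for ike peers that rely on the interface address."""
    blocks = parse_blocks(config)
    vips = vrrp_virtual_ips(blocks)
    findings = []
    for header, body in blocks:
        if not header.startswith("ike peer "):
            continue
        peer = header.split()[2]
        remote = next((l.split()[1] for l in body
                       if l.startswith("remote-address ")), None)
        if not any(l.startswith("local-address ") for l in body):
            findings.append({"peer": peer, "remote": remote, "vrrp_vips": vips})
    return findings

if __name__ == "__main__":
    for f in check_ike_peers(SAMPLE_CONFIG):
        print(f"ike peer {f['peer']} -> {f['remote']}: no local-address; "
              f"VRRP virtual IPs on this box: {', '.join(f['vrrp_vips'])}")
```

Run against the sample, it reports only the dubai peer, which is the situation described in the Root Cause above.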
Suggestions
None.