
IPsec typical fault: an ACL configuration mismatch between the two ends causes the second phase of IKE negotiation to fail

Publication Date: 2014-06-30
Issue Description
An IPsec tunnel is configured between a Huawei firewall and a Juniper firewall. The second phase of IKE negotiation fails.

Huawei firewall Eudemon1000E-U2 version: Eudemon 1000E V100R003C01SPC900
Alarm Information
NA
Handling Process
3. Because the negotiation fails in v1:2, check the debug log by enabling "debugging ike error".
The debug log contains "phase2: security acl mismatch" and "dropped message ... due to notification type INVALID_ID_INFORMATION". This means the ACL configuration differs between the local side and the remote side.

<Eudemon1000E>debugging ike error
<Eudemon1000E>terminal debugging
<Eudemon1000E>terminal monitor
3.2152296062 Eudemon1000E %%01IKE/7/DEBUG(d): match flow fail
2014-04-22 10:34:24 Eudemon1000E %%01IKE/4/IPSECACL(l): phase2: security acl mismatch.
3.2152305828 Eudemon1000E %%01IKE/7/DEBUG(d): match flow fail
3.2152305828 Eudemon1000E %%01IKE/7/DEBUG(d): Get IPsec policy: get IPsec policy failed
3.2152305828 Eudemon1000E %%01IKE/7/DEBUG(d): validate_prop: no IPsec policy found
3.2152305828 Eudemon1000E %%01IKE/7/DEBUG(d): dropped message from 183.129.153.138 due to notification type INVALID_ID_INFORMATION

4. From step 3 we know that IKE negotiation fails in the second phase because the ACL configuration differs between the local and the remote side, but we do not know which flow the remote side protects. How, then, should the local ACL be configured?

5. Enable "debugging ike all" to view the IKE negotiation process. The lines "src addr:0x10111200 mask:0xFFFFFF00" and "dst addr:0x0A452400 mask:0xFFFFFF00" give the protected flow in hexadecimal: decoded, the source is 16.17.18.0 with mask 255.255.255.0 and the destination is 10.69.36.0 with mask 255.255.255.0. The local ACL therefore needs the rule: rule 5 permit ip source 16.17.18.0 0.0.0.255 destination 10.69.36.0 0.0.0.255

<Eudemon1000E>debugging ike all
<Eudemon1000E>terminal debugging
<Eudemon1000E>terminal monitor
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): responder recv HASH-SA-NONCE: computed HASH(1):
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): 87ae911c 55c91faa a8883fa8 e2a68d31 5efd4de0
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): responder recv HASH-SA-NONCE: IDci:
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): 04000000 0a452400 ffffff00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): responder recv HASH-SA-NONCE: IDcr:
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): 04000000 10111200 ffffff00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): proid:0
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): src addr:0x10111200 mask:0xFFFFFF00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): src port:0
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): dst addr:0x0A452400 mask:0xFFFFFF00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): dst port:0
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): proid:0
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): src addr:0x10111200 mask:0xFFFFFF00
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): src port:0
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): dst addr:0x0A452400 mask:0xFFFFFF00
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): dst port:0
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): proid:0
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): src addr:0x10111200 mask:0xFFFFFF00
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): src port:0
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): dst addr:0x0A452400 mask:0xFFFFFF00
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): dst port:0
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): proid:0
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): src addr:0x10111200 mask:0xFFFFFF00
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): src port:0
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): dst addr:0x0A452400 mask:0xFFFFFF00
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): dst port:0
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): match flow fail
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): Get IPsec policy: get IPsec policy failed
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): validate_prop: no IPsec policy found
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): dropped message from 183.129.153.138 due to notification type INVALID_ID_INFORMATION

6. Modify the local ACL so that it contains the rule:
"rule 5 permit ip source 16.17.18.0 0.0.0.255 destination 10.69.36.0 0.0.0.255"
IKE negotiation then succeeds.
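As an added worked example (not code from this case or from Huawei), the following Python script automates steps 3 to 6 above and the checks listed under Suggestions: it looks for the two mismatch messages, decodes the hexadecimal "src addr"/"dst addr" lines (and the IDci/IDcr payload dump, whose layout is taken from RFC 2407) into networks, tests whether the local ACL 3111 covers the flow the peer proposes, and prints the Huawei ACL rule that mirrors it. The log excerpt is constructed from the lines shown on this page; the assumption that a responder rule must cover (be at least as wide as) the peer's selectors is the example's own and is what makes the host-to-/27 rules fail against the /24 proposal.

```python
import ipaddress
import re

# Constructed excerpt of the 'debugging ike' output shown in this case (the hex values are
# the ones from the page); it stands in for a captured terminal session.
DEBUG_LOG = """\
2014-04-22 10:34:24 Eudemon1000E %%01IKE/4/IPSECACL(l): phase2: security acl mismatch.
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): responder recv HASH-SA-NONCE: IDci:
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): 04000000 0a452400 ffffff00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): responder recv HASH-SA-NONCE: IDcr:
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): 04000000 10111200 ffffff00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): src addr:0x10111200 mask:0xFFFFFF00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): dst addr:0x0A452400 mask:0xFFFFFF00
3.2152485978 Eudemon1000E %%01IKE/7/DEBUG(d): dropped message from 183.129.153.138 due to notification type INVALID_ID_INFORMATION
"""

# The local ACL from the case, before the fix.
ACL_3111 = """\
acl number 3111
 rule 0 permit ip source 16.17.18.102 0 destination 10.69.36.32 0.0.0.31
 rule 1 permit ip source 16.17.18.102 0 destination 10.69.36.64 0.0.0.31
 rule 2 permit ip source 16.17.18.103 0 destination 10.69.36.32 0.0.0.31
 rule 3 permit ip source 16.17.18.103 0 destination 10.69.36.64 0.0.0.31
"""

# Log messages that identify a phase-2 selector (ACL) mismatch in this case.
MISMATCH_MARKERS = ("phase2: security acl mismatch",
                    "notification type INVALID_ID_INFORMATION")

FLOW_RE = re.compile(r"(src|dst) addr:0x([0-9A-Fa-f]{8}) mask:0x([0-9A-Fa-f]{8})")
RULE_RE = re.compile(r"rule (\d+) permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def has_acl_mismatch(log: str) -> bool:
    """True when the log carries either of the mismatch messages."""
    return any(marker in log for marker in MISMATCH_MARKERS)


def hex_to_network(addr_hex: str, mask_hex: str) -> ipaddress.IPv4Network:
    """Decode an 'addr/mask' hex pair into a network (0x10111200/0xFFFFFF00 -> 16.17.18.0/24)."""
    addr = ipaddress.IPv4Address(int(addr_hex, 16))
    mask = ipaddress.IPv4Address(int(mask_hex, 16))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def decode_id_payload(words: str) -> tuple:
    """Decode an IKEv1 identification payload body as dumped after 'IDci:' / 'IDcr:'.

    Layout per RFC 2407: ID type (1 byte), protocol (1 byte), port (2 bytes), then data;
    for ID type 4 (ID_IPV4_ADDR_SUBNET) the data is the address followed by the netmask.
    """
    raw = bytes.fromhex(words.replace(" ", ""))
    id_type, proto, port = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if id_type != 4 or len(raw) != 12:
        raise ValueError("only ID_IPV4_ADDR_SUBNET payloads are handled here")
    return id_type, proto, port, hex_to_network(raw[4:8].hex(), raw[8:12].hex())


def parse_flow(log: str) -> dict:
    """Return {'src': network, 'dst': network} for the flow the peer proposes (first occurrence)."""
    flow = {}
    for side, addr_hex, mask_hex in FLOW_RE.findall(log):
        flow.setdefault(side, hex_to_network(addr_hex, mask_hex))
    return flow


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei ACL 'address wildcard' -> network; a bare '0' wildcard means a single host."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def covering_rules(acl_text: str, flow: dict) -> list:
    """Ids of ACL rules whose source and destination both cover the proposed flow.

    Assumption of this example: the responder needs a rule at least as wide as the peer's
    selectors, so the host-to-/27 rules of ACL 3111 do not satisfy a /24-to-/24 proposal.
    """
    hits = []
    for rid, s_addr, s_wc, d_addr, d_wc in RULE_RE.findall(acl_text):
        if (flow["src"].subnet_of(wildcard_to_network(s_addr, s_wc))
                and flow["dst"].subnet_of(wildcard_to_network(d_addr, d_wc))):
            hits.append(int(rid))
    return hits


def acl_rule(rule_id: int, flow: dict) -> str:
    """Render the Huawei ACL rule (wildcard masks) that mirrors the proposed flow exactly."""
    src, dst = flow["src"], flow["dst"]
    return (f"rule {rule_id} permit ip source {src.network_address} {src.hostmask} "
            f"destination {dst.network_address} {dst.hostmask}")


def diagnose(log: str, acl_text: str, new_rule_id: int = 5) -> str:
    """Detect the mismatch, decode the flow, and propose the missing rule (rule 5 in the case)."""
    if not has_acl_mismatch(log):
        return "no phase-2 ACL mismatch message in log"
    flow = parse_flow(log)
    if len(flow) != 2:
        return "mismatch reported but no flow lines found; run 'debugging ike all'"
    if covering_rules(acl_text, flow):
        return "local ACL already covers the proposed flow; look elsewhere"
    return "local ACL does not cover the proposed flow; add: " + acl_rule(new_rule_id, flow)


if __name__ == "__main__":
    print(diagnose(DEBUG_LOG, ACL_3111))
```

Run against the excerpt and ACL 3111 it reports that no rule covers 16.17.18.0/24 to 10.69.36.0/24 and prints the same rule 5 the case added; with that rule appended it reports the ACL as already covering the flow. Non-contiguous wildcard masks raise a ValueError from ipaddress, which is deliberate: they cannot be expressed as a single network and need a manual look.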
Root Cause
1. Check the IPsec configuration of the firewall. It uses an IKE peer-to-peer IPsec VPN configuration, IKE version 1, main mode.
#
acl number 3111
 rule 0 permit ip source 16.17.18.102 0 destination 10.69.36.32 0.0.0.31
 rule 1 permit ip source 16.17.18.102 0 destination 10.69.36.64 0.0.0.31
 rule 2 permit ip source 16.17.18.103 0 destination 10.69.36.32 0.0.0.31
 rule 3 permit ip source 16.17.18.103 0 destination 10.69.36.64 0.0.0.31
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 43200
#
ike peer nsn
 pre-shared-key NSN@HuaweiSH
 ike-proposal 1
 undo version 2
 remote-address 183.129.153.138
#
ipsec proposal nsn
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy topolarispolicy 10 isakmp
 security acl 3111
 ike-peer nsn
 proposal nsn
#
interface GigabitEthernet0/0/0
 ip address 58.60.106.127 255.255.255.0
 ipsec policy topolarispolicy
#

2. The local site starts the negotiation, and the IKE negotiation status is checked:
phase 1 (v1:1) is ready;
the second phase (v1:2) fails (status: <unnamed>).

[Eudemon1000E] display ike sa
10:29:53  2014/04/22
current ike sa number: 6
  ---------------------------------------------------------------------
  connection-id     peer                vpn    flag        phase    doi
  ---------------------------------------------------------------------
0x36817         <unnamed>               0     NONE        v1:2    IPSEC
0x36816         183.129.153.138         0     RD          v1:1    IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

Suggestions
1. How to find out why IKE negotiation fails:
display ike sa / debugging ike error / debugging ike all.

2. Recognize the debug messages that show the ACLs differ between the two sides:
"phase2: security acl mismatch" and "due to notification type INVALID_ID_INFORMATION"

2014-04-22 10:34:24 Eudemon1000E %%01IKE/4/IPSECACL(l): phase2: security acl mismatch.
3.2152305828 Eudemon1000E %%01IKE/7/DEBUG(d): dropped message from 183.129.153.138 due to notification type INVALID_ID_INFORMATION

3. When the protected flow on the remote side is unknown, derive the exact local ACL configuration from the debug log:

3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): proid:0
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): src addr:0x10111200 mask:0xFFFFFF00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): src port:0
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): dst addr:0x0A452400 mask:0xFFFFFF00
3.2152485962 Eudemon1000E %%01IKE/7/DEBUG(d): dst port:0

END