
After Configuring IPSec, the Tunnel Didn't Work Normally on USG6300

Publication Date:  2015-02-09 Views:  196 Downloads:  0
Issue Description

After configuring IPSec, the tunnel didn't work normally. I found this error:



Handling Process

After checking the configuration, I found that NAT is enabled by default on the outgoing interface G0/0/4, but the protected data flow should be exempted from NAT. IPSec processing is performed after NAT, so you must exempt IPSec traffic from NAT.

The protected data flow must not match the destination NAT policy. Otherwise, the destination IP address of the packets will be translated.

So we deleted the NAT policy which was configured for LAN users because of 

nat-policy
 rule name trafficnonat
  egress-interface GigabitEthernet0/0/4
  source-address 192.168.1.0 24
  destination-address 10.1.1.0 24
  action no-nat
 rule name nonat
  source-zone local
  egress-interface GigabitEthernet0/0/4
  action no-nat
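To check a rule set like the one above before applying it, the following added example (not part of the original case and not Huawei code) parses the keywords used in that block and reports whether a protected flow reaches a no-nat rule first. It assumes rules are evaluated top-down with first match winning, that LAN traffic comes from a source zone named "trust", and that a flow matching no rule is translated by the interface's default NAT, as in this case's root cause.

```python
import ipaddress
from dataclasses import dataclass

# The nat-policy block from the page, reproduced as parser input.
PAGE_POLICY = """\
nat-policy
 rule name trafficnonat
  egress-interface GigabitEthernet0/0/4
  source-address 192.168.1.0 24
  destination-address 10.1.1.0 24
  action no-nat
 rule name nonat
  source-zone local
  egress-interface GigabitEthernet0/0/4
  action no-nat
"""

@dataclass
class Rule:
    name: str
    src: str = "0.0.0.0/0"   # no source-address line: any source
    dst: str = "0.0.0.0/0"   # no destination-address line: any destination
    zone: str = ""           # no source-zone line: any zone
    action: str = ""

def parse_nat_policy(text):
    """Parse only the keywords used in the page's block; egress-interface is ignored."""
    rules = []
    for words in (line.split() for line in text.splitlines()):
        if words[:2] == ["rule", "name"]:
            rules.append(Rule(words[2]))
        elif words[:1] == ["source-address"]:
            rules[-1].src = f"{words[1]}/{words[2]}"
        elif words[:1] == ["destination-address"]:
            rules[-1].dst = f"{words[1]}/{words[2]}"
        elif words[:1] == ["source-zone"]:
            rules[-1].zone = words[1]
        elif words[:1] == ["action"]:
            rules[-1].action = words[1]
    return rules

def flow_is_exempt(rules, src, dst, zone="trust"):
    """True only if the first rule matching the flow (top-down) is a no-nat rule."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for r in rules:
        if (s.subnet_of(ipaddress.ip_network(r.src)) and r.zone in ("", zone)
                and d.subnet_of(ipaddress.ip_network(r.dst))):
            return r.action == "no-nat"
    return False  # no rule matched: assume the interface default NAT applies
```

Calling `flow_is_exempt(parse_nat_policy(PAGE_POLICY), "192.168.1.0/24", "10.1.1.0/24")` returns `True`; placing a broader translating rule for 192.168.1.0/24 ahead of `trafficnonat` makes it return `False`.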

 

Now IPSec is working fine and the tunnel is up.



<USG6300-HH> display ike sa
17:19:26  2014/12/01
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                                    flag          phase vpn
-----------------------------------------------------------------------------
110        217.165.23.135:4500                     RD|A          v1:2  public
108        217.165.23.135:4500                     RD|D|A        v1:1  public

  flag meaning
  RD--READY      ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING  D--DPD          M--ACTIVE     S--STANDBY
  A--ALONE
<USG6300-HH>


Root Cause

NAT is enabled by default on the outgoing interface G0/0/4
