
Firewall connectivity fails after L2TP over IPSEC configuration was made

Publication Date:  2016-01-30 Views:  128 Downloads:  0
Issue Description

Customer tried to configure L2TP over IPSEC on a USG6600 and, after applying the configuration, the connection went down.

===================================================
  ===============display version===============
===================================================
08:40:43  2015/12/01
Huawei Versatile Security Platform Software
Software Version: USG6600 V100R001C30  (VRP (R) Software, Version 5.30)

IPSEC configuration:

Alarm Information
none
Handling Process

What I have done:

Asked the customer to extract the display diagnostic command output and the logging information for that specific moment in time.

Root Cause
I have found the reason why the connection dropped after applying the configuration for IPSEC.

We can see that rule 5 was removed and that, according to the current ACL, all traffic will now be encrypted and sent through the tunnel; see the highlighted log.

%2015-11-30 13:40:10 xxxxxxxxxxxxxx SHELL/5/CMDRECORD:task=HTPR, ip=xxxxxxx user=admin, usertype=5, vsys=root, command=acl 3000, result=succeeded.
%2015-11-30 13:40:10 xxxxxxxxxxxxxx SHELL/5/CMDRECORD:task=HTPR, ip=xxxxxxx, user=admin, usertype=5, vsys=root, command=undo rule 5, result=succeeded.
%2015-11-30 13:40:23xxxxxxxxxxxxxxx-1 SHELL/5/CMDRECORD:task=HTPR, ip=xxxxxxxxx, user=admin, usertype=5, vsys=root, command=acl 3000, result=succeeded.
%2015-11-30 13:40:23 xxxxxxxxxxxxxx-1 SHELL/5/CMDRECORD:task=HTPR, ip=xxxxxxx, user=admin, usertype=5, vsys=root, command=rule permit ip source any destination any, result=succeeded.

We can see that the source IP from which you tried to reach the device is 1.1.1.1. According to the FIB, there is no entry for this subnet, so the return traffic follows the default route to find its destination:
0.0.0.0/0          x.11.90.17    GSU  t[428]        GE2/0/0         0x0
But the default route points to G2/0/0, which is the interface on which the tunnel was deployed. Since the tunnel never came up, the connection was lost.
Solution
Adjust the security ACL to permit only the interesting traffic flows. Do not send all the traffic over the IPSEC tunnel.
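As an added example (not from this case or from Huawei), the Python below replays the CMDRECORD lines from the root cause into the ACL rule table and checks whether a given flow, such as the admin at 1.1.1.1 reaching the firewall, would be classified as IPsec interesting traffic, so that a permit-any ACL can be caught before it is applied. The wildcard-to-netmask conversion, the step-of-5 auto-numbering of unnumbered rules, and the subnets used for the corrected ACL are assumptions.

```python
import ipaddress
import re
# Constructed sample built from the four CMDRECORD lines quoted in the case (fields anonymised as on the page)
CASE_LOG = [
    "%2015-11-30 13:40:10 x SHELL/5/CMDRECORD:task=HTPR, ip=x user=admin, usertype=5, vsys=root, command=acl 3000, result=succeeded.",
    "%2015-11-30 13:40:10 x SHELL/5/CMDRECORD:task=HTPR, ip=x, user=admin, usertype=5, vsys=root, command=undo rule 5, result=succeeded.",
    "%2015-11-30 13:40:23 x-1 SHELL/5/CMDRECORD:task=HTPR, ip=x, user=admin, usertype=5, vsys=root, command=acl 3000, result=succeeded.",
    "%2015-11-30 13:40:23 x-1 SHELL/5/CMDRECORD:task=HTPR, ip=x, user=admin, usertype=5, vsys=root, command=rule permit ip source any destination any, result=succeeded.",
]
CMD_RE = re.compile(r"command=(?P<cmd>.+?), result=(?P<result>\w+)")
RULE_RE = re.compile(r"rule(?: (\d+))? (permit|deny) \S+(?: source (any|\S+ \S+))?(?: destination (any|\S+ \S+))?")

def _network(spec):
    # 'any', absent, or '<ip> <wildcard>'; in a Huawei wildcard a set bit means "don't care" (assumed)
    if spec in (None, "any"):
        return ipaddress.ip_network("0.0.0.0/0")
    ip, wildcard = spec.split()
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((ip, str(netmask)), strict=False)

def parse_rule(cmd, existing):
    # 'rule [n] permit|deny <proto> [source S] [destination D]'; an unnumbered rule gets the next multiple of 5 (assumed default step)
    num, action, src, dst = RULE_RE.match(cmd).groups()
    num = int(num) if num else (max(existing, default=0) // 5 + 1) * 5
    return num, (action, _network(src), _network(dst))

def replay(lines):
    # Rebuild each ACL's rule table from the successful CMDRECORD commands, in order
    acls, current = {}, None
    for line in lines:
        m = CMD_RE.search(line)
        if not m or m.group("result") != "succeeded":
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith("acl "):
            current = cmd.split()[1]
            acls.setdefault(current, {})
        elif cmd.startswith("undo rule ") and current:
            acls[current].pop(int(cmd.split()[2]), None)
        elif cmd.startswith("rule ") and current:
            num, rule = parse_rule(cmd, acls[current])
            acls[current][num] = rule
    return acls

def goes_to_tunnel(acl, src_ip, dst_ip):
    # First matching rule wins; a permit makes the flow IPsec "interesting traffic"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, (action, src, dst) in sorted(acl.items()):
        if s in src and d in dst:
            return action == "permit"
    return False
```

Running `replay(CASE_LOG)` and testing the admin's flow against `acls["3000"]` shows the any/any rule sends it into the tunnel, while a rule scoped to the two L2TP subnets leaves management traffic on its normal path.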
Suggestions
none
