
Site-to-Site VPN between USG6330 and AR161F

Publication Date: 2017-05-25
Issue Description

Fault symptom: Both devices show that no packets are being encrypted. Both devices have a permit rule configured for traffic in both directions between the public IP addresses.

USG Version : V500R001C30SPC100

AR Version : V200R007C00SPCb00

Configuration script:

ipsec proposal prop18411381877
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

Handling Process

We requested the diagnostic files from both devices and reproduced the setup in the lab.

After reproducing the configuration, we found two issues. First, ACL 2999 does not exclude the traffic protected by the IPsec VPN, because the AR router applies NAT before IPsec.

Second, the command "ipsec authentication sha2 compatible enable" must be configured on the local device. If it is not configured on the local device, service transmission is interrupted.

Root Cause

After reproducing the configuration, we found the following issue: the customer configured IPsec and NAT together on the same WAN interface:

interface GigabitEthernet0/0/4
 description WAN
 tcp adjust-mss 1200
 ip address 83.14.127.86 255.255.255.252
 nat outbound 2999
 zone UNTRUST
 ipsec policy POLICY1

ACL 2999 does not exclude the traffic protected by the IPsec VPN. Because the AR router applies NAT first, the source IP address of that traffic is translated by NAT before the IPsec policy is evaluated, so the traffic no longer matches the policy and cannot enter the IPsec tunnel.

In addition, ACL 2999 is a basic ACL, which can only match on the source IP address, so a deny rule in it would exclude the whole source subnet from NAT. By changing to an advanced ACL, such as 3100, we can deny only the traffic that is protected by the IPsec VPN (by source and destination) and leave NAT in place for everything else.

 

Solution

1. Modify the configuration as below:

[Huawei] acl 3100
[Huawei-acl-adv-3100] rule 5 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.0.0 0.0.3.255
[Huawei-acl-adv-3100] rule 10 permit ip
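To make the NAT-before-IPsec ordering concrete, here is an added Python model; it is not Huawei code and is not part of the original case. It evaluates a packet against the NAT ACL first and only then against the IPsec policy, as the AR router does, and compares the constructed original basic ACL 2999, a basic ACL with a deny rule, and the advanced ACL 3100 from the solution. It assumes the IPsec-protected flow is 172.16.1.0/24 to 192.168.0.0/22 (the flow that rule 5 of ACL 3100 exempts), that ACL 2999 originally permitted the LAN source, and that an outbound NAT ACL translates only on a permit match.

```python
import ipaddress

# Constructed model (not Huawei code) of the AR's outbound order: the NAT ACL is
# evaluated first, then the IPsec policy matches on the possibly translated packet.
# Assumption: the IPsec-protected flow is 172.16.1.0/24 -> 192.168.0.0/22.
PUBLIC_IP = "83.14.127.86"          # WAN address of GigabitEthernet0/0/4 on the page
VPN_SRC, VPN_DST = "172.16.1.0/0.0.0.255", "192.168.0.0/0.0.3.255"
ANY = None                          # a rule with no source/destination, e.g. 'rule 10 permit ip'

def wildcard_match(ip, spec):
    """Huawei 'address wildcard' match: bits set in the wildcard are don't-care."""
    if spec is ANY:
        return True
    base, wild = spec.split("/")
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def nat_translates(acl, src, dst):
    """First matching rule decides: permit = translate; deny or no match = leave alone (assumed)."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action == "permit"
    return False

def forward(nat_acl, src, dst):
    """NAT runs first, so the IPsec policy only sees the translated source."""
    if nat_translates(nat_acl, src, dst):
        src = PUBLIC_IP
    encrypted = wildcard_match(src, VPN_SRC) and wildcard_match(dst, VPN_DST)
    return {"src": src, "encrypted": encrypted}

# A basic ACL (2xxx) can only match the source, so its destination is always ANY.
ACL_2999_PERMIT_LAN = [("permit", "172.16.1.0/0.0.0.255", ANY)]        # constructed original ACL 2999
ACL_2999_DENY_LAN = [("deny", "172.16.1.0/0.0.0.255", ANY),            # the only exemption a basic ACL offers
                     ("permit", ANY, ANY)]
ACL_3100 = [("deny", VPN_SRC, VPN_DST),                                # rule 5 from the Solution
            ("permit", ANY, ANY)]                                      # rule 10 permit ip

def compare():
    """For each NAT ACL: (VPN flow gets encrypted?, Internet flow still gets NAT?)."""
    vpn_flow, inet_flow = ("172.16.1.10", "192.168.1.20"), ("172.16.1.10", "203.0.113.9")
    acls = [("basic-permit", ACL_2999_PERMIT_LAN), ("basic-deny", ACL_2999_DENY_LAN), ("advanced-3100", ACL_3100)]
    return {name: (forward(acl, *vpn_flow)["encrypted"], forward(acl, *inet_flow)["src"] == PUBLIC_IP)
            for name, acl in acls}

if __name__ == "__main__":
    for name, (vpn_ok, inet_ok) in compare().items():
        print(f"{name:14} VPN encrypted: {vpn_ok!s:5}  Internet NATed: {inet_ok}")
```

Only the advanced ACL keeps both results true: the VPN flow skips NAT and is encrypted, while Internet-bound traffic from the same LAN is still translated.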


2. Because the IPsec proposal uses SHA2, also configure the command "ipsec authentication sha2 compatible enable".

When IPsec uses the SHA-2 algorithm and the device at the remote end of the IPsec tunnel is another vendor's device, this command must be configured on the local device. If the command is not configured on the local device, service transmission is interrupted.

END