
Networks are not reachable after being added to the IPsec encryption domain

Publication Date:  2017-10-14 Views:  369 Downloads:  0
Issue Description

Fault symptom:

IPsec phase 2 is not established for the new networks after they were added to the encryption domain.


Version information: V500R001C30SPC600


Network overview: two USG6600 firewalls

Network topology:




Handling Process

In this case, the customer added more networks to the encryption domain of an IPsec tunnel that was already up. To troubleshoot this kind of issue, follow these steps.

1.- Check the IKE SA with the following command; in this case we need to verify that both phase 1 and phase 2 are up.

display ike sa

sysname> display ike sa remote 10.100.1.1
                                                                                
Spu board slot 1, cpu 1 ike sa information :                                    
    Conn-ID       Peer            VPN   Flag(s)                Phase            
  --------------------------------------------------------------------          
    117477244     10.100.1.1            RD|M                   v2:2             
    117477243     10.100.1.1            RD|M                   v2:2             
    117477242     10.100.1.1            RD|M                   v2:1 

 - If phase 1 is not up, check the reason with the following command:

display ike sa error-info


2.- Validate that phase 2 is up with the following command:

display ipsec sa

The output should be similar to the following:

<sysname> display ipsec sa
===============================                                                 
Interface: GigabitEthernet2/0/10                                                
===============================                                                 
 -----------------------------                                                 
  IPSec policy name: "pc2"                                                      
  Sequence number  : 1                                                          
  Acl group        : 3061                                                       
  Acl rule         : -                                                          
  Mode             : Template                                                   
  -----------------------------                                                 
    Connection ID     : 67108879                                                
    Encapsulation mode: Tunnel                                                  
    Tunnel local      : 137.0.0.1                                               
    Tunnel remote     : 137.0.0.2                                               
    Flow source       : 137.0.0.1/255.255.255.255 17/1701                       
    Flow destination  : 137.0.0.2/255.255.255.255 17/39725                      
                                                                                
    [Outbound ESP SAs]                                                          
      SPI: 4055669516 (0xf1bc9b0c)                                              
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1                              
      SA remaining key duration (kilobytes/sec): 1840323/2420                   
      Max sent sequence-number: 2377                                            
      UDP encapsulation used for NAT traversal: N                               
      SA encrypted packets (number/kilobytes): 2376/2877                        
                                                                                
    [Inbound ESP SAs]                                                           
      SPI: 1050491168 (0x3e9d3920)                                              
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1                              
      SA remaining key duration (kilobytes/sec): 1840323/2420                   
      Max received sequence-number: 2377                                        
      UDP encapsulation used for NAT traversal: N                               
      SA decrypted packets (number/kilobytes): 2376/2877                        
      Anti-replay : Enable                                                      
      Anti-replay window size: 1024           
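To make the two checks above repeatable, here is an added Python helper (not part of this article or of Huawei's tooling) that parses the "display ike sa" and "display ipsec sa" output shown above and reports which IKE phases are ready for a peer and whether a given local/remote network pair is already covered by an IPsec SA's flow selectors. The sample text is constructed from the listings in this article; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample text modelled on the article's "display ike sa" and
# "display ipsec sa" listings (the article's values, not a live device).
IKE_SA_OUTPUT = """\
Spu board slot 1, cpu 1 ike sa information :
    Conn-ID       Peer            VPN   Flag(s)                Phase
  --------------------------------------------------------------------
    117477244     10.100.1.1            RD|M                   v2:2
    117477243     10.100.1.1            RD|M                   v2:2
    117477242     10.100.1.1            RD|M                   v2:1
"""
IPSEC_SA_OUTPUT = """\
  IPSec policy name: "pc2"
    Flow source       : 137.0.0.1/255.255.255.255 17/1701
    Flow destination  : 137.0.0.2/255.255.255.255 17/39725
"""

def ike_phases(output, peer):
    """Phases (1 = IKE SA, 2 = IPsec SA) in state RD for 'peer' in 'display ike sa'."""
    phases = set()
    for line in output.splitlines():
        fields = line.split()
        # Data rows: Conn-ID, Peer, [VPN], Flag(s), Phase; VPN may be blank, so read from the end.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        row_peer, flags, phase = fields[1], fields[-2], fields[-1]
        m = re.fullmatch(r"v\d:(\d)", phase)
        if row_peer == peer and m and "RD" in flags.split("|"):
            phases.add(int(m.group(1)))
    return phases

def ipsec_flows(output):
    """(source, destination) selector pairs of every SA in 'display ipsec sa'."""
    flows, src = [], None
    for m in re.finditer(r"Flow (source|destination)\s*:\s*(\S+)", output):
        net = ipaddress.ip_network(m.group(2), strict=False)  # accepts addr/mask
        if m.group(1) == "source":
            src = net
        elif src is not None:
            flows.append((src, net))
            src = None
    return flows

def network_protected(output, local_net, remote_net):
    """True if some IPsec SA's selectors already cover local_net -> remote_net."""
    loc, rem = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    return any(loc.subnet_of(s) and rem.subnet_of(d) for s, d in ipsec_flows(output))
```

A newly added network that returns False from network_protected while phase 2 is listed as ready is exactly the symptom this article describes: the existing SAs do not cover the new flow.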



Solution

The root cause of this issue is that the IKE and IPsec SAs must be reset whenever new networks are added to the encryption domain; the SAs that are already established are not renegotiated for the new flows.

On the Huawei firewall, the following steps are required to re-establish the IPsec tunnel.

The commands must be run in user view:

1.- Reset ike connection.

<Huawei>reset ike sa

If you want to reset only a specific IKE SA, run the following command:

<Huawei>reset ike sa remote "ip address"

2.- Reset the IPsec connection.

<Huawei>reset ipsec sa


3.- Validate that the SAs have been re-established; the IKE check can be filtered by the peer IP address.

Ike sa validation

sysname> display ike sa remote 10.100.1.1

Spu board slot 1, cpu 1 ike sa information :
    Conn-ID       Peer            VPN   Flag(s)                Phase
  --------------------------------------------------------------------
    117477244     10.100.1.1            RD|M                   v2:2
    117477243     10.100.1.1            RD|M                   v2:2
    117477242     10.100.1.1            RD|M                   v2:1


IPsec Validation

<sysname> display ipsec sa
===============================
Interface: GigabitEthernet2/0/10
===============================
 -----------------------------
  IPSec policy name: "pc2"
  Sequence number  : 1
  Acl group        : 3061
  Acl rule         : -
  Mode             : Template
  -----------------------------
    Connection ID     : 67108879
    Encapsulation mode: Tunnel
    Tunnel local      : 137.0.0.1
    Tunnel remote     : 137.0.0.2
    Flow source       : 137.0.0.1/255.255.255.255 17/1701
    Flow destination  : 137.0.0.2/255.255.255.255 17/39725