
USG6370 IPSec tunnel cannot come up

Publication Date:  2017-10-24 Views:  4074 Downloads:  0
Issue Description

The topology is as shown in the diagram below:

The customer configured a site-to-site IPSec tunnel between the USG6370 and a Juniper SSG. After the configuration was finished, the IPSec tunnel could not come up.

When the customer collected debug information on the USG6370, it showed the following:

This means that the IKE SA (Phase 1) had not been established.

Handling Process

1. We checked the routing table: there is a route to the peer device, and the peer can be pinged.

2. We checked the USG6370 security policy: the interface on which IPSec is enabled has been added to a security zone, and the security policy is correct (on the USG this means the policy between the Local zone and the zone of the IPSec interface permits IKE on UDP 500, NAT-T on UDP 4500, and ESP).

3. We checked the IPSec configuration.

We compared the IPSec parameters with those of the Juniper SSG and found that the security ACLs did not match. The security ACL on each side must be the mirror image of the other's, because it defines the traffic selectors (proxy IDs) negotiated in Phase 2.

After the ACL was corrected, the IPSec tunnel was established between the USG6370 and the SSG, but the service still did not work.

We then found that the USG6370 connects to the peer device from a private IP address, which means there is a NAT device between the two peers. We captured packets on the USG6370, and the capture showed that the source and destination ports had changed from 500 to 4500, as shown below:

The port change is the IKE NAT-detection mechanism at work: once a NAT is detected, both peers move IKE to UDP 4500 and encapsulate ESP in UDP, since raw ESP (IP protocol 50) has no ports and does not pass through NAT. The USG6370 has NAT traversal enabled by default, so we asked the customer to check the NAT traversal configuration on the Juniper SSG.

After NAT traversal was enabled on the Juniper SSG, the service worked.
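The two checks that resolved this case (mirrored security ACLs in step 3, and NAT traversal agreement once UDP 4500 is seen on the wire) can be scripted. The following Python is an added example and is not part of the original case or of any Huawei or Juniper tool; the device descriptions, the ACL pairs, the dict layout and the packet-capture summary are constructed for illustration, and the addresses are invented rather than the customer's.

```python
"""Consistency check for two site-to-site IPSec parameters that this case
turned on: the security ACL (Phase 2 traffic selectors) and NAT traversal.
Added example; all inputs below are constructed, not taken from a real device."""
from ipaddress import ip_network

IKE_PORT = 500      # IKE before NAT detection
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP after a NAT is detected

# Constructed peer descriptions (assumption: one dict per device, with the
# security ACL written as (source, destination) pairs from that device's
# own point of view).
USG = {
    "name": "USG6370",
    "acl": [("192.168.1.0/24", "10.10.0.0/16")],
    "nat_traversal": True,  # enabled by default on the USG
}
SSG_BEFORE = {
    "name": "Juniper SSG",
    "acl": [("10.10.0.0/24", "192.168.1.0/24")],  # wrong mask: not a mirror of the USG rule
    "nat_traversal": False,
}
SSG_AFTER = {
    "name": "Juniper SSG",
    "acl": [("10.10.0.0/16", "192.168.1.0/24")],
    "nat_traversal": True,
}

# Constructed capture summary: IKE starts on UDP/500, then both peers move
# to UDP/4500 because a NAT sits between them (the USG has a private address).
CAPTURE = [
    {"proto": "udp", "sport": IKE_PORT, "dport": IKE_PORT},
    {"proto": "udp", "sport": IKE_PORT, "dport": IKE_PORT},
    {"proto": "udp", "sport": NAT_T_PORT, "dport": NAT_T_PORT},
    {"proto": "udp", "sport": NAT_T_PORT, "dport": NAT_T_PORT},
]


def unmirrored_rules(local, peer):
    """Local (src, dst) rules that have no (dst, src) counterpart on the peer."""
    peer_view = {(ip_network(dst), ip_network(src)) for src, dst in peer["acl"]}
    return [(src, dst) for src, dst in local["acl"]
            if (ip_network(src), ip_network(dst)) not in peer_view]


def nat_t_on_the_wire(capture):
    """True if IKE/ESP traffic was seen on UDP/4500, i.e. NAT-T was negotiated."""
    return any(p["proto"] == "udp" and NAT_T_PORT in (p["sport"], p["dport"])
               for p in capture)


def diagnose(local, peer, capture):
    """Return human-readable findings; an empty list means the parameters agree."""
    findings = []
    for side, other in ((local, peer), (peer, local)):
        for src, dst in unmirrored_rules(side, other):
            findings.append(f"security ACL mismatch: {side['name']} rule {src} -> {dst} "
                            f"has no mirrored rule on {other['name']}")
    if nat_t_on_the_wire(capture):
        for dev in (local, peer):
            if not dev["nat_traversal"]:
                findings.append(f"NAT-T mismatch: UDP/{NAT_T_PORT} seen on the wire but "
                                f"{dev['name']} has NAT traversal disabled")
    return findings


if __name__ == "__main__":
    for label, ssg in (("before fix", SSG_BEFORE), ("after fix", SSG_AFTER)):
        print(label, diagnose(USG, ssg, CAPTURE) or ["OK"])
```

Run with the constructed inputs, the "before" case reports the unmirrored ACL rule from both sides plus the NAT-T mismatch on the SSG, and the "after" case reports nothing. To use it against real devices, fill the two dicts from the USG `display ipsec policy` / ACL output and the SSG's proxy-ID and gateway settings, and the capture list from whatever the sniffer shows on the IPSec interface.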

 

Root Cause

The IPSec parameters on the two devices were not the same, specifically the security ACL and the NAT traversal setting.

Solution

When configuring site-to-site IPSec between a USG and a third-party device, the IPSec parameters must be the same on both ends.

Some settings, such as NAT traversal, are enabled by default on the USG but are not configured by default on the third-party device, so they must be checked explicitly on both sides rather than assumed.

END