The topology is as shown below:
The customer configured site-to-site IPSec between the USG6370 and a Juniper SSG. After the configuration was finished, the IPSec tunnel could not come up.
When the customer collected the debug information on the USG6370, it showed the following:
This means that the IKE SA (Phase 1) was not established.
1. We checked the routing table: a route to the peer device exists and the peer can be pinged.
2. We checked the USG6370 security policy: the interface on which IPSec is enabled has been added to the zone, and the security policy is correct.
3. We checked the IPSec configuration.
We compared the IPSec parameters with those on the Juniper SSG and found that the security ACLs did not match.
After the ACL was modified, IPSec was established between the USG6370 and the SSG, but the service still did not work.
We then found that the USG6370 used a private IP address to connect to the peer device. We captured packets on the USG6370,
and they showed that the source port and destination port had been changed to 4500, as shown below:
Because NAT traversal is enabled by default on the USG6370, we asked the customer to check the configuration of the peer Juniper SSG.
After NAT traversal was enabled on the Juniper SSG, the service worked.
The IPSec parameters on the two devices were not the same, such as the security ACL and NAT traversal.
When configuring site-to-site IPSec between the USG and another vendor's device, the IPSec parameters must be the same on both sides.
Some settings are enabled by default on the USG but are not configured on the other vendor's device.
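The two mismatches from this case can be checked before a tunnel is brought up. The following is an added example, not part of the original case or of either vendor's tooling; the dictionary keys, function names and all addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; a tunnel endpoint inside one of these sits behind a NAT device.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def behind_nat(ip):
    """True when the tunnel endpoint address is a private (RFC 1918) address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def mirrored(local_acl, peer_acl):
    """True when each local (source, destination) rule exists on the peer as (destination, source)."""
    local = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in local_acl}
    peer = {(ipaddress.ip_network(d), ipaddress.ip_network(s)) for s, d in peer_acl}
    return local == peer

def compare_peers(local, peer):
    """Return the list of parameter mismatches between two IPSec peers."""
    problems = []
    if not mirrored(local["acl"], peer["acl"]):
        problems.append("security ACL: rules are not mirror images of each other")
    if local["nat_traversal"] != peer["nat_traversal"]:
        problems.append("NAT traversal: enabled on one peer only")
    both_natt = local["nat_traversal"] and peer["nat_traversal"]
    for name, cfg in (("local", local), ("peer", peer)):
        if behind_nat(cfg["tunnel_ip"]) and not both_natt:
            problems.append(f"{name} endpoint {cfg['tunnel_ip']} is private: "
                            "both peers need NAT traversal (UDP 4500)")
    return problems

# Constructed sample values modelling the three stages of the case (not taken from the page).
USG = {"tunnel_ip": "192.168.10.2", "nat_traversal": True,
       "acl": [("10.1.1.0/24", "10.2.2.0/24")]}
SSG_BEFORE = {"tunnel_ip": "203.0.113.10", "nat_traversal": False,
              "acl": [("10.2.0.0/16", "10.1.1.0/24")]}      # ACL mismatch, NAT-T off
SSG_ACL_FIXED = dict(SSG_BEFORE, acl=[("10.2.2.0/24", "10.1.1.0/24")])  # tunnel up, no traffic
SSG_AFTER = dict(SSG_ACL_FIXED, nat_traversal=True)         # service restored

if __name__ == "__main__":
    for label, ssg in (("before", SSG_BEFORE), ("ACL fixed", SSG_ACL_FIXED), ("after", SSG_AFTER)):
        print(label, compare_peers(USG, ssg) or "no mismatch")
```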