IPSec Tunnel Cannot Be Established Between USG2110 and USG2130BSR Because of a Sub Address

Publication Date: 2012-09-12
Issue Description
USG2130BSR  - USG2110
The parameter configuration is correct, but the tunnel cannot be established when the USG2130BSR sets up an IPSec interconnection with the USG2110.
Alarm Information
Null
Handling Process
Configure the port address as the local address in the ike peer on both devices:

ike peer bfbg_dl     (USG2130 port)
exchange-mode aggressive
pre-shared-key vpn2011
ike-proposal 4
remote-address 222.32.72.122
local-address 222.32.75.28
nat traversal

ike peer bfbg_dl     (USG2110 port)
exchange-mode aggressive
pre-shared-key vpn2011
ike-proposal 4
remote-address 222.32.75.28
local-address 222.32.72.122
nat traversal

Root Cause
Check the interface configuration. Each interface has a sub address configured:
interface Ethernet0/0/0   (USG2130 port)
ip address 222.32.75.28 255.255.255.0
ip address 222.32.75.29 255.255.255.0 sub
undo ip fast-forwarding qff
undo ip fast-forwarding output
ipsec policy vpnlink auto-neg

interface Ethernet0/0/0     (USG2110 port)
ip address 222.32.72.122 255.255.255.0
ip address 222.32.72.123 255.255.255.0 sub
undo ip fast-forwarding qff
undo ip fast-forwarding output
ipsec policy vpnlink

When traffic triggers tunnel establishment, the device may use the sub address to establish the tunnel. Because the remote address configured on the peer is not the sub address, the tunnel cannot be established. The solution is to configure the port address.
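The check below is an added example, not part of the original case or Huawei tooling: it parses the configuration of both endpoints and reports an endpoint whose interface carries a sub address while the ike peer has no local-address, or whose local-address differs from the remote-address set on the other side. The sample configurations are constructed from the excerpts above, and the function names and the "before" state of the USG2110 are assumptions; only the ike peer form of local-address shown in this case is parsed.

```python
import re

# Constructed sample configs, trimmed from the excerpts in this article.
USG2130 = """\
ike peer bfbg_dl
 remote-address 222.32.72.122
 local-address 222.32.75.28
interface Ethernet0/0/0
 ip address 222.32.75.28 255.255.255.0
 ip address 222.32.75.29 255.255.255.0 sub
"""
# Constructed "before the fix" state: no local-address on the ike peer.
USG2110_BEFORE = """\
ike peer bfbg_dl
 remote-address 222.32.75.28
interface Ethernet0/0/0
 ip address 222.32.72.122 255.255.255.0
 ip address 222.32.72.123 255.255.255.0 sub
"""
USG2110_AFTER = USG2110_BEFORE.replace(
    "ike peer bfbg_dl\n", "ike peer bfbg_dl\n local-address 222.32.72.122\n")

def parse(cfg):
    """Return (local-address, remote-address, sub addresses) found in cfg."""
    def first(key):
        m = re.search(rf"^[ \t]*{key}[ \t]+(\S+)", cfg, re.M)
        return m.group(1) if m else None
    subs = re.findall(r"^[ \t]*ip address (\S+) \S+ sub[ \t]*$", cfg, re.M)
    return first("local-address"), first("remote-address"), subs

def check_pair(devices):
    """devices: {name: config text} for the two endpoints. Returns findings."""
    parsed = {name: parse(cfg) for name, cfg in devices.items()}
    a, b = parsed
    findings = []
    for me, peer in ((a, b), (b, a)):
        local, _, subs = parsed[me]
        peer_remote = parsed[peer][1]
        if local is None and subs:
            findings.append(f"{me}: no local-address; sub address {subs} may source IKE")
        elif local is not None and local != peer_remote:
            findings.append(f"{me}: local-address {local} != {peer} remote-address {peer_remote}")
    return findings

if __name__ == "__main__":
    print(check_pair({"USG2130": USG2130, "USG2110": USG2110_BEFORE}))
    print(check_pair({"USG2130": USG2130, "USG2110": USG2110_AFTER}))
```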
Suggestions
Note that the address is configured in the ike peer on older versions, and in the IPSec policy on newer versions.