Case study: an ACL mismatch prevents the IPsec SA from being established

Publication Date:  2012-09-25 Views:  318 Downloads:  0
Issue Description
A branch office is connected over an IPsec VPN between two USG2160 devices. One side has a fixed public IP address; the other side is a 3G dial-up connection. When the IPsec connection was triggered from the dial-up end, the phase 2 (IPsec SA) negotiation did not complete, and the peer flag showed "unnamed". The network topology is as follows: usg2160----internet---usg2160
Alarm Information
none
Handling Process
1. Check the IPsec configuration parameters on both devices: they are identical.
2. Check the ACLs that define the IPsec-protected data flow, and find the mistake.
The ACL on the first device is:
acl number 3001
rule 5 permit ip source 92.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
The ACL on the other device is:
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
Note the source address on the first device: 92.168.0.0 instead of 192.168.0.0. Change the first device's ACL to: rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255, and the tunnel comes up.
Root Cause
The two ACLs are not mirror images of each other: the source/destination pair on one side must be exactly the destination/source pair on the other side.
Suggestions
If IPsec phase 2 does not establish, either the ACLs on the two ends are not mirror images of each other, or some IPsec parameter does not match (pay particular attention to this when interconnecting with another vendor's products). In this case the cause was a mistyped IP address in the ACL, which was only found after careful inspection.
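The mirror check described above can be automated so that a typo like the one in this case is caught before the tunnel is tested. The following is an added example, not code from the original case or from the USG product; it parses the Huawei-style "rule N permit ip source A W destination B W" lines and reports where the two ends fail to mirror each other (the rule text and regular expression are assumptions made for this example).

```python
import ipaddress
import re

# Matches a Huawei-style ACL rule such as:
#   rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+permit\s+ip\s+"
    r"source\s+(?P<src>\S+)\s+(?P<src_wc>\S+)\s+"
    r"destination\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+)",
    re.IGNORECASE,
)


def wildcard_to_network(addr, wildcard):
    """Convert 'address wildcard-mask' (e.g. 192.168.0.0 0.0.0.255) to an ip_network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # wildcard bits must be contiguous (of the form 2**k - 1)
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix = 32 - wc.bit_length()
    # strict=False tolerates host bits set in the address part
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_rule(line):
    """Return (source_network, destination_network) for one permit rule."""
    m = RULE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised ACL rule: {line!r}")
    return (wildcard_to_network(m["src"], m["src_wc"]),
            wildcard_to_network(m["dst"], m["dst_wc"]))


def mirror_mismatches(local_rule, peer_rule):
    """List the ways the peer's rule fails to mirror ours (empty list = OK)."""
    l_src, l_dst = parse_rule(local_rule)
    p_src, p_dst = parse_rule(peer_rule)
    problems = []
    if l_src != p_dst:
        problems.append(f"local source {l_src} != peer destination {p_dst}")
    if l_dst != p_src:
        problems.append(f"local destination {l_dst} != peer source {p_src}")
    return problems


def is_mirror(local_rule, peer_rule):
    return not mirror_mismatches(local_rule, peer_rule)


if __name__ == "__main__":
    # The two rules from this case, as written before the fix
    first = "rule 5 permit ip source 92.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"
    second = "rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255"
    for problem in mirror_mismatches(first, second):
        print("MISMATCH:", problem)
```

Run against the two rules from this case, the script reports that the local source 92.168.0.0/24 does not equal the peer destination 192.168.0.0/24, which is exactly the typo found by hand.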

END