No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Ipsec tunnel can be established, the internal network ping impassability

Publication Date:  2012-11-01 Views:  296 Downloads:  0
Issue Description
User—router—USG5300—server
Phenomenon: in the USG5300 the “dis Ike sa” tunnel can be established, but the internal network address can't mutual access.
Alarm Information
None.
Handling Process
1, because tunnel can be built, so the ipsec configuration has no problem
2, there is no port fast convert command in USG5300 interface
3, in the NAT outbound ban the flow which is interested by ipsec, problem solving.
Root Cause
1, configuration problem
2, port fast convert didn’t close
3, in the NAT outbound didn’t ban the flow interested by ipsec
Suggestions
Conclusion: packets pass through firewall, must match NAT outbound firstly, then match VPN tunnel. So when configuring ipsec VPN, need to ban VPN private network data flow in the NAT outbound.

END