IPsec VPN establishment failure

Publication Date: 2013-08-26
Issue Description
Eudemon 200 (active) ----+
                         | 192.168.1.0/24
                         +---- Internet gateway ---- Firewall (remote peer)
Eudemon 200 (standby) ---+

As shown above, the two Eudemons run in A/S (active/standby) mode for hot backup, with VRRP enabled on the interface facing the Internet gateway. A default route is configured with the Internet gateway as next hop; the Internet gateway does not perform NAT. The Eudemon 200 acts as the NAT gateway and terminates the IPsec VPN. The IPsec VPN is configured as follows:
ike proposal 10
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
 sa duration 28800
#
ike peer dubai
 pre-shared-key *
 remote-address a.b.c.d
#
ipsec proposal dubai
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy dubai 10 isakmp
 security acl acl-number
 ike-peer dubai
 proposal dubai
#

Checking the IKE SA shows that no SA has been established (the result is empty).
Alarm Information
The debugging output contains the following two messages:

*1.3373932854 EU200-2 IPSEC/8/DBG:IPSec input drop packet! ACL is NULL.

*1.3373933287 EU200-2 IPSEC/8/DBG:IPSec output drop packet! A policy’s ACL is NULL. 
Handling Process
Add the following commands to set the IKE source address to the public network address e.f.g.h:

ike peer dubai
 local-address e.f.g.h

The local-address command is available in EU200 V200R001C01B05D or later.
Root Cause
Typically, these two messages indicate a security ACL mismatch, so the configurations on both sides were checked first; no configuration mistake was found. The problem was then analyzed against the topology. As the NAT gateway, the Eudemon 200 cannot advertise the private network 192.168.1.0/24 to the public network, and the IKE remote address configured on the peer firewall is the NAT public network address e.f.g.h.

A second look at the debugging information shows that the Eudemon 200 uses the VRRP virtual address 192.168.1.3 as its IKE source address. This is a private address that does not match the e.f.g.h the peer expects, so the source address is wrong and the negotiation never reaches the policy's ACL.
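The check that would have caught this case before deployment is a simple configuration audit: every IKE peer on a device that sits behind NAT or uses a VRRP virtual address should have an explicit local-address, and every ISAKMP policy should reference an existing IKE peer and IPsec proposal. The following script is an added example, not Huawei's code or part of this case; it parses the VRP-style configuration shown above (with the pre-shared key masked and the ACL number elided exactly as on the page), reports the missing local-address, and shows that the Handling Process fix clears the error. The deprecated-algorithm advisory (3DES, MD5, DH group 2) is an extra check that goes beyond the case.

```python
# Added example: audit an IKE/IPsec configuration for the fault in this case.
# Not Huawei code; it assumes a VRP-style config with '#'-separated stanzas.

# Constructed sample: the Eudemon 200 configuration from the case as given.
CONFIG_BEFORE_FIX = """\
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
sa duration 28800
#
ike peer dubai
pre-shared-key *
remote-address a.b.c.d
#
ipsec proposal dubai
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy dubai 10 isakmp
security acl acl-number
ike-peer dubai
proposal dubai
"""

# Same configuration with the Handling Process fix applied (IKE source address
# set to the public NAT address e.f.g.h).
CONFIG_AFTER_FIX = CONFIG_BEFORE_FIX.replace(
    "remote-address a.b.c.d\n",
    "remote-address a.b.c.d\nlocal-address e.f.g.h\n")

# Added advisory check, not part of the original case: algorithms that are
# deprecated for IKE/IPsec today.
WEAK_ALGORITHMS = {"3des-cbc", "3des", "md5", "group1", "group2"}


def parse_stanzas(config_text):
    """Split a VRP-style configuration into (header, [sub-commands]) pairs.

    Stanzas are separated by '#' lines; the first line of each is its header.
    A trailing '#' is appended so a final stanza without one is still flushed.
    """
    stanzas, block = [], []
    for raw in config_text.splitlines() + ["#"]:
        line = raw.strip()
        if line == "#":
            if block:
                stanzas.append((block[0], block[1:]))
            block = []
        elif line:
            block.append(line)
    return stanzas


def lint_ipsec_config(config_text):
    """Return a list of (severity, message) findings for an IKE/IPsec config."""
    findings = []
    stanzas = parse_stanzas(config_text)
    ike_peers, ipsec_proposals = {}, set()

    for header, body in stanzas:
        words = header.split()
        if words[:2] == ["ike", "peer"]:
            ike_peers[words[2]] = body
        elif words[:2] == ["ipsec", "proposal"]:
            ipsec_proposals.add(words[2])
        # Advisory: flag deprecated algorithms wherever they appear.
        for cmd in body:
            for token in cmd.split():
                if token in WEAK_ALGORITHMS:
                    findings.append(("advisory", f"'{header}': {token} is deprecated;"
                                     " prefer AES and SHA-2 with DH group 14 or higher"))

    # Error: an IKE peer without local-address lets the device pick its own
    # IKE source; with NAT or VRRP that was the virtual address 192.168.1.3.
    for name, body in ike_peers.items():
        if not any(cmd.startswith("local-address") for cmd in body):
            findings.append(("error", f"ike peer {name}: no local-address; with NAT or"
                             " VRRP the IKE source address may be chosen wrongly"))
        if not any(cmd.startswith("remote-address") for cmd in body):
            findings.append(("error", f"ike peer {name}: no remote-address"))

    # Error: an ISAKMP policy must reference an ACL, an IKE peer and a proposal.
    for header, body in stanzas:
        words = header.split()
        if words[:2] == ["ipsec", "policy"] and "isakmp" in words:
            refs = {cmd.split()[0]: cmd.split()[1:] for cmd in body}
            if "security" not in refs:
                findings.append(("error", f"'{header}': no security acl"))
            peer = refs.get("ike-peer", [None])[0]
            if peer not in ike_peers:
                findings.append(("error", f"'{header}': ike-peer {peer} is not defined"))
            prop = refs.get("proposal", [None])[0]
            if prop not in ipsec_proposals:
                findings.append(("error", f"'{header}': proposal {prop} is not defined"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", CONFIG_BEFORE_FIX), ("after fix", CONFIG_AFTER_FIX)):
        print(f"== {label} ==")
        for severity, message in lint_ipsec_config(cfg):
            print(f"[{severity}] {message}")
```

Run as-is, the "before fix" pass reports the missing local-address for ike peer dubai plus four algorithm advisories; the "after fix" pass reports only the advisories. The stanza parser relies on the `#` separators that VRP prints between configuration blocks, so output from a device's running configuration can be fed in directly.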
 
Suggestions
For a similar topology or requirement, upgrade the Eudemon 200 to V200R001C01B05D or later so that local-address can be configured under the IKE peer.
