Data traffic didn't flow in the IPSec tunnel

Publication Date:  2013-08-28
Issue Description
A customer wanted to establish an IPSec tunnel between a Huawei USG2200 firewall and a Juniper firewall. After the IPSec tunnel was successfully established, the customer reported that they could neither ping from 192.168.1.0/24 to 10.224.11.0/24 nor ping from 10.224.11.0/24 to 192.168.1.0/24.
The topology from the customer is as follows.
Alarm Information
none
Handling Process
1.  Check the configuration of the USG2200 and the Juniper firewall: the IPSec tunnel is correctly configured. The output of the commands display ike sa and display ipsec sa shows that both the IKE phase 1 and phase 2 SAs are established (flag RD, connection id 40003 carrying the 192.168.1.0/24 to 10.224.11.0/24 flow).
<USG2200>display ike sa
13:02:38  2013/08/07
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40003      100.100.xx.254         RD            v1:2  public
40002      100.100.xx.254         RD            v1:1  public

  flag meaning
  RD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADING
  TO--TIMEOUT  TD--DELETING   NEG--NEGOTIATING  D--DPD

<USG2200>display ipsec sa
13:03:11  2013/08/07
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "ipsec2471510365"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40003
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 33m 42s
    tunnel local : 100.100.xx.1    tunnel remote: 100.100.xx.254
    flow      source: 192.168.1.0/255.255.255.0 0/0
    flow destination: 10.224.11.0/255.255.255.0 0/0
   ……

2. Check the ACL on the USG2200 and the proxy-identity on the Juniper firewall. They mirror each other (USG source 192.168.1.0/24 to destination 10.224.11.0/24; Juniper local 10.224.11.0/24, remote 192.168.1.0/24), so the phase 2 traffic selectors match.
For USG2200:
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.224.11.0 0.0.0.255

For Juniper firewall:
vpn VPN-3ISYS {
            bind-interface st0.0;
            ike {
                gateway GW-3ISYS;
                proxy-identity {
                    local 10.224.11.0/24;
                    remote 192.168.1.0/24;
                }
                ipsec-policy IPSEC-3ISYS;
            }
            establish-tunnels immediately;
        }
3. Check the interzone policy configuration on both the USG2200 and the Juniper firewall. Both permit the traffic in both directions. Note that the Juniper policies permit any source, any destination and any application in both directions with a permit-all default policy, which is far more permissive than the test needs; it rules the policy out as a cause here, but it is not a configuration to keep in production.
USG2200:
#
ip address-set trust_ip type object
address 0 range 192.168.1.0 192.168.1.254
#
ip address-set untrust_ip type object
address 0 range 10.224.11.0 10.224.11.254
#
policy interzone trust untrust inbound
policy 25
  action permit
  policy source address-set untrust_ip
#
policy interzone trust untrust outbound
policy 25
  action permit
  policy source address-set trust_ip
#

Juniper firewall :
policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
}
4. On the USG2200, display ipsec statistics shows that packets are being encrypted and sent into the tunnel, but none are received back:
<USG2200>display ipsec statistics
13:05:30  2013/08/07
  the security packet statistics:
    input/output security packets: 0/10
    input/output security bytes: 0/840
    input/output dropped security packets: 0/0
   ……
   The USG2200 is sending protected packets (output 10) and receiving none (input 0), so the local side is encrypting correctly and the problem must be on the far side: the Juniper firewall is either not receiving the traffic or not returning it. We therefore suspected that interface g0/0/6 on the Juniper firewall was down, and on checking it was. The customer had pulled the cable from g0/0/6, the interface went down, and its IP address could no longer be pinged from the USG2200; that is why neither direction worked.
Because the customer only wanted to verify that data packets pass through the IPSec tunnel, we configured a loopback address in 10.224.11.0/24 on the Juniper firewall (inside the tunnel's destination selector) and pinged that instead. The ping succeeded, so the problem was solved.
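The four checks above can be applied to the CLI output mechanically. The following Python script is an added example, not part of the Huawei case or either vendor's software: it parses the flow selectors from the USG2200 display ipsec sa output and the proxy-identity from the Juniper vpn stanza, verifies that they mirror each other, and then classifies the input/output counters from display ipsec statistics the same way the case does (output but no input points at the peer side). The sample output strings are retyped from the case; the function names and the mismatched Juniper stanza used for contrast are assumptions made for the example.

```python
import re
from ipaddress import ip_network

# Constructed samples, retyped from the outputs shown in the case.
USG_IPSEC_SA = """\
    flow      source: 192.168.1.0/255.255.255.0 0/0
    flow destination: 10.224.11.0/255.255.255.0 0/0
"""

JUNIPER_VPN = """\
                proxy-identity {
                    local 10.224.11.0/24;
                    remote 192.168.1.0/24;
                }
"""

# Constructed for contrast: a Juniper proxy-identity that does NOT mirror the USG ACL.
JUNIPER_VPN_MISMATCH = """\
                proxy-identity {
                    local 10.224.12.0/24;
                    remote 192.168.1.0/24;
                }
"""

USG_STATS = """\
  the security packet statistics:
    input/output security packets: 0/10
    input/output security bytes: 0/840
    input/output dropped security packets: 0/0
"""


def parse_usg_flow(text):
    """Return (source, destination) networks from 'display ipsec sa' output.
    The USG prints the selector as address/mask followed by port/protocol."""
    src = re.search(r"flow\s+source:\s+([\d.]+)/([\d.]+)", text)
    dst = re.search(r"flow\s+destination:\s+([\d.]+)/([\d.]+)", text)
    if not src or not dst:
        raise ValueError("flow selectors not found in display ipsec sa output")
    return (ip_network(f"{src.group(1)}/{src.group(2)}", strict=False),
            ip_network(f"{dst.group(1)}/{dst.group(2)}", strict=False))


def parse_juniper_proxy_id(text):
    """Return (local, remote) networks from a Juniper 'proxy-identity' stanza."""
    local = re.search(r"\blocal\s+([\d./]+);", text)
    remote = re.search(r"\bremote\s+([\d./]+);", text)
    if not local or not remote:
        raise ValueError("proxy-identity not found in Juniper configuration")
    return ip_network(local.group(1)), ip_network(remote.group(1))


def selectors_mirror(usg_flow, juniper_proxy_id):
    """Phase 2 selectors must be mirror images of each other:
    USG source == Juniper remote and USG destination == Juniper local."""
    usg_src, usg_dst = usg_flow
    jn_local, jn_remote = juniper_proxy_id
    return usg_src == jn_remote and usg_dst == jn_local


def parse_stats(text):
    """Return (input, output) protected packet counters from 'display ipsec statistics'."""
    m = re.search(r"input/output security packets:\s+(\d+)/(\d+)", text)
    if not m:
        raise ValueError("packet counters not found in display ipsec statistics output")
    return int(m.group(1)), int(m.group(2))


def diagnose(inp, out):
    """Classify the counter pattern the way the case does."""
    if inp == 0 and out == 0:
        return "local"   # nothing enters the tunnel: local ACL/route does not match the traffic
    if out > 0 and inp == 0:
        return "peer"    # we encrypt and send, nothing comes back: check the peer side
    if inp > 0 and out == 0:
        return "local"   # peer traffic arrives, our replies never enter the tunnel
    return "ok"          # traffic flows both ways


if __name__ == "__main__":
    flow = parse_usg_flow(USG_IPSEC_SA)
    print("selectors mirror:", selectors_mirror(flow, parse_juniper_proxy_id(JUNIPER_VPN)))
    inp, out = parse_stats(USG_STATS)
    print(f"input={inp} output={out} -> suspect {diagnose(inp, out)} side")
```

Run on the case's own output the script reports that the selectors mirror and that the counters (input 0, output 10) point at the peer side, which is exactly where the down interface was found; with the mismatched proxy-identity it flags the selectors instead, which is the symptom of check 2 failing rather than check 4.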

Root Cause
The possible causes were checked in this order; the first three were ruled out and the fourth was the actual cause:
1. The IPSec tunnel is not configured correctly.
2. The ACL and the peer's proxy-identity do not match.
3. The interzone policy is not configured correctly.
4. The interface is not up (the actual root cause here: g0/0/6 on the Juniper firewall was down because its cable had been pulled).
Suggestions
When pinging the interface IP of a firewall, make sure that the interface is UP. If display ipsec statistics shows output packets but zero input packets while the IKE and IPsec SAs are up, the local tunnel configuration is working and the fault should be looked for on the peer side (interface state, routing or policy) rather than in the local ACL or interzone policy.
