Interface command “ipsec policy” cannot be executed during IPSec VPN configuration.

Publication Date:  2013-09-30 Views:  315 Downloads:  0
Issue Description
Network topology:
PC1 -------- USG-a -------- Internet ---------- USG-b ------- PC2
An IPSec VPN is configured between two USG firewalls using IKE aggressive mode.
USG-a is the center end and USG-b is the remote end.
When configuring the center end, the remote client's IP address was expected to be known and configured, but the interface command “ipsec policy” could not be executed while the IPSec VPN was being configured.
Alarm Information
None
Handling Process
1. In the system view, enter “ipsec policy-template 1” to create an IPSec policy template.
2. Enter “ipsec policy 10 isakmp template” so that the IPSec policy references the template.
3. In the interface view, enter “ipsec policy” to apply the configured security policy to the interface.
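The three steps above as one center-end configuration, added here as an illustration and not taken from the original article: the IKE peer carries no remote address, so the IPSec policy is built from a policy template and then applied on the interface. The peer, proposal, template, policy and interface names and the key are constructed placeholders, and exact command forms vary between USG software versions.

```text
# Center end (USG-a): the remote end's IP address is unknown, so a
# policy template is used instead of a policy with a fixed peer.
# All names and the key below are constructed for this example.
system-view
 ike proposal 10
  authentication-method pre-share
 ike peer remote-peer
  exchange-mode aggressive
  ike-proposal 10
  pre-shared-key <constructed-key>
  # No "remote-address" here: the peer's IP is not known at the center end.
 ipsec proposal prop1
 # Step 1: create the policy template and bind the IKE peer and proposal to it.
 ipsec policy-template tpl1 1
  ike-peer remote-peer
  proposal prop1
 # Step 2: the IPSec policy references the template rather than a fixed peer.
 ipsec policy vpn-policy 10 isakmp template tpl1
 # Step 3: apply the policy on the interface facing the Internet.
 interface GigabitEthernet0/0/1
  ipsec policy vpn-policy
```

Aggressive mode is needed here only because the remote end's address is not fixed; where both peer addresses are static, main mode with a fixed remote address avoids sending the identity exchange before the negotiation is encrypted.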
Root Cause
When configuring an IPSec VPN, the IP address of the peer normally has to be configured on the client side. In an aggressive-mode IPSec VPN, however, the center end is not required to know the IP address of the peer. When the VRP checks the IKE peer configuration, it finds that the VPN policy is incomplete, so the policy template configuration must be used at this point. If the peer IP is configured in aggressive mode, no policy template is needed and the IPSec policy can be referenced on the interface directly.
Suggestions
When a USG firewall is configured for IPSec VPN in aggressive mode, one end (generally the center end) does not need to configure the IP address of the peer. If no remote IP address is configured for the peer in the IKE peer configuration, the VPN policy is incomplete at this point: a policy template is needed, and the IPSec policy that references the template can then be applied to the interface. If the peer IP is configured in aggressive mode, no policy template is needed and the IPSec policy can be referenced on the interface directly.