After IPSec Is Configured on the AR, Traffic Forwarding Fails

Publication Date: 2015-04-01
Issue Description
Networking: (topology diagram not reproduced on the page; RouterA is the AR whose configuration is shown below)
Main configuration on RouterA:

#
acl number 3000
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 20 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 30 permit ip source 192.168.202.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 40 permit ip source 192.168.201.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 50 deny ip
#
ipsec proposal 2
#
ike proposal 2
#
ike peer aaa v1
pre-shared-key huawei
#
ipsec policy-template hrui 10
security acl 3000
ike-peer aaa
proposal 2
#
ipsec policy huir 10 isakmp template hrui
#


Fault Symptom:
1.  After the IPSec tunnel is set up, users cannot access the public network, even though that traffic is not meant to be encrypted by IPSec. Once the IPSec policy is unbound from the interface, users can access the public network again.

2.  The security ACL contains four permit rules, but only traffic matching one of them is transmitted through the tunnel.
Handling Process
Upgrade the ARs at both ends to V200R002 or later.
Root Cause
1.  The ACL bound to the IPSec policy (acl 3000) ends with a deny rule (rule 50 deny ip). RouterA runs V200R001C01SPC500, which does not support deny rules in a security ACL: packets that hit the deny rule are discarded instead of being forwarded outside the tunnel, so all traffic that is not meant to be protected, including traffic to the public network, is dropped. Deleting the deny rule rectifies the fault.
V200R002 handles the deny rule as intended: packets matching it are not encapsulated by IPSec and are not discarded, so they are forwarded in cleartext.

2.  The two ends run different versions: one end runs V200R001 and the other runs V200R002. V200R001 negotiates one SA per ACL, whereas V200R002 negotiates one SA per ACL rule. With acl 3000, the V200R001 AR therefore negotiates a single SA while the V200R002 AR negotiates four (one per permit rule). The SAs on the two sides do not line up, and only traffic matching one ACL rule can be transmitted. Upgrading the V200R001 AR to V200R002 rectifies the fault.
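Both root causes can be reproduced in a small model. The Python script below is an added example and is not Huawei code or part of the original article: it parses the page's acl 3000, classifies constructed sample flows the way each release does (a deny hit is dropped on V200R001C01SPC500 and bypassed on V200R002), counts the SA pairs each release derives from the ACL (one per ACL versus one per permit rule), and includes a pre-deployment lint that flags deny rules in a security ACL. The sample flows, the public address 203.0.113.10, the function names and the min()-based mismatch count are assumptions made for illustration; a real IKEv1 quick-mode exchange is not modelled.

```python
"""Model of how an AR's IPSec security ACL classifies traffic and how many SA
pairs V200R001 and V200R002 derive from it. Constructed example, not Huawei
code; behaviour is reduced to the two facts the article states."""
import ipaddress
from dataclasses import dataclass

# Copy of acl 3000 from the article, including the rule 50 deny that
# V200R001C01SPC500 cannot handle.
ACL_3000 = """
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 20 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 30 permit ip source 192.168.202.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 40 permit ip source 192.168.201.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 50 deny ip
"""

ANY = ("0.0.0.0", "255.255.255.255")  # VRP "any": every wildcard bit set


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "permit" or "deny"
    src: tuple    # (address, wildcard) as dotted strings
    dst: tuple

    @staticmethod
    def _covers(spec: tuple, addr: str) -> bool:
        # VRP wildcard mask: a 1 bit is "don't care", a 0 bit must match.
        base, wildcard = (ip_int(x) for x in spec)
        return (ip_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF == 0

    def matches(self, src: str, dst: str) -> bool:
        return self._covers(self.src, src) and self._covers(self.dst, dst)


def parse_acl(text: str) -> list:
    """Parse 'rule N permit|deny ip [source A W] [destination A W]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, dst = ANY, ANY
        i = 4
        while i + 2 < len(tok):
            key, spec = tok[i], (tok[i + 1], tok[i + 2])
            if key == "source":
                src = spec
            elif key == "destination":
                dst = spec
            i += 3
        rules.append(Rule(int(tok[1]), tok[2], src, dst))
    return sorted(rules, key=lambda r: r.number)


def first_match(rules, src, dst):
    """Rules are evaluated in ascending rule-number order; the first hit wins."""
    return next((r for r in rules if r.matches(src, dst)), None)


def disposition(rules, src, dst, version):
    """What the IPSec-bound interface does with an outbound packet:
    'encrypt' = permit hit, sent through the tunnel;
    'bypass'  = not interesting traffic, forwarded in cleartext;
    'drop'    = V200R001 behaviour for a deny hit (the article's symptom 1)."""
    rule = first_match(rules, src, dst)
    if rule is not None and rule.action == "permit":
        return "encrypt"
    if rule is not None and rule.action == "deny" and version.startswith("V200R001"):
        return "drop"
    return "bypass"


def sa_pairs_proposed(rules, version):
    """SA pairs a release derives from the ACL: V200R001 one per ACL,
    V200R002 one per permit rule. One frozenset of rule numbers per SA pair."""
    permits = [r.number for r in rules if r.action == "permit"]
    if version.startswith("V200R001"):
        return [frozenset(permits)]
    return [frozenset([n]) for n in permits]


def usable_sa_pairs(local_version, peer_version, rules):
    """Assumption for illustration: the side with fewer SA pairs bounds how many
    can carry traffic (1 vs 4 -> 1, matching the article's symptom 2)."""
    return min(len(sa_pairs_proposed(rules, local_version)),
               len(sa_pairs_proposed(rules, peer_version)))


def lint_security_acl(rules, version):
    """Pre-deployment check: deny rules in a security ACL are dropped, not
    bypassed, on V200R001 releases."""
    return [f"rule {r.number}: deny is dropped, not bypassed, on {version}"
            for r in rules if r.action == "deny" and version.startswith("V200R001")]


if __name__ == "__main__":
    rules = parse_acl(ACL_3000)
    # Constructed flows: LAN host to the remote site, and LAN host to a public address.
    for src, dst in (("192.168.10.5", "192.168.0.7"), ("192.168.10.5", "203.0.113.10")):
        for v in ("V200R001C01SPC500", "V200R002"):
            print(f"{src} -> {dst} on {v}: {disposition(rules, src, dst, v)}")
    print("SA pairs V200R001 vs V200R002:", len(sa_pairs_proposed(rules, "V200R001C01SPC500")),
          len(sa_pairs_proposed(rules, "V200R002")))
    print("usable across the mismatch:", usable_sa_pairs("V200R001C01SPC500", "V200R002", rules))
    print(lint_security_acl(rules, "V200R001C01SPC500"))
```

Running the lint before binding the policy on a V200R001 device would have caught rule 50; removing it (the article's fix for cause 1) turns the public-network flow from "drop" into "bypass" on that release, while the SA-count mismatch (cause 2) only goes away when both peers run the same release.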
Suggestions
There are feature differences between versions. It is recommended that connected devices use the same version.

END