Branch side establishes both IPsec phases, but HQ has no tunnel information for the two phases and the tunnel cannot be established

Publication Date: 2012-12-12
Issue Description
The branch is mapped through a NAT device and establishes an IPsec VPN with HQ. When the branch accesses HQ, both IKE phases establish normally on the branch side, but HQ has no tunnel information.

Branch configuration:

#
ike proposal 1
#
ike peer 1
pre-shared-key 123
undo version 2
remote-address 192.168.34.3
nat traversal
#
ipsec proposal 1
#
ipsec policy map1 10 isakmp
security acl 3001
ike-peer 1
proposal 1

Tunnel information:

disp ike sa
14:22:23  2012/05/11
current ike sa number: 2
  ---------------------------------------------------------------------
  connection  peer side address      VPN   sign       phase   explain
  ------------------------------------------------------------
   0x45d         192.168.34.3:1194       0     RD          v2:2    IPSEC
   0x45c         192.168.34.3:1194       0     RD          v2:1    IPSEC

HQ configuration:

#
ike peer longhuajugllbzx
exchange-mode aggressive
pre-shared-key 123
undo version 2
remote-address 192.168.121.144
nat traversal
#
ipsec proposal 1
#
ipsec policy 10 1 isakmp
security acl 3000
ike-peer t1
proposal 1
#
ipsec policy 10 21 isakmp
security acl 3021
ike-peer longhuajugllbzx
proposal 1

HQ tunnel:

disp ike sa
15:50:43  2012/05/11
current ike sa number: 0

Alarm Information
NULL
Handling Process
1. Check the intermediate link: the network is normal.

2. Check the ACLs on both sides: they match.

3. Check the configuration: NAT traversal is already configured. Try adding the following command in the IKE peer configuration:

remote-address authentication-address 10.229.148.252

The address after authentication-address is the outbound (post-NAT) address of the NAT device. Then test whether IPsec establishes.

[jtysw_SRG20_ZFWW]disp ike sa
15:45:39  2012/05/11
current ike sa number: 2
  ---------------------------------------------------------------------
  connection-id     peer                vpn    flag        phase    doi
  ---------------------------------------------------------------------
  0xba525         192.168.121.144:1194    0     RD          v2:2    IPSEC
  0xba524         192.168.121.144:1194    0     RD          v2:1    IPSEC

HQ now has the branch's tunnel information: both sides established successfully.
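The asymmetry this case turns on (the branch shows phase 1 and phase 2 SAs, HQ shows none) is easy to miss when checking many peers by hand. The following script is an added example, not part of this case or of any Huawei tool: it parses pasted "disp ike sa" output from both sides and reports whether each side holds both phases for the expected peer. It assumes the column order shown in the HQ output above (connection-id, peer, vpn, flag, phase, doi) and treats the RD flag as "ready". The sample outputs embedded in the script are constructed to mirror the ones in this case.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples mirroring the three "disp ike sa" outputs in this case.
BRANCH_OUTPUT = """\
disp ike sa
14:22:23  2012/05/11
current ike sa number: 2
  ---------------------------------------------------------------------
  connection-id     peer                vpn    flag        phase    doi
  ---------------------------------------------------------------------
   0x45d         192.168.34.3:1194       0     RD          v2:2    IPSEC
   0x45c         192.168.34.3:1194       0     RD          v2:1    IPSEC
"""

HQ_BEFORE_FIX = """\
disp ike sa
15:50:43  2012/05/11
current ike sa number: 0
"""

HQ_AFTER_FIX = """\
[jtysw_SRG20_ZFWW]disp ike sa
15:45:39  2012/05/11
current ike sa number: 2
  ---------------------------------------------------------------------
  connection-id     peer                vpn    flag        phase    doi
  ---------------------------------------------------------------------
  0xba525         192.168.121.144:1194    0     RD          v2:2    IPSEC
  0xba524         192.168.121.144:1194    0     RD          v2:1    IPSEC
"""


@dataclass
class IkeSa:
    conn_id: str
    peer_ip: str
    peer_port: Optional[int]  # None when the peer column carries no port
    vpn: int
    flags: str                # e.g. "RD" = ready, as seen in the case output
    ike_version: int          # the "v2" part of "v2:1"
    phase: int                # 1 or 2, the ":1" / ":2" part
    doi: str


PHASE_TOKEN = re.compile(r"^v(\d+):([12])$")


def parse_ike_sa(output: str) -> list[IkeSa]:
    """Extract SA rows from 'disp ike sa' output; headers, separators and prompts are skipped."""
    sas: list[IkeSa] = []
    for line in output.splitlines():
        parts = line.split()
        # An SA row has exactly six columns and starts with a hex connection id.
        if len(parts) != 6 or not parts[0].lower().startswith("0x"):
            continue
        conn, peer, vpn, flags, ver_phase, doi = parts
        m = PHASE_TOKEN.match(ver_phase)
        if not m:
            continue
        ip, _, port = peer.partition(":")
        sas.append(IkeSa(conn, ip, int(port) if port else None, int(vpn),
                         flags, int(m.group(1)), int(m.group(2)), doi))
    return sas


def ready_phases(sas: list[IkeSa], peer_ip: str) -> list[int]:
    """Sorted list of phases that are in the ready (RD) state for the given peer address."""
    return sorted({sa.phase for sa in sas if sa.peer_ip == peer_ip and sa.flags == "RD"})


def nat_translated(sas: list[IkeSa]) -> bool:
    """True if any SA shows a peer port other than UDP 500, i.e. the IKE traffic was
    translated by a NAT device or floated to the NAT-T port."""
    return any(sa.peer_port is not None and sa.peer_port != 500 for sa in sas)


def diagnose(branch_output: str, hq_ip: str, hq_output: str, branch_ip_seen_by_hq: str) -> str:
    """Compare what the branch and HQ each see and return a one-line verdict."""
    branch_sas = parse_ike_sa(branch_output)
    hq_sas = parse_ike_sa(hq_output)
    b = ready_phases(branch_sas, hq_ip)
    h = ready_phases(hq_sas, branch_ip_seen_by_hq)
    if b == [1, 2] and h == [1, 2]:
        return "ok: both sides hold ready phase 1 and phase 2 SAs"
    if b == [1, 2] and not h:
        hint = " (branch traffic is NAT-translated; check remote-address authentication-address on the HQ ike peer)" \
            if nat_translated(branch_sas) else ""
        return "asymmetric: branch holds both phases, HQ holds none" + hint
    return f"incomplete: branch phases={b}, hq phases={h}"


if __name__ == "__main__":
    print(diagnose(BRANCH_OUTPUT, "192.168.34.3", HQ_BEFORE_FIX, "192.168.121.144"))
    print(diagnose(BRANCH_OUTPUT, "192.168.34.3", HQ_AFTER_FIX, "192.168.121.144"))
```

Run against the "before" output the script reports the asymmetric state described in this case; against the "after" output it reports both sides ready. The peer address HQ sees for the branch is a parameter because, in a NAT scenario, the address in HQ's table may differ from the branch's own interface address.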

Root Cause
1. Configuration problem

2. Intermediate link problem

3. Other

Suggestions
In a NAT traversal scenario, it is recommended to configure remote-address authentication-address on the IKE peer.

END