The IPsec tunnel between USG2110 and USG2130 can’t connect because of the sub address on the interface

Publication Date: 2012-09-19
Issue Description
The IPsec tunnel connected originally, but suddenly can’t connect.
Checking both ends shows no problem with the IPsec parameters.
Alarm Information
none
Handling Process
The interface on each end turns out to be configured with a sub address:
interface Ethernet0/0/0
ip address 222.32.75.28 255.255.255.0
ip address 222.32.75.29 255.255.255.0 sub
undo ip fast-forwarding qff
undo ip fast-forwarding output
ipsec policy vpnlink auto-neg

interface Ethernet0/0/0
ip address 222.32.72.122 255.255.255.0
ip address 222.32.72.123 255.255.255.0 sub
undo ip fast-forwarding qff
undo ip fast-forwarding output
ipsec policy vpnlink

So when the IPsec tunnel is set up, the device may connect using the sub address. But the remote-address on the other end does not point to the sub address, so the tunnel can’t connect. The fix is to configure the local end address. The configuration is as follows:
ike peer bfbg_dl     (USG2130 end)
exchange-mode aggressive
pre-shared-key vpn2011
ike-proposal 4
remote-address 222.32.72.122
local-address 222.32.75.28     (for the old edition, add the local end address here. If it can’t be added here, add it in the ipsec policy.)
nat traversal

ike peer bfbg_dl     (USG2110 end)
exchange-mode aggressive
pre-shared-key vpn2011
ike-proposal 4
remote-address 222.32.75.28
local-address 222.32.72.122
nat traversal
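
An added example, not part of the original case and not Huawei tooling: a Python check over both ends' configuration (transcribed from the listings above and trimmed to the relevant lines) that reports an end with a sub address but no pinned local-address, and a remote-address that does not match the other end's source address. The function names and the dictionary layout are assumptions.

```python
import re

# Lines transcribed from the case above (pre-shared key and unrelated lines omitted).
# The dict layout and the parse()/audit() helpers are assumptions for this example.
CONFIGS = {
    "USG2130": """
interface Ethernet0/0/0
 ip address 222.32.75.28 255.255.255.0
 ip address 222.32.75.29 255.255.255.0 sub
 ipsec policy vpnlink auto-neg
ike peer bfbg_dl
 remote-address 222.32.72.122
 local-address 222.32.75.28
""",
    "USG2110": """
interface Ethernet0/0/0
 ip address 222.32.72.122 255.255.255.0
 ip address 222.32.72.123 255.255.255.0 sub
 ipsec policy vpnlink
ike peer bfbg_dl
 remote-address 222.32.75.28
 local-address 222.32.72.122
""",
}

def parse(cfg):
    """Return primary/sub interface addresses and the IKE peer's local/remote address."""
    addrs = re.findall(r"^\s*ip address (\S+) \S+( sub)?\s*$", cfg, re.M)
    peer = dict(re.findall(r"^\s*(local|remote)-address (\S+)", cfg, re.M))
    return {"primary": [a for a, s in addrs if not s], "sub": [a for a, s in addrs if s],
            "local": peer.get("local"), "remote": peer.get("remote")}

def audit(configs):
    """Cross-check the two ends of one tunnel; returns a list of findings."""
    (a, pa), (b, pb) = {name: parse(cfg) for name, cfg in configs.items()}.items()
    findings = []
    for name, me, other_name, other in ((a, pa, b, pb), (b, pb, a, pa)):
        # A sub address with no pinned local-address is the condition from this case.
        if me["sub"] and me["local"] is None:
            findings.append(f"{name}: sub address {me['sub']} but no local-address pinned")
        # Source the peer should point at: the pinned address, else the primary address.
        expected = me["local"] or (me["primary"][0] if me["primary"] else None)
        if other["remote"] != expected:
            findings.append(f"{other_name}: remote-address {other['remote']} "
                            f"does not match {name} source {expected}")
    return findings

print(audit(CONFIGS) or "both ends consistent")
```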
Root Cause
none
Suggestions
none
