IPsec tunnel can be established, but the internal networks cannot ping each other

Publication Date:  2012-11-01 Views:  177 Downloads:  0
Issue Description
User—router—USG5300—server
Symptom: on the USG5300, "dis ike sa" shows the tunnel is established, but the internal network addresses on the two sides cannot reach each other.
Alarm Information
None.
Handling Process
1. Because the tunnel can be built, the IPsec configuration itself is not the problem.
2. There is no port fast convert command on the USG5300 interface.
3. In the NAT outbound ACL, deny the traffic that IPsec is interested in (the VPN private-network traffic); this resolves the problem.
Root Cause
1. Configuration problem.
2. Port fast convert was not turned off.
3. The NAT outbound ACL did not deny the traffic that IPsec is interested in.
Suggestions
Conclusion: when packets pass through the firewall, they are matched against NAT outbound first and only then against the VPN tunnel. So when configuring IPsec VPN, the VPN private-network traffic must be denied in the NAT outbound ACL; otherwise its source address is translated before the IPsec interesting-traffic ACL is checked, and the packet no longer matches the tunnel.
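The following is an added illustration, not configuration or code from the case page or from Huawei: a small Python model of the processing order described in the conclusion (NAT outbound first, then the IPsec interesting-traffic check), run once with a NAT ACL that matches all outbound traffic and once with the corrective deny rule in front of it. The address ranges, the public IP and the ACL contents are constructed sample values; the rule tuples only imitate the first-match behaviour of a numbered ACL, not any device syntax.

```python
"""Model of NAT outbound running before the IPsec interesting-traffic check.

Added example, not from the case page. All addresses are constructed sample
values (RFC 1918 and documentation ranges), not taken from the case.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: LAN_A sits behind the USG5300, LAN_B behind the peer.
LAN_A = ip_network("192.168.1.0/24")
LAN_B = ip_network("192.168.2.0/24")
ANY = ip_network("0.0.0.0/0")
PUBLIC_IP = ip_address("203.0.113.1")  # assumed outbound interface address

# ACL rules as (action, source network, destination network), first match wins,
# implicit deny at the end, the way a numbered ACL is evaluated.
IPSEC_INTERESTING = [("permit", LAN_A, LAN_B)]

# Weak NAT outbound ACL: everything leaving LAN_A is source-NATed,
# including the VPN private-network traffic.
NAT_OUTBOUND_WEAK = [("permit", LAN_A, ANY)]

# Corrected NAT outbound ACL: the VPN traffic is denied (excluded from NAT)
# ahead of the general permit, as the case conclusion recommends.
NAT_OUTBOUND_FIXED = [("deny", LAN_A, LAN_B), ("permit", LAN_A, ANY)]


def match(rules, src, dst):
    """Return the action of the first rule matching src/dst, or 'deny'."""
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def forward(src, dst, nat_acl, ipsec_acl):
    """Walk a packet through the firewall in the order the case describes.

    Returns ("ipsec", source) if the packet ends up in the tunnel, or
    ("plain", source) if it leaves untunnelled; source is the address the
    packet carries after the NAT stage.
    """
    src = ip_address(src)
    dst = ip_address(dst)
    # Stage 1: NAT outbound. A permit here rewrites the source address.
    if match(nat_acl, src, dst) == "permit":
        src = PUBLIC_IP
    # Stage 2: IPsec interesting-traffic ACL sees the post-NAT packet.
    if match(ipsec_acl, src, dst) == "permit":
        return ("ipsec", str(src))
    return ("plain", str(src))


if __name__ == "__main__":
    host_a, host_b, internet = "192.168.1.10", "192.168.2.20", "198.51.100.5"
    print("weak  NAT, A->B:", forward(host_a, host_b, NAT_OUTBOUND_WEAK, IPSEC_INTERESTING))
    print("fixed NAT, A->B:", forward(host_a, host_b, NAT_OUTBOUND_FIXED, IPSEC_INTERESTING))
    print("fixed NAT, A->Internet:", forward(host_a, internet, NAT_OUTBOUND_FIXED, IPSEC_INTERESTING))
```

With the weak ACL the site-to-site packet is translated to the public address and then fails the interesting-traffic check, which is exactly why the tunnel shows as up while the private networks cannot reach each other; with the deny rule in place the packet keeps its private source and enters the tunnel, while ordinary Internet-bound traffic is still translated.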

END