Ping between the public IP addresses fails after IPSec configuration

Publication Date: 2016-04-15
Issue Description
The customer wants to create an IPSec tunnel between a SonicWall firewall (10.1.10.25) and an AR129 router (10.1.10.99).
Before the IPSec configuration, a ping between the public IP addresses (10.1.10.99 to 10.1.10.25) succeeded.
After the IPSec configuration was finished, the customer found that the same ping (10.1.10.99 to 10.1.10.25) failed.
 
Solution

After checking the configuration of this site, we found that the customer permitted all IP traffic in ACL 3998, which is the ACL referenced by the IPSec policy:

acl name p_Ethernet0/0/0_1 3998 
rule 5 permit ip
#
ipsec proposal p_to_p_vpn1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm sha1
prf hmac-sha2-256
#
ike peer p_to_p_vpn1 v1
pre-shared-key cipher %^%#XeyNW1QmUWl}t\1ttQ4)D]nS%Zs8.$Av:wUPEO67%^%#
ike-proposal 1
local-id-type name
nat traversal
remote-address 10.1.10.25
#
ipsec policy p_to_p_vpn 1 isakmp
security acl 3998
ike-peer p_to_p_vpn1
proposal p_to_p_vpn1
#
interface Vlanif1
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 8.8.8.8
#
interface Ethernet0/0/0
undo portswitch
tcp adjust-mss 1460
ip address 10.1.10.99 255.255.255.0
ipsec policy p_to_p_vpn
nat outbound 2999
#

After the security ACL was limited to the actual LAN-to-LAN traffic of the customer's environment, the issue was solved. The original rule "permit ip" also matched the flow from 10.1.10.99 to 10.1.10.25, so the router treated the ping between the public addresses as traffic to be protected by IPSec instead of forwarding it in the clear, and the ping failed. A security ACL should only describe the traffic that is meant to be encrypted, here 192.168.2.0/24 behind the AR129 to 192.168.1.0/24 behind the SonicWall.

Two related checks belong with this fix. ACL 2999, which is referenced by nat outbound on the same interface (not shown here), must deny 192.168.2.0/24 to 192.168.1.0/24 before its permit rule, because NAT is applied before IPSec on the AR router and a source address translated to 10.1.10.99 would no longer match ACL 3998. The SonicWall side must define the mirror image (192.168.1.0/24 to 192.168.2.0/24) so that the phase 2 proxy IDs agree. Note also that 3des and sha1 in the proposals are legacy algorithms; aes and sha2-256 should be used when the SonicWall supports them.

The corrected ACL:

#
acl number 3998
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
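As an added example (not part of the original case, and not a Huawei tool), the following Python script lints a VRP configuration for exactly this mistake: it resolves each ipsec policy applied to an interface to its security ACL and reports any permit rule that would also match traffic between the two tunnel endpoints themselves. The two embedded configurations are constructed from the case above and reduced to the blocks the check needs; the function and variable names are the example's own.

```python
"""Added example: lint a Huawei VRP config for IPSec security ACLs that are too
broad, i.e. permit rules that also match traffic between the tunnel endpoints."""
import ipaddress
import re

# rule <n> permit|deny <proto> [source A WILDCARD|any] [destination B WILDCARD|any]
RULE_RE = re.compile(
    r"rule\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>any|\S+\s+\S+))?"
    r"(?:\s+destination\s+(?P<dst>any|\S+\s+\S+))?")


def split_blocks(config):
    """Split a VRP running-config into blocks; a lone '#' line separates them."""
    blocks = [[]]
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line == "#":
            blocks.append([])
        else:
            blocks[-1].append(line)
    return [b for b in blocks if b]


def first_value(lines, prefix):
    """First token after 'prefix ' in a block, e.g. first_value(body, 'ip address')."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].split()[0]
    return None


def parse_match(spec):
    """'A WILDCARD' -> (address, wildcard) as ints; None or 'any' -> None (match all)."""
    if spec is None or spec == "any":
        return None
    addr, wild = spec.split()
    if wild == "0":  # VRP shorthand for a single host
        wild = "0.0.0.0"
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def wildcard_matches(m, ip):
    """VRP wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if m is None:
        return True
    addr, wild = m
    return ((addr ^ int(ipaddress.IPv4Address(ip))) & ~wild & 0xFFFFFFFF) == 0


def parse_config(config):
    """Collect ACLs, IKE peers, IPSec policies and interfaces from the config."""
    acls, peers, policies, ifaces = {}, {}, {}, {}
    for block in split_blocks(config):
        head, body = block[0].split(), block[1:]
        if head[0] == "acl":  # 'acl number 3998' or 'acl name NAME 3998'
            rules = [RULE_RE.match(l) for l in body if l.startswith("rule ")]
            acls[int(head[-1])] = [m.groupdict() for m in rules if m]
        elif head[:2] == ["ike", "peer"]:  # 'ike peer NAME v1'
            peers[head[2]] = first_value(body, "remote-address")
        elif head[:2] == ["ipsec", "policy"]:  # 'ipsec policy NAME SEQ isakmp'
            policies.setdefault(head[2], []).append(
                {"acl": int(first_value(body, "security acl") or 0),
                 "peer": first_value(body, "ike-peer")})
        elif head[0] == "interface":
            ifaces[head[1]] = {"ip": first_value(body, "ip address"),
                               "policy": first_value(body, "ipsec policy")}
    return {"acls": acls, "peers": peers, "policies": policies, "interfaces": ifaces}


def lint(config):
    """Return one finding per permit rule that is broader than the tunnel needs."""
    cfg = parse_config(config)
    findings = []
    for ifname, itf in cfg["interfaces"].items():
        if not itf["policy"] or not itf["ip"]:
            continue
        for entry in cfg["policies"].get(itf["policy"], []):
            remote = cfg["peers"].get(entry["peer"])
            for rule in cfg["acls"].get(entry["acl"], []):
                if rule["action"] != "permit":
                    continue
                src, dst = parse_match(rule["src"]), parse_match(rule["dst"])
                if src is None and dst is None:
                    findings.append(f"{ifname}: ACL {entry['acl']} permits any->any, every packet leaving the interface is forced into the tunnel")
                if remote and wildcard_matches(src, itf["ip"]) and wildcard_matches(dst, remote):
                    findings.append(f"{ifname}: ACL {entry['acl']} matches endpoint traffic {itf['ip']} -> {remote}, a plain ping between the peers will fail")
    return findings


# Constructed from the case above (only the blocks the lint needs).
BAD_CONFIG = """\
acl name p_Ethernet0/0/0_1 3998
 rule 5 permit ip
#
ike peer p_to_p_vpn1 v1
 remote-address 10.1.10.25
#
ipsec policy p_to_p_vpn 1 isakmp
 security acl 3998
 ike-peer p_to_p_vpn1
#
interface Ethernet0/0/0
 ip address 10.1.10.99 255.255.255.0
 ipsec policy p_to_p_vpn
#
"""
# The fix from the case: the same ACL restricted to LAN-to-LAN traffic.
GOOD_CONFIG = BAD_CONFIG.replace(
    "rule 5 permit ip",
    "rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255")
```

Running lint(BAD_CONFIG) reports two findings for Ethernet0/0/0 (an any->any rule, and a rule that matches 10.1.10.99 -> 10.1.10.25); lint(GOOD_CONFIG) returns an empty list. The wildcard matching follows the VRP convention used in the corrected ACL, where 0.0.0.255 means "ignore the last octet".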

END