CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
IPSec SA Negotiation Failed

Symptom

IPSec traffic cannot be transmitted normally. The output of the display ike sa command shows that IPSec SA negotiation has failed.

The following is an example of the command output. If the Flag(s) field shows RD or RD|ST, the SA has been established successfully. ST indicates that the local end is the IKE initiator.

    Conn-ID  Peer            VPN   Flag(s)                Phase                 
  ---------------------------------------------------------------               
    13118    10.1.3.2        0     RD                     v1:2  
    12390    10.1.3.2        0     RD                     v1:1

   Number of IKE SA : 2
  ---------------------------------------------------------------
         
  Flag Description:    
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

If IKE SA (phase 1) negotiation succeeds but IPSec SA negotiation fails, the command output contains no phase 2 entry (v1:2), or the Flag(s) field of that entry is empty.

Procedure

  1. Run the display ipsec proposal command to check whether both IKE peers use the same IPSec proposal (security protocol, encapsulation mode, and authentication and encryption algorithms).

    If not, change the IPSec proposal on one end so that both ends match. For example, the following configuration causes IPSec SA negotiation to fail because the ESP authentication algorithms differ (sha2-512 on the initiator, sha2-384 on the responder); change one end so that both use the same algorithm.

    On the IKE initiator:

    ipsec proposal prop1
     esp authentication-algorithm sha2-512 
    

    On the IKE responder:

    ipsec proposal prop2
     esp authentication-algorithm sha2-384 
    

  2. Run the display ipsec policy command to check whether the configuration in the IPSec policy view is correct.

    • Check whether the ACLs referenced in the IPSec policies are the same.

      If the ACLs referenced by the IPSec policies at both ends of the IPSec tunnel mirror each other, an IPSec SA can be established successfully no matter which end initiates the negotiation. If the ACLs do not mirror each other, an IPSec SA can be established only when the IP address range defined in the ACL on the initiator is contained within the IP address range defined in the ACL on the responder, so the tunnel comes up only when that end initiates. Therefore, it is recommended that the ACLs at both ends of the IPSec tunnel mirror each other. That is, the source and destination addresses in the ACL at one end are the destination and source addresses, respectively, in the ACL at the other end.

      For example, if the source and destination addresses on the initiator are 10.1.1.2 and 10.2.1.2, the source and destination addresses on the responder are 10.2.1.2 and 10.1.1.2.

      On the IKE initiator:

      acl number 3101
       rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
      
      ipsec policy map1 10 isakmp
       security acl 3101
      

      On the IKE responder:

      acl number 3101
       rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      
      ipsec policy map2 10 isakmp
       security acl 3101
      
    • Check whether the IKE peer configurations referenced in the IPSec policies are consistent at both ends.

      For example, the IKE initiator references IKE peer spub.

      ipsec policy map1 10 isakmp
       ike-peer spub
      

      The related configuration of the IKE peer is as follows.

      If the IKE peer configurations at two ends of the tunnel are different, change them to be the same.

    • Check whether the IPSec proposal configurations referenced in the IPSec policies are the same at both ends.

      For example, the IKE initiator references IPSec proposal tran1.

      ipsec policy policy1 100 isakmp
       proposal tran1
      

      The related configuration of the IPSec proposal is as follows.

      ipsec proposal tran1
       esp authentication-algorithm sha2-256 
       esp encryption-algorithm aes-128 
      

      If the IPSec proposal configurations at two ends of the tunnel are different, change them to be the same.
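The two checks above (matching IPSec proposals in step 1, mirrored or at least nested ACLs in step 2) can be automated against saved configurations of both ends. The following script is an added example, not part of this document or of Huawei's software: it parses the acl, ipsec proposal and ipsec policy views from constructed VRP-style snippets (the address ranges and names are taken from the procedure, the configurations themselves are made up), converts ACL wildcard masks to prefixes, and reports a proposal mismatch as an error, a non-mirrored but covered ACL as a warning (negotiation then succeeds only when the covered end initiates), and an uncovered flow as an error. It assumes one IPSec policy per snippet and handles only "permit ip source ... destination ..." rules with explicit wildcards.

```python
import ipaddress
import re

# Constructed VRP-style snippets (not from the page) for the two tunnel ends.
INITIATOR_CFG = """
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy map1 10 isakmp
 security acl 3101
 proposal tran1
"""

# Responder that mirrors the initiator: every check passes.
RESPONDER_GOOD_CFG = """
acl number 3101
 rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy map2 10 isakmp
 security acl 3101
 proposal tran1
"""

# Responder with a different ESP authentication algorithm and a wider (non-mirrored) ACL.
RESPONDER_BAD_CFG = """
acl number 3101
 rule 5 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
ipsec proposal tran1
 esp authentication-algorithm sha2-384
 esp encryption-algorithm aes-128
ipsec policy map2 10 isakmp
 security acl 3101
 proposal tran1
"""


def to_net(addr, wildcard):
    """Convert a VRP address/wildcard pair (wildcard 0 bits must match) to an IPv4Network."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_vrp(cfg):
    """Toy parser for the three views this procedure inspects: acl, ipsec proposal, ipsec policy."""
    acls, proposals, policies = {}, {}, {}
    ctx = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"acl number (\d+)$", line):
            ctx, acls[m[1]] = ("acl", m[1]), []
            continue
        if m := re.match(r"ipsec proposal (\S+)$", line):
            ctx, proposals[m[1]] = ("proposal", m[1]), {}
            continue
        if m := re.match(r"ipsec policy (\S+) \d+ isakmp$", line):
            ctx, policies[m[1]] = ("policy", m[1]), {}
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "acl":
            m = re.match(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)$", line)
            if m:  # 'any' and non-IP rules are not handled by this toy parser
                acls[name].append((to_net(m[1], m[2]), to_net(m[3], m[4])))
        else:
            # "esp authentication-algorithm sha2-256" -> key "esp authentication-algorithm", value "sha2-256"
            key, _, value = line.rpartition(" ")
            (proposals if kind == "proposal" else policies)[name][key] = value
    return acls, proposals, policies


def check_tunnel(init_cfg, resp_cfg):
    """Return a list of findings; an empty list means steps 1 and 2 of the procedure pass."""
    findings = []
    i_acls, i_props, i_pols = parse_vrp(init_cfg)
    r_acls, r_props, r_pols = parse_vrp(resp_cfg)
    i_pol, r_pol = next(iter(i_pols.values())), next(iter(r_pols.values()))
    # Step 1: every algorithm/mode line of the referenced proposals must agree.
    i_prop, r_prop = i_props[i_pol["proposal"]], r_props[r_pol["proposal"]]
    for key in sorted(set(i_prop) | set(r_prop)):
        if i_prop.get(key) != r_prop.get(key):
            findings.append(f"proposal mismatch: {key} initiator={i_prop.get(key)} responder={r_prop.get(key)}")
    # Step 2: responder rules reversed must mirror the initiator's flows, or at least contain them.
    mirrored = {(dst, src) for src, dst in r_acls[r_pol["security acl"]]}
    for src, dst in i_acls[i_pol["security acl"]]:
        if (src, dst) in mirrored:
            continue
        if any(src.subnet_of(rs) and dst.subnet_of(rd) for rs, rd in mirrored):
            findings.append(f"warning: initiator flow {src}->{dst} is covered by the responder ACL but not mirrored; "
                            "SA comes up only when the initiator starts negotiation")
            continue
        findings.append(f"acl mismatch: initiator flow {src}->{dst} has no matching reverse rule on the responder")
    return findings


if __name__ == "__main__":
    print("mirrored responder:", check_tunnel(INITIATOR_CFG, RESPONDER_GOOD_CFG))
    print("bad responder:", *check_tunnel(INITIATOR_CFG, RESPONDER_BAD_CFG), sep="\n  ")
```

The flow comparison is done on the initiator's rules after reversing the responder's, which is exactly the mirror relationship the step describes; the warning branch is the "initiator range contained in responder range" case, which works in one direction only and is therefore reported rather than silently accepted.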

Updated: 2019-08-07

Document ID: EDOC1100033725