CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Services Are Interrupted After an IPSec Tunnel Is Established

Fault Symptom

If IPSec SA information is displayed in the display ike sa command output, the IPSec tunnel has been established successfully. However, one of the following problems occurs:
  • Users in the branches and the headquarters cannot communicate with each other.
  • Communication between users of the branches and the headquarters works in only one direction. For example, users of the headquarters can access servers in a branch, but users of the branches cannot access servers in the headquarters.
  • Users of the branches and the headquarters can access only some network segments.
  • On a point-to-multipoint network, users of the branches can communicate with the headquarters normally, but users of different branches cannot communicate with each other.

Procedure

  1. Check whether security ACLs on both ends are correctly configured.

    Run the display ipsec sa command to check whether the source and destination network segments of the protected data flows matching security ACLs include actual service flows. If not, run the display acl acl-number command to check whether ACLs are correctly configured on both ends.

    For details about configuring IPSec-protected data flows, see Defining Data Flows to Be Protected.

    For example, run the display ipsec sa command to check the security ACL 3101.

    <Huawei> system-view
    [Huawei] display ipsec sa
    ipsec sa information: 
    ===============================
    Interface: GigabitEthernet1/0/0
    ===============================
     -----------------------------
      IPSec policy name: "policy1"
      Sequence number  : 1
      Acl group        : 3101
      Acl rule         : 5
      Mode             : ISAKMP
      -----------------------------
        Connection ID     : 67108879
        Encapsulation mode: Tunnel
        Holding time      : 0d 0h 4m 29s
        Tunnel local      : 1.1.1.1:500
        Tunnel remote     : 2.1.1.1:500
        Flow source       : 10.1.1.0/255.255.255.0 17/1701
        Flow destination  : 10.2.1.0/255.255.255.0 17/39725
    ......

    If the protected data flows matching the security ACL do not include actual service flows, run the display acl 3101 command to check the ACL configuration.

    [Huawei] display acl 3101
    Advanced ACL 3101, 1 rule 
    Acl's step is 5  
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255

    If the security ACLs on both ends do not match, modify the security ACL configurations to make them match.

  2. Check whether the NAT policy configuration affects the IPSec-protected data flows.

    Run the display ipsec interface brief command to check the interface to which an IPSec policy is applied, and then run the display current-configuration interface interface-type interface-number command to check whether a NAT policy is configured on the specified IPSec interface.

    If NAT is configured on the interface to which an IPSec policy is applied, IPSec does not take effect, because the device performs NAT before it matches traffic against the IPSec security ACL. In this case, use one of the following approaches:
    • Make the ACL rule referenced by NAT deny traffic to the destination IP address in the ACL rule referenced by IPSec. This prevents the device from performing NAT on the IPSec-protected data flows.
    • Make the ACL rule referenced by IPSec match the post-NAT IP address.

    For example, the following command output indicates that a NAT policy is configured on GE1/0/0.

    [Huawei] display current-configuration interface gigabitethernet 1/0/0
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0 
     nat outbound 3000   //A NAT policy is configured for the interface.
     ipsec policy policy1 

    The ACL rule configuration referenced by IPSec is as follows:

    acl number 3101
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

    The ACL rule configuration referenced by NAT is as follows:

    acl number 3000
     rule 5 permit ip

    You can modify the configuration using either of the following methods:
    • If NAT must be performed on data flows to the peer before IPSec encryption, change the source IP address in ACL 3101 to the post-NAT IP address.

      acl number 3101
       rule permit ip source 1.1.1.0 0.0.0.255 destination 2.1.1.0 0.0.0.255
    • If NAT must not be performed on data flows to the peer before IPSec encryption, add a deny rule to the NAT ACL so that these flows are not translated.

      acl number 3000
       rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
       rule 5 permit ip

  3. Check whether NAT traversal is enabled on both ends if a NAT device exists between both ends.

    Run the display ike peer command to check whether NAT traversal is enabled on both ends. If not, run the nat traversal command in the IKE peer view.

    [Huawei] display ike peer
    Number of IKE peers: 1
    ------------------------------------------   
       Peer name                       : pa
       IKE version                     : v1v2
       VPN instance                    : - 
       Remote IP                       : 2.1.1.1
       Authentic IP address            : - 
       Proposal                        : tran1 
       Pre-shared-key                  : %^%#G7(t:%yFw/PVF>Jsva;"zx]oL!sw-8z\C;I}%%RY%^%#
       Local ID type                   : IP                                            
       Local ID                        : - 
       Remote ID type                  : - 
       Remote ID                       : - 
       certificate peer-name           : - 
       PKI realm                       : - 
    ......
       NAT-traversal                   : Disable
    .......
    [Huawei] ike peer pa
    [Huawei-ike-peer-pa] nat traversal

  4. Check whether the security protocol is AH when a NAT device exists between both ends and NAT traversal is enabled.

    Run the display ipsec proposal brief command to check the security protocol. The security protocol must be ESP during NAT traversal, because AH authenticates the IP header, which NAT modifies.

    If the security protocol is AH, run the transform command to change the security protocol to ESP.

    [Huawei] display ipsec proposal brief
    Current ipsec proposal number: 1
     ---------------------------------------------------------
     Proposal Name     Encapsulation mode    Transform
     ---------------------------------------------------------
     tran1             Tunnel                 ah-new
    
    [Huawei] ipsec proposal tran1
    [Huawei-ipsec-proposal-tran1] transform esp

  5. Check whether the encryption/decryption modes on both ends are consistent if the authentication algorithm used in an IPSec proposal is SHA2.

    Run the display ipsec proposal command to check whether the authentication algorithm is SHA2-256, SHA2-384, or SHA2-512.

    [Huawei] display ipsec proposal
    Number of proposals: 1
                                                                                    
    IPSec proposal name: 1                                                          
     Encapsulation mode: Tunnel                                                     
     Transform         : esp-new                                                    
     ESP protocol      : Authentication SHA2-HMAC-256    //Authentication algorithm
                         Encryption AES-256    

    When IPSec uses the SHA-2 algorithm, if the devices on both ends of an IPSec tunnel are from different vendors or run different software versions, they may use different encryption/decryption modes. In this situation, IPSec traffic between the devices will be interrupted.

    To solve the problem, run the ipsec authentication sha2 compatible enable command in the system view to enable the SHA-2 algorithm to be compatible with earlier versions.

    [Huawei] ipsec authentication sha2 compatible enable
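    As an added example that is not part of this Huawei document, the ACL checks in steps 1 and 2 can be run offline against saved configuration: the script below parses advanced ACL rules in VRP syntax, verifies that the security ACLs on both ends mirror each other, and reports IPSec-protected flows that an outbound NAT ACL would translate first. The ACL text, constant names and functions are constructed for illustration and are not device output.

```python
import ipaddress
import re

# Constructed sample ACLs modelled on steps 1 and 2 above (not real device output).
IPSEC_ACL_HQ = "acl number 3101\n rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255\n"
IPSEC_ACL_BRANCH = "acl number 3101\n rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255\n"
NAT_ACL_BAD = "acl number 3000\n rule 5 permit ip\n"
NAT_ACL_FIXED = "acl number 3000\n rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255\n rule 5 permit ip\n"

# Advanced ACL rule syntax handled here: rule <id> permit|deny ip [source A W] [destination B W]
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip"
                     r"(?:\s+source\s+(\S+)\s+(\S+))?(?:\s+destination\s+(\S+)\s+(\S+))?")

def _net(addr, wildcard):
    """VRP 'address wildcard' pair -> network (assumes a contiguous wildcard); absent pair = any."""
    if not addr:
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(mask))), strict=False)

def parse_acl(text):
    """Rules as (id, action, src_net, dst_net), sorted by id, the order VRP evaluates them in."""
    return sorted((int(i), act, _net(sa, sw), _net(da, dw))
                  for i, act, sa, sw, da, dw in RULE_RE.findall(text))

def acls_mirror(local_text, remote_text):
    """Step 1: every flow permitted on one end must appear reversed (dst->src) on the other."""
    local = {(s, d) for _, a, s, d in parse_acl(local_text) if a == "permit"}
    remote = {(d, s) for _, a, s, d in parse_acl(remote_text) if a == "permit"}
    return local == remote

def nat_hits_protected_flows(ipsec_text, nat_text):
    """Step 2: IPSec-protected (src, dst) pairs that the NAT ACL would translate first.
    The first matching NAT rule wins; a deny exempts a flow only if it covers it entirely."""
    leaked, nat_rules = [], parse_acl(nat_text)
    for _, _, src, dst in [r for r in parse_acl(ipsec_text) if r[1] == "permit"]:
        for _, nat_action, ns, nd in nat_rules:
            if nat_action == "deny" and src.subnet_of(ns) and dst.subnet_of(nd):
                break  # exempt from NAT, so the IPSec ACL still sees the original addresses
            if nat_action == "permit" and src.overlaps(ns) and dst.overlaps(nd):
                leaked.append((str(src), str(dst)))
                break  # translated before encryption, so the IPSec ACL never matches it
    return leaked

if __name__ == "__main__":
    print("ACLs mirror each other:", acls_mirror(IPSEC_ACL_HQ, IPSEC_ACL_BRANCH))
    print("Flows NAT translates before IPSec, with ACL 3000 as shown / after adding the deny rule:",
          [nat_hits_protected_flows(IPSEC_ACL_HQ, n) for n in (NAT_ACL_BAD, NAT_ACL_FIXED)])
```

    A non-empty result from nat_hits_protected_flows means the NAT ACL needs a deny rule for those flows (or the IPSec ACL must be rewritten for the post-NAT addresses), exactly the two choices given in step 2.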
    

Updated: 2019-04-12

Document ID: EDOC1100041799
