
IPsec SAs were not established because of incomplete configuration

Publication Date:  2012-07-27  |   Views:  7  |   Downloads:  0  |   Author:  y45575  |   Document ID:  EKB0000173704

Issue Description

I used two AR routers, named Router A and Router B, to establish an IPsec VPN.

After I finished the configuration below, I could ping successfully between Router A and Router B, but when I used the commands 'display ike sa' and 'display ipsec sa' to check, I found that the IPsec SAs were not established.

The configuration of Router A was as follows (the commands that enter each view and the 'quit' commands, which the original transcript omitted, are included so the prompts are consistent):
[Quidway]acl number 3000
[Quidway-acl-adv-3000]rule permit ip source 10.111.0.0 0.0.255.255 des 10.112.0.0 0.0.255.255
[Quidway-acl-adv-3000]rule deny ip source any des any
[Quidway-acl-adv-3000]quit

[Quidway]ipsec proposal 123
[Quidway-ipsec-proposal-123]encapsulation-mode tunnel
[Quidway-ipsec-proposal-123]transform esp
[Quidway-ipsec-proposal-123]esp encryption-algorithm des
[Quidway-ipsec-proposal-123]esp authentication-algorithm sha1
[Quidway-ipsec-proposal-123]quit

[Quidway]ike peer test
[Quidway-ike-peer-test]exchange-mode aggressive
[Quidway-ike-peer-test]pre-shared-key huawei
[Quidway-ike-peer-test]id-type ip
[Quidway-ike-peer-test]remote-address 202.38.0.2
[Quidway-ike-peer-test]quit

[Quidway]ipsec policy pol1 1 isakmp
[Quidway-ipsec-policy-isakmp-pol1-1]security acl 3000
[Quidway-ipsec-policy-isakmp-pol1-1]ike-peer test
[Quidway-ipsec-policy-isakmp-pol1-1]proposal 123
[Quidway-ipsec-policy-isakmp-pol1-1]quit

[Quidway]interface Ethernet0/0/0
[Quidway-Ethernet0/0/0]ip address 202.38.0.1 255.255.255.0
[Quidway-Ethernet0/0/0]quit
[Quidway]interface Ethernet0/0/1
[Quidway-Ethernet0/0/1]ip address 10.111.0.2 255.255.255.0
[Quidway-Ethernet0/0/1]quit
[Quidway]ip route-static 10.112.0.0 255.255.0.0 202.38.0.2
[Quidway]interface Ethernet0/0/0
[Quidway-Ethernet0/0/0]ipsec policy pol1

The configuration of Router B was similar to Router A.

Alarm Information

Null

Handling Process

After PFS was configured under IPsec policy pol1, the IPsec SAs were established successfully:

[Quidway]ipsec policy pol1 1 isakmp
[Quidway-ipsec-policy-isakmp-pol1-1]security acl 3000
[Quidway-ipsec-policy-isakmp-pol1-1]ike-peer test
[Quidway-ipsec-policy-isakmp-pol1-1]proposal 123
[Quidway-ipsec-policy-isakmp-pol1-1]pfs dh-group 1

<AR28-30>disp ipsec sa
===============================
Interface: Ethernet0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "pol1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    Created by: "Host"
    connection id: 3
    encapsulation mode: tunnel
    perfect forward secrecy: DH group 1
    tunnel:
        local  address: 202.38.0.1
        remote address: 202.38.0.2
    flow:    (38 times matched)
        sour addr: 10.111.0.0/255.255.0.0  port: 0  protocol: IP
        dest addr: 10.112.0.0/255.255.0.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 2907393916 (0xad4b4f7c)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435508/3368
      max received sequence-number: 19
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3385384886 (0xc9c8dfb6)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435204/3368
      max sent sequence-number: 20
      udp encapsulation used for nat traversal: N

Root Cause

Most likely, PFS was not configured under the IPsec policy; once 'pfs dh-group 1' was added to policy pol1, the IPsec SAs were established.
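The following script is an added example, not part of this article or of any Huawei tool: it parses CLI transcripts in the prompt form shown above, flags an ISAKMP policy with no PFS, weak ESP algorithms (DES, MD5) and an aggressive-mode IKE peer, and reports policies whose PFS setting differs between two routers, which is the mismatch this case describes. ROUTER_A and ROUTER_B are constructed sample transcripts, and the cross-router comparison assumes both ends use the same policy name.

```python
import re

# Constructed CLI transcripts in the prompt form the article shows (hypothetical sample
# input, not captured from a device). Router B has PFS and Router A does not.
ROUTER_A = """
[Quidway-ipsec-proposal-123]esp encryption-algorithm des
[Quidway-ike-peer-test]exchange-mode aggressive
[Quidway-ipsec-policy-isakmp-pol1-1] ike-peer test
[Quidway-ipsec-policy-isakmp-pol1-1] proposal 123
"""
ROUTER_B = ROUTER_A + "[Quidway-ipsec-policy-isakmp-pol1-1] pfs dh-group 1\n"
# Prompt "[host-<view kind>-<name>]command": the view names the object being configured.
PROMPT = re.compile(r"^\s*\[[^\]]*?-(ipsec-proposal|ike-peer|ipsec-policy-isakmp)-([^\]]+)\]\s*(.+?)\s*$")
WEAK = {"esp encryption-algorithm": {"des"}, "esp authentication-algorithm": {"md5"}}

def parse_views(transcript):
    """Map (view kind, name) -> {command keyword(s): last argument}."""
    views = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m:  # "[Quidway]..." system-view lines only open a view, so they are skipped
            kind, name, cmd = m.groups()
            words = cmd.split()  # "pfs dh-group 1" -> key "pfs dh-group", value "1"
            views.setdefault((kind, name), {})[" ".join(words[:-1])] = words[-1]
    return views

def audit(views):
    """Per-router findings: missing PFS, weak ESP algorithms, aggressive-mode IKE peer."""
    findings = []
    for (kind, name), cfg in views.items():
        if kind != "ipsec-policy-isakmp": continue
        if "pfs dh-group" not in cfg:
            findings.append(f"policy {name}: no PFS configured")
        prop = views.get(("ipsec-proposal", cfg.get("proposal")), {})
        for key, weak in WEAK.items():
            if prop.get(key) in weak:
                findings.append(f"policy {name}: weak {key} {prop[key]}")
        peer = views.get(("ike-peer", cfg.get("ike-peer")), {})
        if peer.get("exchange-mode") == "aggressive":
            findings.append(f"policy {name}: IKE peer {cfg['ike-peer']} uses aggressive mode")
    return findings

def pfs_mismatches(views_a, views_b):
    """Same-named ISAKMP policies whose PFS setting differs between the two routers."""
    out = []
    for key in views_a.keys() & views_b.keys():
        a, b = views_a[key].get("pfs dh-group"), views_b[key].get("pfs dh-group")
        if key[0] == "ipsec-policy-isakmp" and a != b:
            out.append((key[1], a, b))
    return out
```

Running audit() on each router's transcript and pfs_mismatches() on the pair reproduces this case: Router A reports "no PFS configured" and the pair reports pol1-1 as mismatched.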

Suggestions

Null