No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade
MENU
Knowledge Base

IPsec SAs were not established because of incomplete configuration

Publication Date:  2012-07-27  |   Views:  7  |   Downloads:  0  |   Author:  y45575  |   Document ID:  EKB0000173704

Contents
Issue Description Alarm Information Handling Process Root Cause Suggestions

Issue Description

I used two AR routers to establish IPsec VPN, the two routers were named Router A and Router B. 

After I finished the configuration as below, I could ping successfully between Router A and Router B, but when I used the command of 'display ike sa' and 'display IPsec sa'  to check, i found  that the IPsec SAs were not established.
                     
The configuration of Router A as below:
[Quidway]acl number 3000
[Quidway-acl-adv-3000]rule permit ip source 10.111.0.0 0.0.255.255 des 10.112.0.0 0.0.255.255
[Quidway-acl-adv-3000]rule deny ip source any des any 


[Quidway]ipsec proposal 123
 [Quidway-ipsec-proposal-123]encapsulation-mode tunnel
 [Quidway-ipsec-proposal-123]transform esp
 [Quidway-ipsec-proposal-123]esp encryption-algorithm des 
 [Quidway-ipsec-proposal-123]esp authentication-algorithm sha1
 [Quidway-ipsec-proposal-123] quit


 [Quidway]ike peer test
   [Quidway-ike-peer-test]exchange-mode aggressive
   [Quidway-ike-peer-test]pre-shared-key huawei
   [Quidway-ike-peer-test]id-type ip
   [Quidway-ike-peer-test]remote-address 202.38.0.2


 [Quidway] ipsec policy pol1 1 isakmp
   [Quidway-ipsec-policy-isakmp-pol1-1] security acl 3000
   [Quidway-ipsec-policy-isakmp-pol1-1] ike-peer test
   [Quidway-ipsec-policy-isakmp-pol1-1] proposal 123


 [Quidway-Ethernet0/0/0]ip address 202.38.0.1 255.255.255.0 
   [Quidway-Ethernet0/0/0]quit
 [Quidway-Ethernet0/0/1]ip address 10.111.0.2 255.255.255.0 
   [Quidway-Ethernet0/0/1]quit
 [Quidway]ip route-static 10.112.0.0 255.255.0.0 202.38.0.2
   [Quidway-Ethernet0/0/0]ipsec policy pol1

The configuration of Router B was similar to Router A.

Alarm Information

Null

Handling Process

After setted of PFS under ipsec policy group pol1, IPSec SAs were established successfully.

 [Quidway] ipsec policy pol1 1 isakmp
  [Quidway-ipsec-policy-isakmp-pol1-1] security acl 3000
  [Quidway-ipsec-policy-isakmp-pol1-1] ike-peer test
  [Quidway-ipsec-policy-isakmp-pol1-1] proposal 123
  [Quidway-ipsec-policy-isakmp-pol1-1] pfs dh-group 1

<AR28-30>disp ipsec sa
===============================
Interface: Ethernet0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "pol1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    Created by: "Host"
    connection id: 3
    encapsulation mode: tunnel
    perfect forward secrecy: DH group 1
    tunnel:
        local  address: 202.38.0.1
        remote address: 202.38.0.2
    flow:    (38 times matched)
        sour addr: 10.111.0.0/255.255.0.0  port: 0  protocol: IP
        dest addr: 10.112.0.0/255.255.0.0  port: 0  protocol: IP

    [inbound ESP SAs] 
     spi: 2907393916 (0xad4b4f7c)
     proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
     sa remaining key duration (bytes/sec): 1887435508/3368
    max received sequence-number: 19
    udp encapsulation used for nat traversal: N
 
   [outbound ESP SAs] 
    spi: 3385384886 (0xc9c8dfb6)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    sa remaining key duration (bytes/sec): 1887435204/3368
    max sent sequence-number: 20
    udp encapsulation used for nat traversal: N

Root Cause

Maybe PFS wasn't setted in the configuration.

Suggestions

Null

Feedback
Related resources
Documentation Software Download Bulletins Tools
Related searches
By Author
Help us to improve
Write an article
Enterprise APP

Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.