
AR2809B prints error logs when using IPsec

Publication Date:  2012-07-27  |   Views:  133  |   Downloads:  0  |   Author:  SU1001303307  |   Document ID:  EKB0000241947

Issue Description

After IPsec was configured on the AR2809B, IPsec negotiation failed and the router printed error logs.
Topology:
HOST ----------- AR2809B --------- IPsec --------- AR2809B ----------- HOST
60.1.1.1/32                                                     60.1.1.2/32

Alarm Information

- *0.13243194 huawei1-2 IKE/8/DEBUG:  MSG_TYPE: INVALID_ID_INFORMATION
- IKE packet dropped: (src addr: 58.1.1.2, dst addr: 58.1.1.1) with I_Cookie da4296998d9b4f53 and R_Cookie fd57fd24f469dbd8, because of ' No IPSec policy found ' from payload PROPOSAL.
- KE packet dropped: (src addr: 58.1.1.2, dst addr: 58.1.1.1) with I_Cookie da4296998d9b4f53 and R_Cookie fd57fd24f469dbd8, because of ' No IPSec policy found ' from payload PROPOSAL.

Handling Process

Change the ACL rule so that it specifies the destination address:
acl number 3101
 rule 0 permit ip source 60.1.1.1 0 destination 60.1.1.2 0

Root Cause

Checking the configuration of the AR2809B shows that the ACL used in the IPsec policy is as follows:
acl number 3101
 rule 0 permit ip source 60.1.1.1 0 logging  
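Using the "any" keyword in an ACL referenced by an IPsec policy is discouraged. The rule above specifies no destination, which is equivalent to "any". An "any" subnet configuration can cause traffic to fail because no specific subnet or host is specified.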
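
The following check is an added example, not part of the original article or of any Huawei tooling: it scans saved configuration text for ACL permit rules whose source or destination is missing or written as "any", the condition described above. It assumes the `acl number` / `rule ... permit ip` layout shown in this article and the `destination` keyword; ACLs 3102 and 3103 in the sample are constructed for illustration.

```python
import re

# Constructed sample: ACL 3101 is the rule from this article; 3102 and 3103
# are made-up ACLs showing an explicit destination and an explicit "any".
SAMPLE_CONFIG = """\
acl number 3101
 rule 0 permit ip source 60.1.1.1 0 logging
acl number 3102
 rule 0 permit ip source 60.1.1.1 0 destination 60.1.1.2 0
acl number 3103
 rule 5 permit ip source any destination 60.1.1.2 0
"""

ACL_RE = re.compile(r"^acl number (\d+)\s*$")
RULE_RE = re.compile(r"^\s+rule (\d+) permit ip\b(.*)$")


def selector(rule_body, keyword):
    """Return the address that follows `keyword`, or None if the keyword is absent."""
    m = re.search(r"\b" + keyword + r"\s+(\S+)", rule_body)
    return m.group(1) if m else None


def find_open_selectors(config_text):
    """Return (acl, rule, problem) tuples for permit rules whose source or
    destination is missing (implicitly any) or given as the keyword any."""
    findings = []
    acl = None
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m or not line.startswith(" "):
            # A new top-level line either opens an ACL or ends the current one.
            acl = m.group(1) if m else None
            continue
        m = RULE_RE.match(line)
        if not (m and acl):
            continue
        rule_id, body = m.groups()
        for keyword in ("source", "destination"):
            addr = selector(body, keyword)
            if addr is None:
                findings.append((acl, rule_id, keyword + " missing (implicit any)"))
            elif addr == "any":
                findings.append((acl, rule_id, keyword + " is any"))
    return findings


if __name__ == "__main__":
    for acl, rule_id, problem in find_open_selectors(SAMPLE_CONFIG):
        print(f"acl {acl} rule {rule_id}: {problem}")
```

Run it against the ACLs that IPsec policies reference on both peers; any reported rule should be rewritten with an explicit host or subnet on both sides.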

Suggestions

The C corporation's routers behave the same as ours regarding IPsec ACLs.