A site of office makes IPSEC VPN connection through two USG2160. And one is fixed public IP address, the other is 3G dialing, when trigger IPSEC connection from dial-up end, it was find that the tunnel second stage do not establish, and peer flag is: unnamed, network topology are as follows： usg2160----internet---usg2160
1. Check IPSEC configuration parameter of two devices and find they are the same.
2. Check the data flow that do the ACL of IPSEC, and find mistakes:
The ACL of one device is that:
Acl number 3001
Rule 5 permit IP source 22.214.171.124 0.0.0.255 destination 192.168.1.0 0.0.0.255
Another ACL is that:
Acl number 3000
Rule 5 permit IP source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
Change the ACL of first device to: rule 5 permit IP source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255, and it is ok.
ACL does not form a mirror.
If the second stage of IPSEC do not establish, it means ACL don't into mirror or threr are some place IPSEC parameters do not match (especially should pay attention to interconnect to peer vendor products). This case is because write the wrong ACL IP address, and find that only after careful inspection.