No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


The solution that USG5300 fail to actively establish IPSEC tunnel

Publication Date:  2012-11-07 Views:  89 Downloads:  0

Issue Description

USG5300 and USG3000 configure IPSEC VPN, use the IKE to realize IPSEC to encrypt transmission message.
Can actively launch IPSEC tunnel from USG3000, and PING pass
But can't active establish IPSEC tunnel from USG5300, and cannot PING pass

Alarm Information


Handling Process

1, in the system view input the command Ike peer peer_name, enter Ike peer view, peer_name is the peer name referred by policy.
2, in Ike peer view, input command undo version 2.

Root Cause

1, the policy from one side cannot active launch is template way. For this kind of situation, belongs to the normal phenomenon, do not need process.
2, one end support IKEv1 by default, and the other end support IKEv2 by default.
Supporting IKEv2 Eudemon1000E is an important characteristic, and improve the performance of the equipment. USG5300 can auto-negotiate to support IKEv1 and IKEv2, use IKEv2 by default; And USG3000 equipment only support IKEv1.
If USG3000 launch IKE negotiation first, using IKEv1, because USG5300 can auto-negotiate to response IKEv1 and IKEv2 negotiation, so can set up negotiation; And when USG5300 equipment actively launch negotiation, use IKEv2 by default, so start IKEv2 negotiation. The peer end USG3000 can't response IKEv2 negotiation, so cannot establish tunnel.


When use USG5300 and other equipment to make IKE negotiation, need pay attention to the IKE version problem. If the peer end does not support IKEv2, USG5300 equipment active negotiation maybe fail, need to modify IKEv1configuration.