Unavailable IPSec Service on the AR2200 After NAT Is Performed

Publication Date:  2013-12-31  |   Views:  236  |   Downloads:  0  |   Document ID:  EKB1000038560

Issue Description

AR2200 version:
VRP (R) software, Version 5.90 (AR2200 V200R001C00SPC500)
Networking:
Intranet 1---AR2200-1---WAN---AR2200-2---Intranet 2
An IPSec tunnel is established between AR2200-1 and AR2200-2. Intranet 1 and intranet 2 access each other through the IPSec tunnel. In addition, the NAT service is configured on AR2200-1 to allow intranet 1 to access the Internet.
Fault symptom:
When the NAT service is not configured on AR2200-1, intranet 1 and intranet 2 can properly access each other through the IPSec tunnel.
When the NAT service is configured on AR2200-1, intranet 1 and intranet 2 cannot access each other through the IPSec tunnel, but AR2200-1 and AR2200-2 can communicate with each other through the IPSec tunnel. The interface with a private IP address on AR2200-1 can ping the interface with a private IP address on AR2200-2.
#
ike local-name test1
#
acl number 2000
rule 3 permit source 172.16.0.0 0.0.0.255
#
acl number 3001
rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 10.10.0.0 0.0.255.255
#
ipsec proposal st
#
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike peer st v1
exchange-mode aggressive
pre-shared-key 1234567
local-id-type name
remote-name test2
local-address 78.110.*.190
nat traversal
remote-address 202.111.*.74
#
ipsec policy use1 1 isakmp
security acl 3001
ike-peer st
proposal st
#
....
#
interface GigabitEthernet0/0/0
ip address 78.110.*.190 255.255.255.252
ipsec policy use1
nat outbound 2000
#
....
#
ip route-static 0.0.0.0 0.0.0.0 78.110.*.189
#

Alarm Information

None

Handling Process

Adjust the NAT configuration on AR2200-1 so that the NAT ACL denies the IPSec streams before permitting the rest of intranet 1. Because basic ACL 2000 can match on the source address only, replace it with an advanced ACL (ACL 3000) that also matches on the destination, and apply that ACL to nat outbound.
#
ike local-name test1
#
acl number 3000
rule 5 deny ip source 172.16.0.0 0.0.0.255 destination 10.10.0.0 0.0.255.255   //deny the IPSec streams so that NAT leaves them untranslated
rule 10 permit ip source 172.16.0.0 0.0.0.255
#
acl number 3001
rule 5 permit ip source 172.16.0.0 0.0.0.255 destination 10.10.0.0 0.0.255.255
#
ipsec proposal st
#
ike proposal 1
encryption-algorithm aes-cbc-128
authentication-algorithm md5
#
ike peer st v1
exchange-mode aggressive
pre-shared-key 1234567
local-id-type name
remote-name test2
local-address 78.110.*.190
nat traversal
remote-address 202.111.*.74
#
ipsec policy use1 1 isakmp
security acl 3001
ike-peer st
proposal st
#
....
#
interface GigabitEthernet0/0/0
ip address 78.110.*.190 255.255.255.252
ipsec policy use1
nat outbound 3000
#
....
#
ip route-static 0.0.0.0 0.0.0.0 78.110.*.189
#

Root Cause

1. When both IPSec and NAT are configured on the same interface of the AR2200, the two services are applied in a fixed order during hardware forwarding: NAT is performed first, and only packets that are not translated by NAT go on to the IPSec process. In the preceding AR2200-1 configuration, ACL 2000 of NAT and ACL 3001 of IPSec both match the same private source address, so the IPSec streams hit the NAT ACL first and are translated before the IPSec policy sees them. The translated packets no longer match ACL 3001, resulting in an IPSec service failure.
2. Packets originated by the AR2200 itself (such as the ping in this case) are forwarded directly by the CPU, which is called CPU software forwarding and differs from hardware forwarding. Therefore, the interface with a private IP address on AR2200-1 can ping the interface with a private IP address on AR2200-2. Even if the parameter -r is specified in the ping command, CPU software forwarding is still performed, and the ping operation succeeds.
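As an added illustration (not part of the original article or Huawei code), the following Python model reproduces the forwarding order described above and shows why basic ACL 2000 breaks the tunnel while advanced ACL 3000 fixes it. The function names, the simplified wildcard-mask matching and the address 78.110.0.190 (standing in for the masked 78.110.*.190) are assumptions of this example.

```python
import ipaddress

# Constructed model (not Huawei code) of the order described in Root Cause:
# NAT outbound is evaluated first, and only packets NAT leaves untranslated
# are then matched against the IPSec security ACL.

def wildcard_match(addr, base, wildcard):
    """VRP-style wildcard mask: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(rules, src, dst):
    """First-match lookup. A rule is (action, src_base, src_wc, dst_base, dst_wc);
    dst_base None means the rule ignores the destination (basic ACL)."""
    for action, sb, sw, db, dw in rules:
        if wildcard_match(src, sb, sw) and (db is None or wildcard_match(dst, db, dw)):
            return action
    return None  # no rule matched

# Basic ACL 2000 used for NAT in the faulty configuration (source only)
ACL_2000 = [("permit", "172.16.0.0", "0.0.0.255", None, None)]
# Advanced ACL 3000 from the fix: exempt the IPSec streams from NAT first
ACL_3000 = [("deny",   "172.16.0.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
            ("permit", "172.16.0.0", "0.0.0.255", None, None)]
# IPSec security ACL 3001 (identical in both configurations)
ACL_3001 = [("permit", "172.16.0.0", "0.0.0.255", "10.10.0.0", "0.0.255.255")]

WAN_ADDR = "78.110.0.190"  # placeholder for the masked address 78.110.*.190

def forward(nat_acl, src, dst):
    """Return (path, source address on the wire) for a packet leaving GE0/0/0."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = WAN_ADDR  # NAT rewrites the source before IPSec sees the packet
    if acl_action(ACL_3001, src, dst) == "permit":
        return ("ipsec", src)  # matched ACL 3001: encrypted into the tunnel
    return ("plain", src)  # sent in clear, whether translated or not

if __name__ == "__main__":
    for acl, name in ((ACL_2000, "ACL 2000"), (ACL_3000, "ACL 3000")):
        print(name, "intranet 1 -> intranet 2:", forward(acl, "172.16.0.10", "10.10.1.1"))
        print(name, "intranet 1 -> Internet:", forward(acl, "172.16.0.10", "198.51.100.7"))
```

With ACL 2000 the intranet-to-intranet packet is translated and leaves in clear text, which is the fault symptom; with ACL 3000 it is exempted from NAT, matches ACL 3001 and enters the tunnel, while Internet-bound traffic is still translated.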

Suggestions

The service packet processing sequence should be described in the product documentation to facilitate fault location and rectification for frontline personnel.