After IPSec Is Configured on the AR, Traffic Forwarding Fails

Publication Date: 2015-04-01

Issue Description


Main configuration on RouterA:

acl number 3000
 rule 10 permit ip source destination
 rule 20 permit ip source destination
 rule 30 permit ip source destination
 rule 40 permit ip source destination
 rule 50 deny ip
ipsec proposal 2
ike proposal 2
ike peer aaa v1
 pre-shared-key huawei
ipsec policy-template hrui 10
 security acl 3000
 ike-peer aaa
 proposal 2
ipsec policy huir 10 isakmp template hrui

Fault Symptom:
1.  After an IPSec tunnel is set up, users cannot access the public network (such traffic does not need to be encrypted using IPSec). After the IPSec policy is unbound from the interface, users can access the public network.

2.  Four permit ACL rules are configured, but only traffic matching one of the permit rules can be transmitted.

Handling Process

Upgrade the ARs at both ends to V200R002 or later.

Root Cause

1.  The ACL bound to the IPSec policy defines a deny rule. RouterA, which runs V200R001C01SPC500, does not support a deny rule in an ACL bound to an IPSec policy and discards packets matching the deny rule by default. After the deny rule is deleted, the fault is rectified.
V200R002 does not use IPSec to encapsulate packets matching the deny rule, and it does not discard such packets; they are forwarded in plain text.

2.  There are differences between versions. One end uses V200R001, and the other end uses V200R002. In V200R001, an SA is negotiated per ACL number. In V200R002, an SA is negotiated per ACL rule. Therefore, the AR running V200R001 negotiates one SA, while the AR running V200R002 negotiates four SAs. In this case, only traffic matching one ACL rule can be transmitted. After the V200R001 AR is upgraded to V200R002, the fault is rectified.
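The following Python check is an added example, not Huawei's code or part of this case; it parses a VRP-style configuration modelled on the RouterA configuration above (the ACL addresses are placeholders, since the page elides them) and flags the two conditions described here: a deny rule in an IPSec-bound ACL on a pre-V200R002 device, and an SA-count mismatch between a per-ACL (V200R001) and a per-rule (V200R002) peer. The version behaviour encoded in the check assumes exactly what the root cause states.

```python
import re

# Constructed sample modelled on the page's RouterA configuration;
# the source/destination addresses are placeholders.
ROUTER_A_CONFIG = """\
acl number 3000
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
 rule 20 permit ip source 10.1.2.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
 rule 30 permit ip source 10.1.3.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
 rule 40 permit ip source 10.1.4.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
 rule 50 deny ip
ipsec policy-template hrui 10
 security acl 3000
 ike-peer aaa
 proposal 2
ipsec policy huir 10 isakmp template hrui
"""

def pre_v200r002(version):
    """True for versions before V200R002, e.g. 'V200R001C01SPC500'."""
    m = re.match(r"V(\d+)R(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) < (200, 2)

def parse_acls(config):
    """Return {acl_number: [(rule_id, action), ...]} in configured order."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"acl number (\d+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = re.match(r"rule (\d+) (permit|deny)\b", line)
        if m and current is not None:
            acls[current].append((int(m.group(1)), m.group(2)))
    return acls

def ipsec_acl_findings(config, local_version, peer_version):
    """Findings for every ACL referenced by 'security acl' in an IPSec policy."""
    findings, acls = [], parse_acls(config)
    for acl in sorted(set(re.findall(r"^\s*security acl (\d+)", config, re.M))):
        rules = acls.get(acl, [])
        permits = [r[0] for r in rules if r[1] == "permit"]
        denies = [r[0] for r in rules if r[1] == "deny"]
        if denies and pre_v200r002(local_version):
            findings.append(f"acl {acl}: deny rule(s) {denies} are dropped by "
                            f"{local_version}; upgrade to V200R002 or remove them")
        # V200R001 negotiates one SA per ACL, V200R002 one SA per permit rule.
        sa_local = 1 if pre_v200r002(local_version) else len(permits)
        sa_peer = 1 if pre_v200r002(peer_version) else len(permits)
        if sa_local != sa_peer:
            findings.append(f"acl {acl}: SA count mismatch (local={sa_local}, "
                            f"peer={sa_peer}); only one of {len(permits)} permit "
                            f"rules will carry traffic")
    return findings
```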


There are feature differences between versions. It is recommended that connected devices use the same version.