Fault symptom: Both devices show that there are no encrypted packets. Both of them have permit rules configured for traffic in both directions on the public IP addresses.
USG Version : V500R001C30SPC100
AR Version : V200R007C00SPCb00
Configuration script:
ipsec proposal prop18411381877
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
ike proposal 1
We requested the diagnostic files from both devices and reproduced the configuration in the lab.
After we reproduced the configuration, we found the following issues:
The customer configured IPsec and NAT together on the same interface:
tcp adjust-mss 1200
ip address x.x.127.86 255.255.255.252
nat outbound 2999
ipsec policy POLICY1
ACL 2999 does not exclude the traffic protected by the IPsec VPN from NAT. The AR router performs NAT first, so the source IP address of that traffic is translated by NAT, it no longer matches the IPsec policy, and it cannot enter the IPsec tunnel.
In addition, ACL 2999 is a basic ACL, which can only match on the source IP address, so it can only deny the whole source range. We can change the ACL number to an advanced ACL, such as 3100, which can match on both source and destination, and then deny exactly the traffic that is protected by the IPsec VPN.
1. Modify the configuration as below:
[Huawei-acl-adv-3100] rule 5 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.0.0 0.0.3.255
[Huawei-acl-adv-3100] rule 10 permit ip
2. The IPsec tunnel uses SHA-2, so the command “ipsec authentication sha2 compatible enable” must also be configured.
When IPsec uses the SHA-2 algorithm and the device at the remote end of the IPsec tunnel is from another vendor, this command must be configured on the local device. If the command is not configured on the local device, service transmission will be interrupted.
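To make the NAT-before-IPsec ordering behind step 1 concrete, here is an added Python model of the AR's outbound path; it is not code from the case or from Huawei. It parses rules in the VRP ACL syntax shown above and applies the order the case describes: the NAT outbound ACL is evaluated first, and only the (possibly translated) packet is then matched against the IPsec policy's ACL. The customer's original ACL 2999 rule, the basic-ACL workaround, the IPsec policy ACL, the LAN host and Internet destination, and the public address 203.0.113.86 (standing in for x.x.127.86) are all constructed assumptions; only the ACL 3100 rules come from the case.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the interface address x.x.127.86 shown in the case.
PUBLIC_IP = "203.0.113.86"

# VRP rule syntax: basic ACL (2000-2999) rules carry only "source", advanced
# ACL (3000-3999) rules carry "ip source ... destination ...". Either part may
# be omitted, in which case it matches any address.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)(?:\s+ip)?"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)


@dataclass
class Rule:
    number: int
    action: str
    src: Optional[Tuple[str, str]]  # (network, wildcard) or None for any
    dst: Optional[Tuple[str, str]]


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    num, action, s_net, s_wc, d_net, d_wc = m.groups()
    return Rule(int(num), action,
                (s_net, s_wc) if s_net else None,
                (d_net, d_wc) if d_net else None)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask match: 0 bits in the mask must be equal, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w) == 0


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First-match semantics in rule-number order; None means no rule matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.src and not wildcard_match(src, *r.src):
            continue
        if r.dst and not wildcard_match(dst, *r.dst):
            continue
        return r.action
    return None


def forward(src: str, dst: str, nat_acl: List[Rule], ipsec_acl: List[Rule]) -> dict:
    """Model the AR's outbound order on one interface: 'nat outbound' is applied
    first (packets the NAT ACL permits are translated to PUBLIC_IP), and only
    then is the packet compared with the IPsec policy's ACL."""
    natted = acl_lookup(nat_acl, src, dst) == "permit"
    visible_src = PUBLIC_IP if natted else src
    encrypted = acl_lookup(ipsec_acl, visible_src, dst) == "permit"
    return {"natted": natted, "src_after_nat": visible_src, "encrypted": encrypted}


# Constructed: a plausible original basic ACL 2999 (NAT everything from the LAN).
ACL_2999_ORIGINAL = [parse_rule("rule 5 permit source 172.16.1.0 0.0.0.255")]

# Constructed: the only exclusion a basic ACL can express; it also stops NAT
# for the LAN's ordinary Internet traffic.
ACL_2999_DENY_LAN = [parse_rule("rule 5 deny source 172.16.1.0 0.0.0.255"),
                     parse_rule("rule 10 permit")]

# The advanced ACL 3100 from the case: exempt only LAN -> remote-site traffic.
ACL_3100 = [parse_rule("rule 5 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.0.0 0.0.3.255"),
            parse_rule("rule 10 permit ip")]

# Constructed: the IPsec policy's ACL (not shown in the case).
IPSEC_ACL = [parse_rule("rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.0.0 0.0.3.255")]

VPN_FLOW = ("172.16.1.10", "192.168.2.5")       # constructed LAN host -> remote site
INTERNET_FLOW = ("172.16.1.10", "198.51.100.7")  # constructed LAN host -> Internet


if __name__ == "__main__":
    for name, nat_acl in [("ACL 2999 (original)", ACL_2999_ORIGINAL),
                          ("ACL 2999 (deny LAN)", ACL_2999_DENY_LAN),
                          ("ACL 3100 (advanced)", ACL_3100)]:
        for label, (s, d) in [("VPN", VPN_FLOW), ("Internet", INTERNET_FLOW)]:
            print(name, label, forward(s, d, nat_acl, IPSEC_ACL))
```

Running it shows the three outcomes the case describes: with the original ACL 2999 the VPN flow is translated to the public address and never matches the IPsec ACL; with a basic-ACL deny the VPN flow is encrypted but the LAN's Internet traffic loses NAT as well; with ACL 3100 only the LAN-to-remote-site flow is exempted from NAT and everything else is still translated. The model deliberately ignores session state and the return direction so that only the ordering point is visible.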