
IPsec Tunnel is up, but traffic isn't passing through the tunnel

Publication Date:  2019-07-19  |   Views:  1564  |   Downloads:  0  |   Author:  m84068533  |   Document ID:  EKB1000714089

Issue Description

The customer was having problems with an IPsec site-to-site tunnel. The tunnel was up, but it was not passing any traffic. The issue appeared on an AR109W; the peer device was a Palo Alto firewall, on which the tunnel also appeared to be up. The traffic that should have been going over the tunnel was instead being sent unencrypted over the Internet.



Handling Process

After analyzing the information provided, we realized that the router had a wrong configuration for the NAT ACL. When traffic left the router, outbound NAT was applied first, so the traffic's source IP address was changed to the IP address of the Dialer interface.

After the router had applied NAT, the traffic was no longer able to enter the IPsec VPN, because the translated source address could not hit the security ACL defined for the IPsec policy.

We suggested that the customer replace the basic ACL with an extended ACL that exempts the site-to-site traffic from NAT, and apply it on the Dialer interface. The issue was solved.


Solution

We suggested that the customer replace the basic ACL with an extended ACL that denies (exempts from NAT) the traffic between the local and remote VPN subnets and permits everything else, and apply it on the Dialer interface. The issue was solved.

acl 3500
rule 4 deny ip source x.x.x.x y.y.y.y destination x.x.x.x y.y.y.y
rule 5 permit ip

[Huawei]interface Dialer1
[Huawei-dialer1]undo nat outbound 2999
[Huawei-dialer1]nat outbound 3500
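The processing order described above (outbound NAT evaluated before the IPsec security ACL) can be modelled in a few lines. The following Python is an added illustration and is not Huawei code or part of the original article. The addresses (LAN 192.168.10.0/24 behind the AR109W, remote site 10.20.0.0/24 behind the Palo Alto, Dialer1 address 203.0.113.5) and the ACL contents are constructed to stand in for the x.x.x.x / y.y.y.y placeholders; the wildcard-mask matching follows the usual VRP convention (a 0 bit must match). It shows why the basic ACL translated every LAN packet so that none of it matched the IPsec ACL, and why the extended ACL's deny rule lets the site-to-site traffic reach IPsec untranslated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def match_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: bits that are 0 in the wildcard must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                               # "permit" or "deny"
    src: Optional[Tuple[str, str]] = None     # (base, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None     # a basic ACL can never set this


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First-match lookup. Returns 'permit', 'deny', or None if no rule matched."""
    for r in rules:
        if (r.src is None or match_wildcard(src, *r.src)) and \
           (r.dst is None or match_wildcard(dst, *r.dst)):
            return r.action
    return None


# Constructed sample addressing (assumption, not taken from the article).
LAN = ("192.168.10.0", "0.0.0.255")      # behind the AR109W
REMOTE = ("10.20.0.0", "0.0.0.255")      # behind the Palo Alto
DIALER_IP = "203.0.113.5"                # Dialer1 public address

# acl 2999 (basic): matches on source only, so every LAN packet is translated.
NAT_ACL_BASIC = [Rule("permit", src=LAN)]

# acl 3500 (extended): rule 4 exempts LAN -> remote, rule 5 translates the rest.
NAT_ACL_EXTENDED = [Rule("deny", src=LAN, dst=REMOTE), Rule("permit")]

# IPsec security ACL: interesting traffic is LAN -> remote with the original source.
IPSEC_ACL = [Rule("permit", src=LAN, dst=REMOTE)]


def forward(src: str, dst: str, nat_acl: List[Rule]) -> Tuple[str, str]:
    """Egress path on Dialer1 in the order the article describes:
    nat outbound is applied first, then the IPsec policy's security ACL is checked.
    Returns (path, source address seen by the IPsec check)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = DIALER_IP                      # source NAT to the dialer address
    if acl_lookup(IPSEC_ACL, src, dst) == "permit":
        return ("ipsec", src)                # encapsulated into the tunnel
    return ("internet", src)                 # plain routed, not encapsulated


if __name__ == "__main__":
    for name, acl in (("acl 2999 (basic)", NAT_ACL_BASIC),
                      ("acl 3500 (extended)", NAT_ACL_EXTENDED)):
        print(name, "->", forward("192.168.10.7", "10.20.0.9", acl))
```

With the basic ACL the LAN-to-remote packet comes out as ("internet", "203.0.113.5"): it was translated, so the IPsec ACL never saw a LAN source. With the extended ACL the same packet comes out as ("ipsec", "192.168.10.7"), while ordinary Internet-bound traffic from the LAN is still translated as before.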