The topology is shown below:
The customer configured site-to-site IPSec between the USG6370 and a Juniper SSG. After the configuration was finished, the IPSec tunnel could not come up.
When the customer collected the debug information from the USG6370, it showed the following:
This means that the IKE SA (Phase 1) was not established.
1. We checked the routing table; a route to the peer device exists and the peer can be pinged.
2. We checked the USG6370 security policy; the interface on which IPSec is enabled has been added to the zone and the security policy is OK.
3. We checked the IPSec configuration.
We compared the IPSec parameters with those on the Juniper SSG and found that the security ACL did not match.
After the ACL was modified, IPSec was established between the USG6370 and the SSG, but the service still did not work.
We then found that the USG6370 uses a private IP address to connect to the peer device. We captured packets on the USG6370,
and they showed that the source port and destination port had been changed to 4500, as shown below:
The USG6370 has NAT-Traversal enabled by default, so we asked the customer to check the configuration of the peer device, the Juniper SSG.
After NAT-Traversal was enabled on the Juniper SSG, the service worked.
The IPSec parameters on the two devices were not the same, such as the security ACL and NAT-Traversal.
When configuring site-to-site IPSec between the USG and another vendor's device, the IPSec parameters must be the same on both ends.
Some settings are enabled by default on the USG but are not configured on the other vendor's device.
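
The parity check that this suggestion calls for, as an added example that is not part of the original case: it compares the effective settings of both tunnel ends, including defaults that never appear in the configuration. The dictionary layout, the sample subnets and the peer's NAT-Traversal default are assumptions made for illustration.

```python
from ipaddress import ip_network

# Effective defaults when a setting is absent from the configuration.
# The USG value is stated in this case; the "other" value is an assumption
# drawn from the fact that NAT-Traversal had to be enabled on the peer.
DEFAULTS = {
    "usg": {"nat_traversal": True},
    "other": {"nat_traversal": False},
}

def effective(vendor, config):
    """Merge explicitly configured settings over the vendor's defaults."""
    return {**DEFAULTS[vendor], **config}

def unmirrored(local_acl, peer_acl):
    """Local (src, dst) selectors with no (dst, src) counterpart on the peer."""
    peer = {(ip_network(s), ip_network(d)) for s, d in peer_acl}
    return [(s, d) for s, d in local_acl
            if (ip_network(d), ip_network(s)) not in peer]

def compare(local, peer):
    """Return a list of readable mismatches between the two tunnel ends."""
    a, b = effective(*local), effective(*peer)
    findings = []
    for s, d in unmirrored(a["acl"], b["acl"]):
        findings.append(f"acl: local {s} -> {d} has no mirror on the peer")
    for s, d in unmirrored(b["acl"], a["acl"]):
        findings.append(f"acl: peer {s} -> {d} has no mirror locally")
    if a["nat_traversal"] != b["nat_traversal"]:
        findings.append(f"nat_traversal: local={a['nat_traversal']} "
                        f"peer={b['nat_traversal']}")
    return findings

# Constructed sample data; the subnets are not taken from the case.
USG = ("usg", {"acl": [("10.1.0.0/24", "10.2.0.0/24")]})
PEER_BEFORE = ("other", {"acl": [("10.2.0.0/24", "10.1.0.0/16")]})
PEER_AFTER = ("other", {"acl": [("10.2.0.0/24", "10.1.0.0/24")],
                        "nat_traversal": True})

if __name__ == "__main__":
    for label, peer in (("before", PEER_BEFORE), ("after", PEER_AFTER)):
        print(label, compare(USG, peer) or "parameters match")
```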