An IPsec Tunnel Is Set Up on an NE20E-S But Services Fail to Be Forwarded

Publication Date: 2019-04-11

Issue Description

Device model: NE20E-S4
Software version: V800R008C10SPC500
Symptom: An IPsec tunnel is set up on an NE20E-S, but services fail to be forwarded.

Handling Process

1. Run the display ipsec sa command to check the IPsec SA information. It is found that the IPsec tunnel has been set up and flow negotiation is complete.

2. Run the display ipsec statistics command to check IPsec statistics. It is found that the outbound encrypted packet count is 0, so no traffic is reaching the tunnel for encryption.

3. Check the ACL configuration to determine whether a traffic filter policy is configured and whether the flows to be encapsulated are failing to reach the IPsec tunnel.
It is found that an ACL exists whose rule matches the same IPsec flow but with a deny action.

4. Check the interface through which the IPsec flow's source network segment is routed. It is found that a traffic policy that matches ACL 3001 is configured on that interface.

Root Cause

A traffic policy is applied to the NE20E interface through which the IPsec flow's source network segment is routed, and the data flows that should be encrypted are discarded by it.
On NE series routers, traffic that hits an ACL rule referenced by a traffic policy is discarded whenever the rule's action is deny, regardless of the traffic behavior bound to the classifier.

Solution

Add a pair of traffic classifiers and traffic behaviors to the traffic policy, using ACLs whose rules have the permit action in the classifiers, and give the pair that matches the IPsec flows a higher precedence than the NAT pair.
The IPsec data flows to be encrypted then match the first classifier, whose behavior carries no NAT action, so they are forwarded without NAT; only the remaining traffic reaches the NAT behavior.

Detailed configuration is as follows (behavior b0 intentionally has no action, so flows matched by classifier c0 are forwarded without NAT):
acl number 3000
 rule 5 permit ip source destination
acl number 3001
 rule 0 permit ip source
 rule 2 permit ip source
traffic classifier c0 operator or
 if-match acl 3000
traffic classifier c1 operator or
 if-match acl 3001
traffic behavior b0
traffic behavior b1
 nat bind instance nat1
traffic policy p1
 classifier c0 behavior b0 precedence 1
 classifier c1 behavior b1 precedence 2
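As an added illustration (not part of the original case and not Huawei code), the following Python model reproduces the traffic-policy semantics described above: classifiers are evaluated in precedence order, a hit on a deny rule discards the packet, a permit hit applies the bound behavior, and a miss falls through. The addresses, the contents of the broken ACL, and the packet samples are constructed assumptions, since the case elides them.

```python
import ipaddress

# Constructed addresses: the case's ACL rules have their addresses elided.
IPSEC_SRC = "10.1.1.0/24"   # local network to be encrypted into the IPsec tunnel
IPSEC_DST = "10.2.2.0/24"   # remote protected network behind the tunnel
ANY = "0.0.0.0/0"

def acl_match(rules, src, dst):
    """First-match ACL lookup: returns 'permit', 'deny', or None on no match."""
    for action, src_net, dst_net in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
            return action
    return None

def apply_policy(policy, src, dst):
    """Evaluate (acl_rules, behavior, precedence) tuples, lowest precedence first.
    Modelled NE-series semantics from the case: a deny hit discards the packet,
    a permit hit applies that classifier's behavior, a miss tries the next one."""
    for acl_rules, behavior, _prec in sorted(policy, key=lambda p: p[2]):
        action = acl_match(acl_rules, src, dst)
        if action == "deny":
            return "dropped"
        if action == "permit":
            return behavior or "forward"   # empty behavior (b0): plain forwarding
    return "forward"                       # no classifier matched

# Assumed pre-fix state: the NAT classifier's ACL carries a deny rule for the
# IPsec flow, which is exactly what the handling process found.
ACL_3001_BROKEN = [("deny", IPSEC_SRC, IPSEC_DST), ("permit", IPSEC_SRC, ANY)]
POLICY_BROKEN = [(ACL_3001_BROKEN, "nat", 2)]

# Fixed state mirroring the configuration above: c0/b0 (ACL 3000, permit, no
# action) at precedence 1 ahead of c1/b1 (ACL 3001, NAT) at precedence 2.
ACL_3000 = [("permit", IPSEC_SRC, IPSEC_DST)]
ACL_3001 = [("permit", IPSEC_SRC, ANY)]
POLICY_FIXED = [(ACL_3000, None, 1), (ACL_3001, "nat", 2)]

def outcome(policy):
    """Result for one IPsec-bound packet and one Internet-bound packet (constructed)."""
    ipsec = apply_policy(policy, "10.1.1.10", "10.2.2.10")
    internet = apply_policy(policy, "10.1.1.10", "203.0.113.5")
    return ipsec, internet

if __name__ == "__main__":
    print("before fix:", outcome(POLICY_BROKEN))   # ('dropped', 'nat')
    print("after fix: ", outcome(POLICY_FIXED))    # ('forward', 'nat')
```

The check to keep in mind when reviewing such a policy is the first line of output: any IPsec-bound flow that returns "dropped" or "nat" instead of "forward" will never reach the tunnel, which matches the zero outbound encryption count seen in step 2.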