An IPsec Tunnel Is Set Up on an NE20E-S But Services Fail to Be Forwarded

Publication Date: 2019-04-11
Issue Description

Device model: NE20E-S4
Software version: V800R008C10SPC500
Symptom: An IPsec tunnel is set up on an NE20E-S, but services fail to be forwarded.

Handling Process

1. Run the display ipsec sa command to check the IPsec SA information. It is found that the IPsec tunnel has been set up and flow negotiation is complete.

2. Run the display ipsec statistics command to check IPsec statistics. It is found that the number of encrypted packets in the outbound direction is 0.

3. Check the ACL configuration to determine whether a traffic filter policy is configured that prevents the flows to be encapsulated from being delivered to the IPsec tunnel.
It is found that an ACL exists that matches the same IPsec flow but has a deny action.

4. Check the routes for the source network segment of the IPsec flow. It is found that a traffic policy matching ACL 3001 is configured on the interface.

Root Cause

A traffic policy is configured on the NE20E interface that carries the routes for the source network segment of the IPsec flow, and the data flows to be encrypted are discarded by that policy.
On NE series routers, traffic that hits an ACL is discarded as long as the ACL action is deny.

Solution

Create a classifier and behavior pair in the traffic policy that matches the IPsec flows with an ACL whose action is permit and binds the classifier to a permit behavior.
This prevents NAT from being applied to the IPsec data flows that are to be encrypted.

The detailed configuration is as follows:
acl number 3000
 rule 5 permit ip source 172.16.0.0 0.0.15.255 destination 172.16.16.0 0.0.15.255
#
acl number 3001
 rule 0 permit ip source 192.168.0.0 0.0.255.255
 rule 2 permit ip source 172.16.0.0 0.0.15.255
#
traffic classifier c0 operator or
 if-match acl 3000
#
traffic classifier c1 operator or
 if-match acl 3001
#
traffic behavior b0
 permit
#
traffic behavior b1
 nat bind instance nat1
#
traffic policy p1
 classifier c0 behavior b0 precedence 1
 classifier c1 behavior b1 precedence 2
#
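The configuration above works because classifier c0 (ACL 3000, permit) takes precedence over classifier c1 (ACL 3001, NAT), so the IPsec flow is never rewritten by NAT and still matches the IPsec ACL when it reaches the tunnel. The following Python simulation, added here as an example and not part of the original case or of Huawei's software, models Huawei wildcard-mask ACL matching and first-match policy evaluation for exactly these ACLs; the pre-fix policy containing only the NAT classifier and the sample packet addresses are assumptions.

```python
import ipaddress

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so 172.16.0.0 0.0.15.255 covers 172.16.0.0-172.16.15.255."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(addr) & care) == (_addr(network) & care)

# ACL rules transcribed from the case: (action, src_net, src_wild, dst_net, dst_wild).
# A None destination means "any", as in rules that omit the destination keyword.
ACLS = {
    3000: [("permit", "172.16.0.0", "0.0.15.255", "172.16.16.0", "0.0.15.255")],
    3001: [("permit", "192.168.0.0", "0.0.255.255", None, None),
           ("permit", "172.16.0.0", "0.0.15.255", None, None)],
}

def acl_action(acl_number: int, src: str, dst: str):
    """First matching rule wins; None means no rule of the ACL covers this packet."""
    for action, snet, swild, dnet, dwild in ACLS[acl_number]:
        if not wildcard_match(src, snet, swild):
            continue
        if dnet is not None and not wildcard_match(dst, dnet, dwild):
            continue
        return action
    return None

# Traffic policies as (acl_number, behavior, precedence). The pre-fix policy is an
# assumption: only the NAT classifier bound to ACL 3001 that the case found.
POLICY_BEFORE_FIX = [(3001, "nat bind instance nat1", 1)]
POLICY_P1 = [(3000, "permit", 1), (3001, "nat bind instance nat1", 2)]

def apply_policy(policy, src: str, dst: str):
    """Evaluate classifiers in ascending precedence; the first classifier whose ACL
    permits the packet decides the behavior. None: no hit, plain forwarding."""
    for acl_number, behavior, _ in sorted(policy, key=lambda c: c[2]):
        if acl_action(acl_number, src, dst) == "permit":
            return behavior
    return None

if __name__ == "__main__":
    ipsec_flow = ("172.16.1.5", "172.16.17.9")     # constructed packet in ACL 3000's range
    internet_flow = ("172.16.1.5", "203.0.113.7")  # constructed packet that should be NATed
    print("before fix, IPsec flow ->", apply_policy(POLICY_BEFORE_FIX, *ipsec_flow))
    print("p1, IPsec flow         ->", apply_policy(POLICY_P1, *ipsec_flow))
    print("p1, Internet flow      ->", apply_policy(POLICY_P1, *internet_flow))
```

Before the fix the IPsec flow lands in the NAT behavior, which is consistent with an encrypted-packet count of 0; with p1 it hits the permit behavior while other traffic from 172.16.0.0/20 and 192.168.0.0/16 is still NATed.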
