Device model: NE20E-S4
Software version: V800R008C10SPC500
Symptom: An IPsec tunnel is set up on an NE20E-S, but services fail to be forwarded.
1. Run the display ipsec sa command to check the IPsec SA information. It is found that the IPsec tunnel has been set up and flow negotiation is complete.
2. Run the display ipsec statistics command to check IPsec statistics. It is found that the number of encrypted packets in the outbound direction is 0.
3. Check the ACL configuration to determine whether a traffic filter policy is configured and whether the flows to be encapsulated are not successfully transmitted to the IPsec. It is found that an ACL that matches the same IPsec flow but has a deny action exists.
4. Check the routes to the IPsec flow source network segment. It is found that a traffic policy matching ACL 3001 is configured on the interface.
A traffic policy is configured on the NE20E interface through which the routes to the IPsec flow source network segment are reached, and the data flows to be encrypted are discarded by that policy.
For NE series routers, traffic hitting an ACL is discarded so long as the ACL action is deny.
Create a pair of traffic classifiers and traffic behaviors in the traffic policy, with the ACL action set to permit for the IPsec flows, and give that classifier the higher precedence so the IPsec flows hit it before the NAT classifier. This allows NAT not to be applied to the IPsec data flows to be encrypted.
Detailed configuration is as follows:
acl number 3000
 rule 5 permit ip source 172.16.0.0 0.0.15.255 destination 172.16.16.0 0.0.15.255
acl number 3001
 rule 0 permit ip source 192.168.0.0 0.0.255.255
 rule 2 permit ip source 172.16.0.0 0.0.15.255
traffic classifier c0 operator or
 if-match acl 3000
traffic classifier c1 operator or
 if-match acl 3001
traffic behavior b0
traffic behavior b1
 nat bind instance nat1
traffic policy p1
 classifier c0 behavior b0 precedence 1
 classifier c1 behavior b1 precedence 2
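To verify that the precedence ordering actually keeps the IPsec flows away from the NAT behavior, the following added example (not Huawei's code, and not part of the original case) models the ACLs and traffic policy above and evaluates which behavior a given flow hits. It assumes simplified VRP semantics: wildcard-mask matching, and the lowest-precedence classifier whose ACL permits the flow wins. The pre-fix policy (only c1/b1) is assumed from the root-cause description, since the page only shows the fixed configuration.

```python
import ipaddress

# ACLs from the page: (action, src, src_wildcard, dst, dst_wildcard); None = any.
ACLS = {
    3000: [("permit", "172.16.0.0", "0.0.15.255", "172.16.16.0", "0.0.15.255")],
    3001: [("permit", "192.168.0.0", "0.0.255.255", None, None),
           ("permit", "172.16.0.0", "0.0.15.255", None, None)],
}

# Traffic policy entries: (precedence, classifier, acl, behavior, nat_instance).
FIXED_POLICY = [(1, "c0", 3000, "b0", None),      # empty behavior: no NAT
                (2, "c1", 3001, "b1", "nat1")]    # NAT-bound behavior
# Assumed pre-fix policy: only the NAT classifier existed (constructed).
BEFORE_POLICY = [(2, "c1", 3001, "b1", "nat1")]


def wildcard_match(addr, base, wildcard):
    """ACL wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    if base is None:
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def acl_action(acl_id, src, dst):
    """First matching rule decides, as on the device; None if no rule hits."""
    for action, s, sw, d, dw in ACLS[acl_id]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return None


def behavior_for_flow(src, dst, policy):
    """Return (behavior, nat_instance) for the first classifier, by precedence,
    whose ACL permits the flow; (None, None) if nothing matches."""
    for _, _, acl, behavior, nat in sorted(policy):
        if acl_action(acl, src, dst) == "permit":
            return behavior, nat
    return None, None


def flow_is_natted(src, dst, policy):
    """True when the flow lands on a behavior bound to a NAT instance."""
    return behavior_for_flow(src, dst, policy)[1] is not None


if __name__ == "__main__":
    for pol, name in ((BEFORE_POLICY, "before"), (FIXED_POLICY, "after")):
        print(name, "IPsec flow NATted:", flow_is_natted("172.16.1.10", "172.16.20.5", pol))
```

Flows that ACL 3000 does not describe (for example 172.16.1.10 to 10.0.0.1) still fall through to c1/b1 and are translated, which is the intended behavior for non-IPsec traffic.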