No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>


To have a better experience, please upgrade your IE browser.


The USG6330 Failed to Establish an IPSec over GRE Tunnel with the NE40E

Publication Date:  2015-11-02 Views:  1337 Downloads:  0
Issue Description
The NE40E functions as the headquarters gateway. IPSec is configured in template mode. The USG6330 functions as a branch gateway. The USG6330 fails to establish an IPSec over GRE tunnel with the NE40E, but the gateway firewalls at other branches can establish IPSec over GRE tunnels with the NE40E.
Handling Process
Step 1 Check whether IPSec parameters on both ends are consistent.

Default parameters on the headquarters NE40E cannot be displayed. Therefore, you need to compare the IPSec parameters of other branches. The comparison result indicates that:
The IKE proposal of a reachable branch is as follows:

ike proposal 10 
encryption-algorithm aes-cbc 256

The IKE proposal of an unreachable USG6330 is as follows:

ike proposal 10 
encryption-algorithm aes-cbc 128

The encryption algorithms in the IKE proposals are different. Then change the encryption algorithm of the IKE proposal on the USG6330 to encryption-algorithm aes-cbc 256.

Step 2 After the encryption algorithm is changed, the problem persists. The comparison finds all the other parameters consistent. Therefore, display the session table or enable debugging for further diagnosis.

<USG6300>display firewall session table verbose destination-port 500
15:26:21  2015/04/29
Current Total Sessions : 1
udp  VPN:public --> public  ID: a48f3fd220f307ccb5540f049
Zone: local--> untrust  TTL: 00:02:00  Left: 00:01:47  
Output-interface: GigabitEthernet1/0/0  NextHop:  MAC: e4-68-a3-53-8d-e0
  <--packets:171 bytes:28856   -->packets:171 bytes:41696[]-->

The session table indicates that when the USG6330 attempts to establish an IPSec tunnel, port 500 is translated to port 2050. Because of this, the IPSec tunnel cannot be establsihed. Check the USG6330 configurations. An unnecessary NAT policy is found. Actually, the customer does not need to access the Internet, and the NAT policy is unnecessary. After this NAT policy is deleted, the IPSec over GRE tunnel can be established.

rule name GuideNat1429872189263 
egress-interface GigabitEthernet1/0/0 
action nat easy-ip

Root Cause
A NAT policy is configured on the USG6330. Therefore, the source port of the IPSec tunnel is translated to another port.
If the NAT policy is not required, delete it to resolve the problem.

If the intranet needs to access the Internet and a NAT policy is mandatory, you are advised to specify the zone and source address when configuring the NAT policy.
Apart from IPSec parameter inconsistency, the NAT or routing policy is also a common cause of IPSec tunnel failure. After verifying IPSec parameters, you can display the session table or enable debugging to further diagnose the fault.