spi: 118757629 (0x71418fd)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
in use setting: Tunnel
connection id: 1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/965
anti-replay detection: Enabled
anti-replay window size(counter based): 32
udp encapsulation used for nat traversal: N
communication entity: Responder
status: --
Troubleshooting IKEv2
To troubleshoot IKEv2, use the following command to enable IKEv2 error debugging.
<Sysname> debugging ikev2 error
No matching IKEv2 proposal found
Symptom
The two peers find no matching IKEv2 proposal.
Analysis
At the IKE_SA_INIT exchange phase, two peers must have a matching IKEv2 proposal.
Solution
Verify that the IKEv2 proposals of the peers' IKEv2 policies have a set of matching algorithms,
including the encryption algorithm, integrity protection algorithm, PRF algorithm, and DH group.
IPsec tunnels cannot be set up
Symptom
In an unstable network environment, the expected IPsec tunnels cannot be set up or do not operate
correctly.
Analysis
If the two peers have the correct ACLs and a matching IKEv2 proposal, it is most likely that the
tunnels have been set up but the device at one end restarted, resulting in unmatched IKEv2 SAs or
IPsec SAs.
Solution
Use the display ikev2 sa command to check whether the expected IKEv2 SAs have been set up:
• If only one end has IKEv2 SAs, use the reset ikev2 sa command to clear the existing IKE SAs
and then trigger a new IKEv2 negotiation.
• If both ends have IKEv2 SAs and the IKEv2 SAs of the two ends match (established based on
the same IKEv2 negotiations), use the display ipsec sa command to verify that IPsec SAs
have been set up. If only one end has IPsec SAs, use the reset ipsec sa command to clear the
existing IPsec SAs and then trigger a new negotiation.
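The comparison in the last step (do the IPsec SAs on the two ends belong to the same negotiation?) can be automated once both peers' `display ipsec sa` output has been collected. The following Python script is an added example, not part of the guide or of the device software: it parses records in the field layout shown above (`spi`, `proposal`, `sa remaining duration (kilobytes/sec)`, `anti-replay detection`, ...) and reports SPIs that exist on one end only. Every SA is shared by the two peers (one end's inbound SPI is the other end's outbound SPI), so a healthy pair has no leftover SPIs. The peer outputs are constructed samples; the SPI from the display output above is reused, and the other SPI values are made up.

```python
"""Parse `display ipsec sa` records and compare the IPsec SAs held by two peers.

Added example (not from the guide). The record layout mirrors the display
output fields shown above; the two peer outputs at the bottom are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class EspSa:
    spi: int            # decimal SPI; the hex copy in parentheses is ignored
    proposal: str       # e.g. "ESP-ENCRYPT-DES ESP-AUTH-SHA1"
    mode: str           # "in use setting": Tunnel or Transport
    remaining_kb: int   # from "sa remaining duration (kilobytes/sec)"
    remaining_sec: int
    anti_replay: bool
    window: int
    nat_traversal: bool
    entity: str         # "communication entity": Initiator or Responder


def _split_pair(value: str) -> tuple[int, int]:
    """'1843199/965' -> (1843199, 965)."""
    kb, sec = value.split("/")
    return int(kb), int(sec)


def parse_display_ipsec_sa(text: str) -> list[EspSa]:
    """Group 'key: value' lines into records; each 'spi:' line starts a new record."""
    raw = []
    current = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines and headings carry no field
        key, value = key.strip().lower(), value.strip()
        if key == "spi":
            current = {}
            raw.append(current)
        if current is not None:
            current[key] = value
    sas = []
    for r in raw:
        rem_kb, rem_sec = _split_pair(r["sa remaining duration (kilobytes/sec)"])
        sas.append(EspSa(
            spi=int(r["spi"].split()[0]),
            proposal=r["proposal"],
            mode=r["in use setting"],
            remaining_kb=rem_kb,
            remaining_sec=rem_sec,
            anti_replay=r["anti-replay detection"] == "Enabled",
            window=int(r["anti-replay window size(counter based)"]),
            nat_traversal=r["udp encapsulation used for nat traversal"] == "Y",
            entity=r["communication entity"],
        ))
    return sas


def unmatched_spis(peer_a: list[EspSa], peer_b: list[EspSa]) -> list[int]:
    """SPIs seen on exactly one peer: leftovers from an SA the other end no longer has."""
    return sorted({s.spi for s in peer_a} ^ {s.spi for s in peer_b})


def diagnose(peer_a: list[EspSa], peer_b: list[EspSa]) -> str:
    """Apply the IPsec SA part of the checklist above to two parsed outputs."""
    if not peer_a and not peer_b:
        return "no-ipsec-sa"    # nothing negotiated yet: check ACLs and IKEv2 SAs first
    if not peer_a or not peer_b:
        return "one-side-only"  # reset ipsec sa on the end holding SAs, then renegotiate
    if unmatched_spis(peer_a, peer_b):
        return "stale-sa"       # at least one end keeps SAs from an earlier negotiation
    return "matched"


def sample_record(spi: int, entity: str, remaining_sec: int = 965) -> str:
    """Constructed record in the field layout of the display output above."""
    return "\n".join([
        f"spi: {spi} (0x{spi:x})",
        "proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1",
        "in use setting: Tunnel",
        "connection id: 1",
        "sa duration (kilobytes/sec): 1843200/3600",
        f"sa remaining duration (kilobytes/sec): 1843199/{remaining_sec}",
        "anti-replay detection: Enabled",
        "anti-replay window size(counter based): 32",
        "udp encapsulation used for nat traversal: N",
        f"communication entity: {entity}",
        "status: --",
    ])


# Constructed outputs: the two ends share SPI 118757629 (the value shown above), but each
# also holds one SA the other end does not know about, as after a restart on one side.
PEER_A = "\n".join([sample_record(118757629, "Responder"), sample_record(979053597, "Responder")])
PEER_B = "\n".join([sample_record(118757629, "Initiator"), sample_record(729683222, "Initiator")])

if __name__ == "__main__":
    a, b = parse_display_ipsec_sa(PEER_A), parse_display_ipsec_sa(PEER_B)
    print("peer A SPIs:", [hex(s.spi) for s in a])
    print("peer B SPIs:", [hex(s.spi) for s in b])
    print("unmatched:", [hex(x) for x in unmatched_spis(a, b)])
    print("diagnosis:", diagnose(a, b))
```

Run it against the outputs pasted from both peers; a `stale-sa` or `one-side-only` result is the case where `reset ipsec sa` followed by a fresh negotiation is the documented remedy, while `matched` means the IPsec SAs are not the cause and the IKEv2 SAs or the ACLs need a closer look.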