Huawei V200R001C01 - Page 358

Huawei V200R001C01
391 pages
NOTE
Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault,
you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check whether the interfaces at both ends of the IPSec tunnel can ping each other.
Run the undo ipsec policy command on the Router interfaces at both ends of the IPSec tunnel
to delete IPSec policies. Run the ping command to check whether the ping operation succeeds.
- If the ping operation fails, check whether there are routes to the peer ends in the routing
  tables at both ends according to 7.1.1 The Ping Operation Fails.
- If the ping operation succeeds, there are reachable routes at both ends of the IPSec tunnel.
  Reconfigure the IPSec policies on interfaces at both ends, and go to step 2.
Step 2 Check whether data flows protected by the IPSec tunnel can be forwarded by a specified
interface.
Ensure that outgoing data flows are sent by the interface to which the IPSec policy is applied.
The operations are as follows:
- Run the display ip routing-table command on both devices to view the routes to each other.
  Check whether the outbound interface in a route with a reachable next hop is the specified
  interface. If the outbound interface is not the specified interface, modify the routing
  configuration according to Huawei AR2200-S Series Enterprise Routers Configuration
  Guide - IP Routing.
- Run the display arp command on both devices to check whether the interface in the ARP
  entry matching the peer IP address is the specified interface. If not, run the reset arp
  command to delete the ARP entry from the ARP mapping table.
If data flows protected by the IPSec tunnel are forwarded by a specified interface, go to step 3.
Step 3 Check whether the settings of IPSec proposals at both ends of the IPSec tunnel are the same.
Run the display ipsec proposal command on both devices to check the following fields.
| Field | Check Standard and Operation |
| --- | --- |
| IPsec Proposal Name | The IPSec proposals bound to IPSec policies at both ends must be the same. If not, run the ipsec proposal command to change the IPSec proposal names to be the same. |
| Encapsulation Mode | The encapsulation modes must be the same. If not, run the encapsulation-mode { transport \| tunnel } command to change the encapsulation modes to be the same. |
| Transform | The IPSec protocols must be the same. If not, run the transform { ah \| esp \| ah-esp } command to change the IPSec protocols to be the same. |
| AH Protocol | The authentication algorithms used by the AH protocol must be the same. If not, run the ah authentication-algorithm { md5 \| sha1 } command to change the authentication algorithms to be the same. |
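The Step 3 comparison can be scripted once the display ipsec proposal output from both routers has been saved, as the NOTE recommends. The following Python code is an added example, not part of the Huawei manual: the captures in SAMPLE_A and SAMPLE_B are constructed, their "Field : value" layout with one proposal per capture is an assumption based on the field names in the table above, and parse_proposal and compare_proposals are hypothetical helper names.

```python
# Fields from the Step 3 table, mapped to the command the table gives for fixing a mismatch.
FIX_COMMAND = {
    "ipsec proposal name": "ipsec proposal",
    "encapsulation mode": "encapsulation-mode { transport | tunnel }",
    "transform": "transform { ah | esp | ah-esp }",
    "ah protocol": "ah authentication-algorithm { md5 | sha1 }",
}

# Constructed captures; the "Field : value" layout is an assumption, not real device output.
SAMPLE_A = """\
IPsec Proposal Name: prop1
 Encapsulation Mode: Tunnel
 Transform         : ah
 AH Protocol       : Authentication MD5
"""
SAMPLE_B = """\
IPsec Proposal Name: prop1
 Encapsulation Mode: Transport
 Transform         : ah
 AH Protocol       : Authentication SHA1
"""

def parse_proposal(text):
    """Return {normalized field name: value} for the fields listed in the Step 3 table."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        key = " ".join(name.split()).lower()  # collapse padding, ignore case
        if sep and key in FIX_COMMAND:
            fields[key] = value.strip()
    return fields

def compare_proposals(text_a, text_b):
    """List (field, value_a, value_b, fix_command) for each field that differs between ends."""
    a, b = parse_proposal(text_a), parse_proposal(text_b)
    mismatches = []
    for key, command in FIX_COMMAND.items():
        va, vb = a.get(key), b.get(key)
        if va is None and vb is None:
            continue  # field shown on neither end, nothing to compare
        # A field present on only one end counts as a mismatch.
        if va is None or vb is None or va.lower() != vb.lower():
            mismatches.append((key, va, vb, command))
    return mismatches

if __name__ == "__main__":
    for field, va, vb, command in compare_proposals(SAMPLE_A, SAMPLE_B):
        print(f"{field}: {va!r} != {vb!r} -> fix with: {command}")
```

An empty result means the four listed fields match at both ends; fields the table does not list are ignored.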
Huawei AR2200-S Series Enterprise Routers
Troubleshooting 12 VPN
Issue 01 (2012-01-06) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
349