• If the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other,
  go to step 6.
Step 6 Collect the following information and contact Huawei technical support personnel.
• Results of the preceding troubleshooting procedure
• Configuration files, log files, and alarm files of the AR2200-S
----End
Relevant Alarms and Logs
Relevant Alarms
None.
Relevant Logs
None.
12.2.2 SAs Fail to Be Established by Using IKE Negotiation
Common Causes
This fault is commonly caused by one of the following:
• The link is faulty.
• Data flows are not forwarded from a specified interface.
• Data flows do not match the ACL.
• The settings of IPSec proposals at both ends of the IPSec tunnel are different.
• The settings of IPSec policies at both ends of the IPSec tunnel do not match. For example,
  the IPSec negotiation modes are different or the Perfect Forward Secrecy (PFS) settings
  are different.
• The ACLs referenced by IPSec policies at both ends do not mirror each other.
• The settings of IKE proposals at both ends of the IPSec tunnel are different.
• The settings of IKE peers at both ends of the IPSec tunnel are different. For example, IKE
  negotiation modes are different, IKE versions are incorrect, IP addresses of IKE peers do
  not match, or names of IKE peers do not match.
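The mirrored-ACL cause in the list above can be checked offline by comparing the ACL sections of both peers' configuration files. The following Python script is an added example, not part of the Huawei manual: it assumes rules written as `rule <id> permit|deny <protocol> source <address> <wildcard> destination <address> <wildcard>`, the function names are hypothetical, and the two sample ACLs are constructed.

```python
import ipaddress
import re

# Assumed rule form: "rule 5 permit ip source A WILDCARD destination B WILDCARD".
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(permit|deny)\s+(\S+)"
    r"\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def _net(addr, wildcard):
    """Turn an address and a contiguous wildcard mask into an IPv4 network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be contiguous from the right
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - w.bit_length()))

def parse_acl(text):
    """Return the set of (action, protocol, source, destination) flows."""
    flows = set()
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            action, proto, s, sw, d, dw = m.groups()
            flows.add((action, proto, _net(s, sw), _net(d, dw)))
    return flows

def mirror_mismatches(local_text, remote_text):
    """Compare the remote ACL against the mirror image of the local ACL."""
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    expected = {(a, p, dst, src) for a, p, src, dst in local}
    return {
        "missing_on_remote": sorted(expected - remote, key=str),
        "unexpected_on_remote": sorted(remote - expected, key=str),
    }

# Constructed sample ACLs (not taken from any real device).
SITE_A = """acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"""
SITE_B = """acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.0.0 0.0.255.255"""

if __name__ == "__main__":
    for kind, flows in mirror_mismatches(SITE_A, SITE_B).items():
        for action, proto, src, dst in flows:
            print(f"{kind}: {action} {proto} {src} -> {dst}")
```

In the sample, site B uses a wider destination wildcard than site A's source, so the rule is reported as both missing and unexpected even though the address ranges overlap.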
Troubleshooting Flowchart
IPSec is configured to establish SAs by using IKE negotiation, but it cannot protect data.
Figure 12-6, Figure 12-7, and Figure 12-8 show the troubleshooting flowcharts.
Huawei AR2200-S Series Enterprise Routers
Troubleshooting 12 VPN
Issue 01 (2012-01-06) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.