NOTE
If IKEv1 is used at both ends, run the display ike sa command to view information about IKE SAs. If IKEv2 is used at both ends, run the display ike sa v2 command to view information about IKE SAs.
- If the IPSec SA and IKE SA are established successfully, go to step 2.
- If the IPSec SA fails to be established but the IKE SA is established successfully, go to step 4.
- If the IKE SA fails to be established, go to step 6.
Step 2 Check whether data flows protected by the IPSec tunnel can be forwarded by a specified interface.
Ensure that outgoing data flows are sent by the interface to which the IPSec policy is applied. The operations are as follows:
- Run the display ip routing-table command on both devices to view the routes to each other. Check whether the outbound interface in a route with a reachable next hop is the specified interface. If the outbound interface is not the specified interface, modify the routing configuration according to Huawei AR2200-S Series Enterprise Routers Configuration Guide - IP Routing.
- Run the display arp command on both devices to check whether the interface in the ARP entry matching the peer IP address is the specified interface. If not, run the reset arp command to delete the ARP entry from the ARP mapping table.
If data flows protected by the IPSec tunnel are forwarded by a specified interface, go to step 3.
Step 3 Check whether data flows match the ACL.
Analyze the source and destination IP addresses and port numbers of data flows to check whether the data flows match the ACL referenced by the IPSec policy.
- If the data flows do not match the ACL, they cannot enter the IPSec tunnel. Instead, the data flows are forwarded directly. To modify the matching rule, see Huawei AR2200-S Series Enterprise Routers Configuration Guide - IPSec.
- If the data flows match the ACL, go to step 10.
Step 4 Check whether the settings of IPSec proposals at both ends of the IPSec tunnel are the same.
Run the display ipsec proposal command on both devices to check the following fields.

Field: IPSec Proposal Name
Check Standard and Operation: The IPSec proposals bound to IPSec policies at both ends must be the same. If not, run the ipsec proposal command to change the IPSec proposal names to be the same.

Field: Encapsulation Mode
Check Standard and Operation: The encapsulation modes must be the same. If not, run the encapsulation-mode { transport | tunnel } command to change the encapsulation modes to be the same.

Field: Transform
Check Standard and Operation: The IPSec protocols must be the same. If not, run the transform { ah | esp | ah-esp } command to change the IPSec protocols to be the same.

Field: AH Protocol
Check Standard and Operation: The authentication algorithms used by the AH protocol must be the same. If not, run the ah authentication-algorithm { md5 | sha1 } command to change the authentication algorithms to be the same.
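The Step 4 comparison, as an added Python example (not Huawei's code): it parses the proposal fields of both ends and reports each mismatch together with the command from the table that corrects it. The two text blocks are constructed stand-ins for the display ipsec proposal output of each router (the real output layout differs), so the parser only assumes simple "key: value" lines.

```python
"""Compare IPSec proposal parameters of both tunnel ends (Step 4 check)."""
import re

# Fields from the check table, mapped to the command that changes them.
CHECKS = {
    "name": "ipsec proposal <name>",
    "encapsulation mode": "encapsulation-mode { transport | tunnel }",
    "transform": "transform { ah | esp | ah-esp }",
    "ah authentication algorithm": "ah authentication-algorithm { md5 | sha1 }",
}

# Constructed sample output for the local and remote routers (not real CLI output).
LOCAL = """\
name: prop1
encapsulation mode: tunnel
transform: ah
ah authentication algorithm: sha1
"""
REMOTE = """\
name: prop1
encapsulation mode: transport
transform: ah
ah authentication algorithm: md5
"""


def parse_proposal(text):
    """Turn 'key: value' lines into a dict keyed by the lowercase field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def compare_proposals(local_text, remote_text):
    """Return (field, local_value, remote_value, fix_command) for every mismatch."""
    local, remote = parse_proposal(local_text), parse_proposal(remote_text)
    # The AH algorithm only matters when both ends actually use the AH protocol.
    uses_ah = "ah" in local.get("transform", "") and "ah" in remote.get("transform", "")
    mismatches = []
    for field, fix in CHECKS.items():
        if field == "ah authentication algorithm" and not uses_ah:
            continue
        lv, rv = local.get(field), remote.get(field)
        if lv != rv:
            mismatches.append((field, lv, rv, fix))
    return mismatches


if __name__ == "__main__":
    for field, lv, rv, fix in compare_proposals(LOCAL, REMOTE):
        print(f"{field}: local={lv!r} remote={rv!r}; fix with '{fix}'")
```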
Huawei AR2200-S Series Enterprise Routers
Troubleshooting 12 VPN
Issue 01 (2012-01-06) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.