Field: ESP protocol
Check Standard and Operation: The authentication algorithm and encryption algorithm used by the ESP protocol at both ends must be the same. If not, run the esp authentication-algorithm [ md5 | sha1 ] command to change the authentication algorithm, or run the esp encryption-algorithm [ 3des | des | aes-128 | aes-192 | aes-256 ] command to change the encryption algorithm.
If the settings of IPSec protocols at both ends are the same, go to step 5.
Step 5 Check whether the automatic mode of triggering ISAKMP SAs is used.
Run the display ipsec policy command on the remote device to check whether the value of SA
trigger mode is Automatic. If the IPSec policy on the local device is configured by using an
IPSec policy template or the traffic-based triggering mode is used, the local device does not
initiate negotiation. The remote device must initiate negotiation and the automatic mode must
be used.
- If the automatic mode is not used, run the sa trigger-mode auto command to change the mode.
- If the automatic mode is used, go to step 6.
Step 6 Check whether the settings of IPSec policies at both ends of the IPSec tunnel match.
Check Item: Whether the ACLs at both ends mirror each other
Check Standard and Operation:
NOTE
If an IPSec policy template is used, you can choose to configure ACLs. If the ACLs are configured, ensure that the ACLs at both ends mirror each other.
You are advised not to configure ACLs if an IPSec policy template is used.
If ACLs are configured, run the display acl command on both routers. If the following information is displayed, the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other.
# Display the ACL configuration on Router A.
<Router A>display acl 3101
Advanced ACL 3101, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
# Display the ACL configuration on Router B.
<Router B>display acl 3101
Advanced ACL 3101, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
If the ACLs do not mirror each other, change the ACL at the remote end.
Check Item: Diffie-Hellman (DH) group
Check Standard and Operation: If PFS is specified on the local device, PFS must be specified on the remote device. The two ends must use the same DH group; otherwise, IKE negotiation fails. Run the display ipsec policy command to view the Perfect Forward Secrecy field.
If the DH groups at both ends are different, run the pfs { dh-group1 | dh-group2 } command to change the DH groups to be the same.
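The checks in this table (ESP algorithms, ACL mirroring, and PFS/DH group) can be scripted against output copied from both routers. The following is an added example, not Huawei code: it parses display acl output in the format shown above (the sample text is constructed, including the wrapped rule line as it appears in the manual) and reports whether the two ends mirror each other; the esp_auth, esp_enc and pfs keys of the parameter dictionaries are assumed names for values read from display ipsec policy.

```python
import re

# Constructed sample output in the format shown on this page; not captured from a real device.
ROUTER_A_ACL = """Advanced ACL 3101, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
"""
ROUTER_B_ACL = """Advanced ACL 3101, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0
0.0.0.255
"""

# \s+ between fields tolerates the line wrap after "destination <addr>" seen in printed output.
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


def parse_rules(output):
    """Return a set of (src, src_wildcard, dst, dst_wildcard) tuples from display acl output."""
    return {m.groups() for m in RULE_RE.finditer(output)}


def acls_mirror(local_output, remote_output):
    """True when every local rule has a remote counterpart with source and destination swapped."""
    mirrored = {(dst, dwc, src, swc) for (src, swc, dst, dwc) in parse_rules(local_output)}
    return mirrored == parse_rules(remote_output)


def ipsec_params_match(local, remote):
    """Compare the per-end settings checked in this section; return a list of mismatch messages.

    Keys (assumed names): esp_auth, esp_enc, pfs (DH group or None when PFS is not set).
    """
    problems = []
    for key in ("esp_auth", "esp_enc", "pfs"):
        if local.get(key) != remote.get(key):
            problems.append(f"{key}: local={local.get(key)} remote={remote.get(key)}")
    return problems


if __name__ == "__main__":
    print("ACLs mirror each other:", acls_mirror(ROUTER_A_ACL, ROUTER_B_ACL))
    print(ipsec_params_match({"esp_auth": "sha1", "esp_enc": "aes-256", "pfs": "dh-group2"},
                             {"esp_auth": "md5", "esp_enc": "aes-256", "pfs": None}))
```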
Huawei AR2200-S Series Enterprise Routers
Troubleshooting 12 VPN
Issue 01 (2012-01-06) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
363