Huawei V200R001C01 - Page 389

incoming decapsulated packets. The packets sent from PC A to PC B may not enter the
IPSec tunnel after being sent out from Router A.
2. Run the display ipsec sa policy command on Router A and Router B to check the
configuration of the IPSec SAs. Inbound and outbound IPSec SAs are generated at both
ends, the protocol types of the IPSec SAs at both ends are the same, and the SPIs, encryption
modes, and authentication keys at both ends match. The SAs are correct.
3. Run the display ipsec policy command to check the ACL referenced by the IPSec policy
on Router A. ACL 3101 is applied to Router A and Router B. Then run the display
acl 3101 command to check the ACL rule. The ACLs at both ends are the same.
<Router A> display acl 3101
Advanced ACL 3101, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (0 times matched)
<Router B> display acl 3101
Advanced ACL 3101, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (0 times matched)
Procedure
Step 1 Run the system-view command on Router A to enter the system view.
Step 2 Run the acl 3101 command to enter the view of ACL 3101.
Step 3 Run the undo rule 5 and rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255 commands to ensure that the ACLs referenced by IPSec policies on Router A and
Router B mirror each other.
Step 4 Run the return command to return to the user view, and then run the save command to save the
configuration.
Step 5 After the preceding operations are complete, run the display ipsec statistics ah/esp command
to view the statistics. The fault is rectified.
----End
Summary
When deploying IPSec services, ensure that flows entering the IPSec tunnel match the ACLs
referenced by the IPSec policies, and that the ACLs referenced by the IPSec policies at both
ends of the IPSec tunnel mirror each other.
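The mirror requirement in the Summary can be checked mechanically from the display acl output of both routers. The following Python sketch is an added example, not part of the Huawei manual: the function names are hypothetical, the corrected Router A output is constructed from the rule in Step 3, and only the network-plus-wildcard rule form shown on this page is parsed.

```python
import re

# Rule lines as printed by "display acl" on this page, e.g.
# "rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+(\S+)\s+"
    r"source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def parse_rules(display_output):
    """Return {(action, protocol, (src, wildcard), (dst, wildcard))}; rule IDs are ignored."""
    rules = set()
    for action, proto, src, sw, dst, dw in RULE_RE.findall(display_output):
        rules.add((action, proto, (src, sw), (dst, dw)))
    return rules

def mirror(rule):
    """Swap source and destination, as the peer's ACL must express the flow."""
    action, proto, src, dst = rule
    return (action, proto, dst, src)

def check_mirrored(local_output, peer_output):
    """Return (ok, problems). Every rule on one end needs its mirror on the other."""
    local, peer = parse_rules(local_output), parse_rules(peer_output)
    problems = [("local rule has no mirror on peer", r)
                for r in sorted(local) if mirror(r) not in peer]
    problems += [("peer rule has no mirror on local", r)
                 for r in sorted(peer) if mirror(r) not in local]
    return (not problems, problems)

# Output shown on this page: both routers carry the same rule (the fault).
ROUTER_B = """Advanced ACL 3101, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (0 times matched)
"""
ROUTER_A_BEFORE = ROUTER_B

# Constructed sample: Router A after Step 3 of the procedure.
ROUTER_A_AFTER = """Advanced ACL 3101, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (0 times matched)
"""

if __name__ == "__main__":
    for label, out in (("before", ROUTER_A_BEFORE), ("after", ROUTER_A_AFTER)):
        ok, problems = check_mirrored(out, ROUTER_B)
        print(label, "mirrored" if ok else "NOT mirrored", problems)
```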
Both Peers Cannot Negotiate the SA When an IPSec Policy Template Is Used
Fault Symptom
As shown in Figure 12-19, an IPSec policy is applied to GE1/0/0 on Router A and an IPSec
policy configured by using an IPSec policy template is used on Router B. The data flows
transmitted between PC A and PC B are protected and the tunnel is used to encapsulate IP
packets. After the configuration is complete, no SA is generated by using IKE negotiation.
Huawei AR2200-S Series Enterprise Routers
Troubleshooting 12 VPN
Issue 01 (2012-01-06) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.