Huawei V200R001C01 Troubleshooting Manual page 379
Huawei AR2200-S Series Enterprise Routers
Troubleshooting
Issue 01 (2012-01-06)

(Table continued from the previous page: IPSec proposal settings)

Field: ESP Protocol
Check Standard and Operation: The authentication algorithm and encryption algorithm used by the ESP protocol at both ends must be the same. If not, run the ah authentication-algorithm { md5 | sha1 } command to change the authentication algorithm or run the esp encryption-algorithm [ 3des | des | aes-128 | aes-192 | aes-256 ] command to change the encryption algorithm.

If the settings of IPSec proposals at both ends of the IPSec tunnel are the same and ESP is used, go to step 5.

Step 5 Check whether the settings of IPSec policies at both ends of the IPSec tunnel match.

Check Item: IPSec negotiation mode
Check Standard and Operation: Run the display ipsec policy brief command to view the Mode field. If the IPSec negotiation modes at both ends are different, run the ipsec policy isakmp command to change the IPSec negotiation modes to be the same.

Check Item: Diffie-Hellman (DH) group
Check Standard and Operation: If PFS is specified on the local device, PFS must be specified on the remote device. The two ends must use the same DH group; otherwise, IKE negotiation fails. Run the display ipsec policy command to view the Perfect Forward Secrecy field. If the DH groups at both ends are different, run the pfs { dh-group1 | dh-group2 } command to change the DH groups to be the same.

If the settings of IPSec policies at both ends of the IPSec tunnel match, go to step 6.

Step 6 Check whether the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other.

Run the display acl command on the Router. If the following information is displayed, the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other.

# Display the ACL configuration on RouterA.
<Router A>display acl 3101
Advanced ACL 3101, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

# Display the ACL configuration on RouterB.
<Router B>display acl 3101
Advanced ACL 3101, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

NOTE
If an IPSec policy template is used, you can choose to configure ACLs. If the ACLs are configured, ensure that the ACLs at both ends mirror each other.
You are advised not to configure ACLs if an IPSec policy template is used.

If the ACLs referenced by IPSec policies at both ends of the IPSec tunnel do not mirror each other, modify the configuration according to Huawei AR2200-S Series Enterprise Routers Configuration Guide - IPSec.
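An offline check of the Step 5 and Step 6 conditions, added here as example code that is not part of the manual: it parses display acl output captured from both routers and lists local rules that have no mirrored counterpart on the peer. The sample outputs are constructed from the ones shown above, and policy_mismatches together with its dict keys is a hypothetical helper, not a device command.

```python
import re

# Constructed sample output, modelled on the "display acl 3101" output shown
# in Step 6 above; not captured from a real device.
ROUTER_A_ACL = """Advanced ACL 3101, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""
ROUTER_B_ACL = """Advanced ACL 3101, 1 rule
Acl's step is 5
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""

# One advanced ACL rule line: "any" carries no wildcard mask, an address does.
RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+(\S+)\s+source\s+(any|\S+\s+\S+)"
    r"\s+destination\s+(any|\S+\s+\S+)"
)

def parse_rules(acl_output):
    """Return the set of (action, protocol, source, destination) tuples found."""
    return {m.groups() for m in RULE_RE.finditer(acl_output)}

def mirror(rule):
    """Swap source and destination: what the peer's matching rule should say."""
    action, proto, src, dst = rule
    return (action, proto, dst, src)

def unmirrored_rules(local_output, remote_output):
    """Local rules with no mirrored counterpart on the remote end (empty when OK)."""
    remote_mirrored = {mirror(r) for r in parse_rules(remote_output)}
    return sorted(parse_rules(local_output) - remote_mirrored)

def acls_mirror(local_output, remote_output):
    """True when the two ACLs mirror each other exactly, as Step 6 requires."""
    return parse_rules(local_output) == {mirror(r) for r in parse_rules(remote_output)}

def policy_mismatches(local_policy, remote_policy):
    """Hypothetical helper for Step 5: fields whose values differ between the peers.
    The dict keys (e.g. "mode", "pfs") are chosen here; they are not device output."""
    keys = set(local_policy) | set(remote_policy)
    return sorted(k for k in keys if local_policy.get(k) != remote_policy.get(k))

if __name__ == "__main__":
    print("ACLs mirror:", acls_mirror(ROUTER_A_ACL, ROUTER_B_ACL))
    print("Unmirrored local rules:", unmirrored_rules(ROUTER_A_ACL, ROUTER_B_ACL))
    print("Policy mismatches:", policy_mismatches(
        {"mode": "isakmp", "pfs": "dh-group2"}, {"mode": "isakmp", "pfs": "dh-group1"}))
```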
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
12 VPN
370