Failing To Establish An Ipsec Tunnel; Acl Configuration Error - HP 5500 HI Series Configuration Manual
Security
Hide thumbs
Also See for 5500 HI Series:
- Installation manual (72 pages) ,
- Compliance and safety manual (62 pages) ,
- Quickspecs (35 pages)
Table of Contents
Advertisement
Solution
For the negotiation in phase 1, look up the IKE proposals for a match. For the negotiation in phase 2,
check whether the parameters of the IPsec policies applied on the interfaces are matched, and whether
the referred IPsec proposals have a match in protocol, encryption and authentication algorithms.
Failing to establish an IPsec tunnel
Symptom
The expected IPsec tunnel cannot be established.
Analysis
Sometimes this may happen that an IPsec tunnel cannot be established or there is no way to
communicate in the presence of an IPsec tunnel in an unstable network. According to examination results,
however, ACLs of both parties are configured correctly, and proposals are also matched.
In this case, the problem is usually caused by the reboot of one router after the IPsec tunnel is established.
Solution
Use the display ike sa command to check whether both parties have established an SA in phase 1.
•
Use the display ipsec sa policy command to check whether the IPsec policy on the interface has
•
established IPsec SA.
If the two commands show that one party has an SA but the other does not, use the reset ipsec sa
•
command to clear the IPsec SA that has no corresponding SA, use the reset ike sa command to
clear the IKE SA that has no corresponding IKE SA, and trigger SA re-negotiation.
ACL configuration error
Symptom
ACL configuration error results in data flow blockage.
Analysis
When multiple devices create different IPsec tunnels early or late, a device may have multiple peers. If the
device is not configured with ACL rule, the peers send packets to it to set up different IPsec tunnels in
different protection granularity respectively. As the priorities of IPsec tunnels are determined by the order
they are established, a device cannot interoperate with other peers in fine granularity when its outbound
packets are first matched with an IPsec tunnel in coarse granularity.
Solution
When a device has multiple peers, configure ACLs on the device to distinguish different data flows and
try to avoid configuring overlapping ACL rules for different peers. If it is unavoidable, the subrules in fine
granularity should be configured with higher preferences.
300
- Quick Links:
- Configuration Guide
- Configuring Aaa
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
