H3C SecPath F1800-A Operation Manual page 560

Operation Manual - VPN
H3C SecPath F1800-A Firewall
Fault 1: Invalid user ID information
Troubleshooting:
User ID is the data that users who initiate IPSec communication used to identify
themselves. In the actual application, you can protect data streams by creating
different security channels through user ID. At present, users identify themselves by
their IP addresses.
Display debugging information:
got NOTIFY of type INVALID_ID_INFORMATION
or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
Check whether the ACL in the IPSec policy on the two interfaces of negotiation ends
are compatible. It is recommended that you set the ACLs on both ends as mutual
mirroring.
For ACL mirroring in detail, refer to "ACL Configuration" in IPSec configuration.
Fault 2: Unmatched proposals
Troubleshooting:
Display debugging information:
got NOTIFY of type NO_PROPOSAL_CHOSEN
or
drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN
Two parties of negotiation have no matched proposals.
At the first stage of negotiation, check whether there are IKE proposals matched with
the peer.
At the second stage of negotiation, check:
Whether the IPSec policy parameters applied on the interfaces of two parties are
matched
Whether the protocol, encryption algorithm and authentication algorithm are
matched
Fault 3: Unable to establish security channel
Troubleshooting:
Check whether:
The network is stable.
The security channel is created correctly.
Communication still fails even if there is a security channel.
ACLs of both parties are correctly configured.
There is matched policy.
In this case, the problem is usually caused by the restart of one router after the
security channel is created.
7-80
Chapter 3 IPSec Configuration