NOTE
If IKEv1 is used at both ends, run the display ike sa command to view information about IKE SAs. If IKEv2 is used at both ends, run the display ike sa v2 command to view information about IKE SAs.
- If the IPSec SA and IKE SA are established successfully, go to step 2.
- If the IPSec SA fails to be established but the IKE SA is established successfully, go to step 4.
- If the IKE SA fails to be established, go to step 8.
Step 2 Check whether data flows protected by the IPSec tunnel can be forwarded by a specified interface.
Ensure that outgoing data flows are sent by the interface to which the IPSec policy is applied. The operations are as follows:
- Run the display ip routing-table command on both devices to view the routes to each other. Check whether the outbound interface in a route with a reachable next hop is the specified interface. If the outbound interface is not the specified interface, modify the routing configuration according to Huawei AR2200-S Series Enterprise Routers Configuration Guide - IP Routing.
- Run the display arp command on both devices to check whether the interface in the ARP entry matching the peer IP address is the specified interface. If not, run the reset arp command to delete the ARP entry from the ARP mapping table.
If data flows protected by the IPSec tunnel are forwarded by a specified interface, go to step 3.
Step 3 Check whether data flows match the ACL.
Analyze the source and destination IP addresses and port numbers of data flows to check whether the data flows match the ACL referenced by the IPSec policy.
- If the data flows do not match the ACL, they cannot enter the IPSec tunnel. Instead, the data flows are forwarded directly. To modify the matching rule, see Huawei AR2200-S Series Enterprise Routers Configuration Guide - IPSec.
- If the data flows match the ACL, go to step 10.
Step 4 Check whether the settings of IPSec proposals at both ends of the IPSec tunnel are the same.
Run the display ipsec proposal command on both devices to check the following fields.

Field                 Check Standard and Operation
IPSec Proposal Name   The IPSec proposals bound to IPSec policies at both ends must be the same. If not, run the ipsec proposal command to change the IPSec proposal names to be the same.
Encapsulation Mode    The encapsulation modes must be the same. If not, run the encapsulation-mode { transport | tunnel } command to change the encapsulation modes to be the same.
Transform             The IPSec protocols must be the same. If not, run the transform { ah | esp | ah-esp } command to change the IPSec protocols to be the same.
AH Protocol           The authentication algorithms used by the AH protocol must be the same. If not, run the ah authentication-algorithm { md5 | sha1 } command to change the authentication algorithms to be the same.
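The check in Step 4 can be automated by comparing the display ipsec proposal output captured on both ends and reporting each mismatching field together with the command from the table that corrects it. This is an added example, not Huawei's own tooling; the sample outputs are constructed, and the "Key: value" layout of the command output is an assumption.

```python
"""Compare IPSec proposal fields from both tunnel ends and report mismatches
with the corrective command from the Step 4 check table."""
import re

# Constructed sample output of `display ipsec proposal` on each end.
# The exact layout of the real output is an assumption; only the
# "Key : value" lines are parsed.
LOCAL_OUTPUT = """\
IPSec proposal name: prop1
  Encapsulation mode: Tunnel
  Transform         : ah-esp
  AH protocol       : Authentication MD5-HMAC-96
"""
PEER_OUTPUT = """\
IPSec proposal name: prop1
  Encapsulation mode: Transport
  Transform         : ah-esp
  AH protocol       : Authentication SHA1-HMAC-96
"""

# Field -> command that makes both ends consistent (from the check table).
FIX_COMMANDS = {
    "IPSec proposal name": "ipsec proposal <name>",
    "Encapsulation mode": "encapsulation-mode { transport | tunnel }",
    "Transform": "transform { ah | esp | ah-esp }",
    "AH protocol": "ah authentication-algorithm { md5 | sha1 }",
}


def parse_proposal(output):
    """Turn 'Key : value' lines into a dict; values are case-normalised."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2).lower()
    return fields


def compare_proposals(local_out, peer_out):
    """Return [(field, local_value, peer_value, fix_command)] for every
    field in the check table whose value differs between the two ends."""
    local, peer = parse_proposal(local_out), parse_proposal(peer_out)
    return [(f, local.get(f), peer.get(f), fix)
            for f, fix in FIX_COMMANDS.items()
            if local.get(f) != peer.get(f)]


if __name__ == "__main__":
    for field, lv, pv, fix in compare_proposals(LOCAL_OUTPUT, PEER_OUTPUT):
        print(f"{field}: local={lv!r} peer={pv!r} -> run: {fix}")
```

With the constructed outputs above, the encapsulation mode and the AH authentication algorithm are reported as mismatches; an empty result means Step 4 passes.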
Huawei AR2200-S Series Enterprise Routers
Troubleshooting
12 VPN
Issue 01 (2012-01-06)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
376