IPSEC VPN not coming up : Address Set

tipu_sultan
7 years 6 months ago

Product: Eudemon8000E  V200R001C01SPC600 

Hi, we are migrating from Juniper to Huawei products. I am sharing a case study where we observed a problem, along with its rectification as shared by GTAC.

In Juniper firewalls, when you configure a site-to-site policy-based IPsec VPN, you use address sets to match the multiple sources and multiple destinations whose traffic will be encrypted and carried over IPsec.

Below is an example Huawei configuration for matching interesting traffic. In Juniper, if multiple sources and destinations are used in a policy-based IPsec VPN, the encryption domain during negotiations is 0.0.0.0. We thought the same would be the case in Huawei, so we used address sets in the IPsec VPN (in the configuration below, address sets were used in the ACL checkacl).

ipsec policy check 10 isakmp
 security acl checkacl

Solution:

Once we did that and the firewall got a reboot, the IPsec VPN was lost. To fix that issue, don't use address sets in the security ACL in Huawei. Only use a basic ACL with a single source and a single destination per rule in the security ACL.
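As an added illustration of the workaround above (this is not code from the original post or from Huawei), the script below expands a pair of address lists into the per-rule form the post recommends: every rule names exactly one source and one destination, with the wildcard masks that Huawei ACL rules expect. The address lists are constructed sample values, and the `acl number 3000` / `rule N permit ip source ... destination ...` syntax, the numeric ACL used in place of the named ACL checkacl, and the `address-set` keyword used by the check are assumptions about VRP syntax that should be verified against the Eudemon8000E command reference before use.

```python
import ipaddress
from itertools import product

# Constructed sample address lists (assumption: these stand in for the
# address sets that were originally referenced from the security ACL).
LOCAL_NETS = ["10.10.1.0/24", "10.10.2.0/24"]
REMOTE_NETS = ["192.168.50.0/24", "192.168.60.0/25"]


def wildcard(prefix):
    """Return (network address, wildcard mask) for a CIDR prefix.

    Huawei ACL rules take a wildcard (inverse) mask rather than a netmask,
    so 10.10.1.0/24 becomes '10.10.1.0 0.0.0.255'.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.network_address), str(net.hostmask)


def expand_rules(local_nets, remote_nets, start=5, step=5):
    """Build one ACL rule per (source, destination) pair.

    The cartesian product is what an address-set pair would have matched;
    writing it out explicitly keeps each rule to a single source and a
    single destination, which is the form the post says survives a reboot.
    Rule syntax is an assumption about VRP ACL configuration.
    """
    rules = []
    num = start
    for src, dst in product(local_nets, remote_nets):
        s_addr, s_wc = wildcard(src)
        d_addr, d_wc = wildcard(dst)
        rules.append(
            f"rule {num} permit ip source {s_addr} {s_wc} "
            f"destination {d_addr} {d_wc}"
        )
        num += step
    return rules


def render_config(acl_number, local_nets, remote_nets, policy="check", seq=10):
    """Render the ACL plus the ipsec policy lines that reference it.

    Assumption: a numbered advanced ACL is used here in place of the named
    ACL 'checkacl' shown in the post; adapt the name/number to the device.
    """
    lines = [f"acl number {acl_number}"]
    lines += [" " + r for r in expand_rules(local_nets, remote_nets)]
    lines.append("#")
    lines.append(f"ipsec policy {policy} {seq} isakmp")
    lines.append(f" security acl {acl_number}")
    return "\n".join(lines)


def references_address_set(config_text):
    """Flag a security ACL that still references an address set.

    Assumption: the keyword is 'address-set'; this is a simple textual check
    intended for reviewing a saved configuration before a reboot.
    """
    return any("address-set" in line for line in config_text.splitlines())


if __name__ == "__main__":
    cfg = render_config(3000, LOCAL_NETS, REMOTE_NETS)
    print(cfg)
    print("uses address set:", references_address_set(cfg))
```

Running the script prints four rules (two sources times two destinations) followed by the `ipsec policy` stanza referencing the ACL; `references_address_set` returns False for the generated text and True for a saved configuration that still contains an address-set rule, which is the condition the post identifies as the cause of the lost tunnel after reboot.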