Got it

AR3260 ipsec vpn cannot work normally Highlighted

Latest reply: Sep 30, 2018 13:47:47 1316 4 9 0 0

Issue Description

the AR3260 dynamically obtains an IP address through PPPoE to access the Internet and establishes ipsec vpn with HQ. However, traffic fails to be forwarded.

ipsec sa indicates that the tunnel is set up successfully but services are unavailable.

Handling Process

1. Run the display ipsec sa command on the AR3260 to check tunnel information. The command output is as follows:

  ===============display ipsec sa===============

Interface: Dialer1
 Path MTU: 1500

  IPSec policy name: "vpn"
  Sequence number  : 1
  Acl group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
    Connection ID     : 46
    Encapsulation mode: Tunnel
    Tunnel local      : x.x.x.x (Cutomer ip)
    Tunnel remote     : x.x.x.x (Cutomer ip)
    Flow source       : 0/0
    Flow destination  : 0/0
    Qos pre-classify  : Disable
    Qos group         : -

    [Outbound ESP SAs] 
      SPI: 877040047 (0x344691af)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887415920/1899
      Outpacket count       : 346    #we can see there are packets sent out
      Outpacket encap count : 346
      Outpacket drop count  : 0
      Max sent sequence-number: 346
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs] 
      SPI: 2407331406 (0x8f7cf64e)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887436800/1899
      Inpacket count        : 0     #but there isn't packet received
      Inpacket decap count  : 0
      Inpacket drop count   : 0
      Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N

 2. Check the security policy and configuration of the firewall at HQ

The service security policy and encrypted stream are correctly configured. Packets are forwarded, but the specified service packet is not captured.

3. Check the AR ike configuration found that didn't configure nat traversal

Root Cause

In the ipsec vpn, the TCP port in the esp packet has been encrypted and cannot be modified. For the NAT that translates the port, ESP cannot be supported. The IP address dynamically obtained by PPPoE is a private IP address. Port-based NAT is configured at the egress. Therefore, packets cannot be forwarded and the firewall cannot receive data.


Add nat traversal to ike peer that means enable NAT traversal for ipsec vpn.

ike xx

nat traversal




  • x
  • convention:

Created Sep 29, 2018 01:49:01

hi , can you share what's the characteristic i can judge this issue with not configure NAT traversal ?
View more
  • x
  • convention:
Created Sep 29, 2018 06:06:08

I have encountered this question about you. I have checked a lot of information, but I still have not answered this question clearly. Thank you for sharing this knowledge and solving my doubts. I hope that you can continue to update such knowledge points. Thank you. !AR3260 ipsec vpn cannot work normally-2765147-1AR3260 ipsec vpn cannot work normally-2765147-2
View more
  • x
  • convention:

Created Sep 30, 2018 08:36:01

This is a good case, After the packet reaches AR, it matches the traffic of interest on the IPSec VPN, so the message is encrypted, hashed, then nested on the head of ESP, and the new IP header is encapsulated. The processed packets are sent to the public network, transferred to the Nat-device, although the nat-device on the deployment of NAT Server port mapping, but the received packet is an IP packet, the IP header behind the head of the ESP, no UDP header, It is impossible for a NAT device to convert the message into an address and throw it to the FW, so the message will be discarded by Nat-device. This led to the Ipsecvpn tunnel has been established, but the protection of traffic between sites can not exchange visits.
View more
  • x
  • convention:

Created Sep 30, 2018 13:47:47

This post was last edited by yangyong at 2018-10-31 07:43. IPSec can be applied to Layer 3 physical interfaces, VLANIF interfaces, Layer 2 interfaces, tunnel interfaces, subinterfaces, and dialer interfaces.
1. Apply an IPSec policy on a Layer 3 physical interface.
system-view //Access the system view.
interface interface-type interface-number //Access the physical interface.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.