![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-1](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/153230o24hm6vxr8mw2km0.jpg)
The router has correctly established an IPsec VPN with the peer device. Ping from 192.168.9.253 to 192.168.14.10 works, but telnet between these two terminal devices fails.
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-2](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/153407udmh8sxs02xxhm8t.jpg)
Ping from 192.168.9.253 to 192.168.14.10 succeeds.
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-3](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/153420c2tzrrgxzcir3r2c.jpg)
Telnet to 192.168.14.10 from R1 fails.
1. Since ping works, network connectivity between the two IPsec devices is fine. The problem is probably caused by a traffic policy or an ACL.
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-4](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/153833ats7mb2febt17tu8.jpg)
There are only two ACLs on the router; check the configuration to find out where these two ACLs are applied.
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-5](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/154252oekezr3wkdvr0py1.jpg)
ACL 3001 is applied in nat outbound,
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-6](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/154353cbsafokuakranka3.jpg)
and ACL 3002 is applied in the IPsec policy.
ACL 3001 denies traffic between network 192.168.9.0 and 192.168.14.0, and since it is applied in nat outbound, this only means that traffic from 192.168.9.0 to 192.168.14.0 is not translated.
ACL 3002 is applied in the IPsec policy and permits IPsec to encrypt traffic between 192.168.9.0 and 192.168.14.0.
Since the IPsec tunnel should encrypt traffic between 192.168.9.0 and 192.168.14.0, let's check whether the tunnel is working.
The packet count before and after running "telnet 192.168.14.10 80" is the same:
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-7](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/160608r35dwd3ja22a339z.jpg)
But when ping is executed, the packet count increases to 5,
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-8](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/160837w9l9974y4msm12ml.jpg)
which matches the number of ICMP packets sent by R1.
It seems the router did not encrypt the telnet traffic but did encrypt the ping traffic.
The router may use different forwarding paths for encrypted and unencrypted traffic.
Checking the routing table of the router,
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-9](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/162210xkmxpk11quok940d.jpg)
we find that all traffic to network 192.168.14.0 is forwarded to AR1 (172.16.12.1).
Checking the configuration of interface g0/0/1 on AR1, we find that a traffic-policy has been applied. Check this traffic-policy:
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-10](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/163315dsr8ivbfvmz7cmqv.jpg)
This traffic policy redirects all traffic that does not match rule 5 of ACL 3003 to 10.1.12.2.
It seems this is why telnet traffic from R1 does not reach server1. To confirm, capture packets on interface g0/0/1 of AR1:
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-11](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/164052znw7uuh3181kpq7u.jpg)
Here we find something interesting: the source IP address of the telnet traffic has been translated to 172.16.12.2. This causes the telnet traffic to be forwarded to 10.1.12.2, which is why telnet fails.
So deleting this traffic policy would solve the problem, but before taking this action we need the customer's approval.
To find out what the traffic policy is for, we confirm with the user. We are told that it is used to distinguish traffic: the router forwards traffic with source IP address 192.168.9.0 and destination IP address 192.168.14.0 to server1, and the rest of the traffic to 10.1.12.2.
So this traffic policy is necessary and cannot be deleted.
Noticing that the source IP address of the telnet traffic was translated to 172.16.12.2, let's check the AR2 configuration.
![[CASE]After configuring ipsec vpn on router,ping is normal but telnet is abnormal-2784565-12](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/24/154252oekezr3wkdvr0py1.jpg)
In the configuration of interface g0/0/1, we notice that nat server has been configured. nat server checks only whether the IP address matches, not whether the port number matches. So when telnet traffic goes from AR2 to AR1, the router translates the source IP address to 172.16.12.2. The IPsec policy then ignores the telnet traffic, the router sends it to AR1 unencrypted, AR1 forwards it to 10.1.12.2, and telnet fails.
Ping works because it is based on IP (ICMP), not TCP.
What's more, we learn that the router decrypts IPsec traffic before applying the traffic policy; otherwise ping could not succeed either.
With the cause found, the fix is easy: replace nat server with nat static:

```
nat static protocol tcp global current-interface 2000 inside 192.168.9.253 2000
```

After testing, both ping and telnet work.
Finally, what is the difference between nat server and nat static?
nat server and nat static behave the same for inbound traffic, but differ slightly for outbound traffic. With nat server, the router checks only whether the IP address matches; with nat static, the router checks both the IP address and the port number. This makes them behave quite differently when forwarding traffic outbound.
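To make the forwarding order inferred in this case concrete (NAT applied before the IPsec ACL, then AR1's traffic-policy redirecting anything unmatched to 10.1.12.2), here is a small added Python model of the decision path. It is not router code and not part of the original post; the packet structure, the port-only/IP-only matching rules and the outcome labels are assumptions that follow the post's own explanation of nat server versus nat static.

```python
"""Model of the outbound decision path described in this case (constructed example)."""
import ipaddress
from dataclasses import dataclass, replace

INSIDE_HOST = "192.168.9.253"
GLOBAL_ADDR = "172.16.12.2"       # address the capture showed as translated source
INSIDE_NET = ipaddress.ip_network("192.168.9.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.14.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "icmp"
    sport: int = 0   # source port, only meaningful for tcp


def nat_server(pkt: Packet) -> Packet:
    # As the post states: nat server matches the inside IP only, not the port,
    # so any TCP packet from the inside host gets its source translated.
    if pkt.proto == "tcp" and pkt.src == INSIDE_HOST:
        return replace(pkt, src=GLOBAL_ADDR)
    return pkt


def nat_static(pkt: Packet, port: int = 2000) -> Packet:
    # nat static protocol tcp ... 2000: both inside IP and port must match.
    if pkt.proto == "tcp" and pkt.src == INSIDE_HOST and pkt.sport == port:
        return replace(pkt, src=GLOBAL_ADDR)
    return pkt


def acl3002_match(pkt: Packet) -> bool:
    # IPsec policy ACL: permit 192.168.9.0/24 -> 192.168.14.0/24
    return (ipaddress.ip_address(pkt.src) in INSIDE_NET
            and ipaddress.ip_address(pkt.dst) in REMOTE_NET)


def forward(pkt: Packet, nat) -> str:
    """Apply NAT first, then the IPsec ACL; unmatched traffic leaves in clear
    text towards AR1, whose traffic-policy redirects it to 10.1.12.2."""
    pkt = nat(pkt)
    if acl3002_match(pkt):
        return "encrypted->server1"
    return "clear->AR1->10.1.12.2"


if __name__ == "__main__":
    telnet = Packet(INSIDE_HOST, "192.168.14.10", "tcp", sport=51000)
    ping = Packet(INSIDE_HOST, "192.168.14.10", "icmp")
    for name, nat in (("nat server", nat_server), ("nat static", nat_static)):
        print(name, "telnet:", forward(telnet, nat), "| ping:", forward(ping, nat))
```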
If you find any errors in this post, please point them out; it is a pleasure to see you share your thoughts~