ARs configured with IPSec on two private networks cannot communicate with each other


The possible causes are as follows:
1. The public addresses of two IPSec-enabled ARs cannot be pinged.
2. The data flow to be encapsulated with the IPSec header is defined incorrectly, or both IPSec and NAT are performed for the same data flow. Run the display acl all command to check ACL matching. If both IPSec and NAT are performed for the same data flow, use either of the following methods to prevent data flow overlapping:
-In the ACL rule referenced by NAT, deny the destination IP address that is matched by the ACL rule referenced by IPSec. The device then does not perform NAT on the data flow protected by IPSec.
-Make the ACL rule referenced by IPSec match the NAT-translated IP address.
3. The AR incorrectly learns private routes. The outbound interface of the route to the destination private network is not the public network interface enabled with IPSec.
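The NAT/IPSec overlap in cause 2 can be checked offline before touching the router. The following added example (not Huawei code; ACL rules, networks and flows are constructed for illustration) models first-match ACL lookup, reports flows that both ACLs would match, and shows the first fix above: a deny rule for the IPSec destination placed ahead of the NAT permit rule.

```python
"""Detect data flows that are both IPSec-protected and NAT-translated,
and show the fix: deny the IPSec destination in the NAT ACL.
All rules, networks and flows below are constructed for this example."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]  # (action, source network, destination network)
Flow = Tuple[str, str]       # (source host, destination host)

def first_match(acl: List[Rule], src: str, dst: str) -> Optional[str]:
    """Return the action of the first rule matching the flow (ACL lookup order).
    None means no rule matched, so the ACL does not apply to this flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None

def nat_and_ipsec_overlap(nat_acl: List[Rule], ipsec_acl: List[Rule],
                          flows: List[Flow]) -> List[Flow]:
    """Flows that the IPSec ACL permits AND the NAT ACL permits: both processed."""
    return [f for f in flows
            if first_match(ipsec_acl, *f) == "permit"
            and first_match(nat_acl, *f) == "permit"]

# Constructed private networks: 192.168.1.0/24 (local LAN) <-> 192.168.2.0/24 (remote LAN).
IPSEC_ACL = [("permit", "192.168.1.0/24", "192.168.2.0/24")]
# Broken NAT ACL: translates everything leaving the LAN, including VPN traffic.
NAT_ACL_BAD = [("permit", "192.168.1.0/24", "0.0.0.0/0")]
# Fixed NAT ACL: deny the IPSec destination first, so NAT skips protected traffic.
NAT_ACL_FIXED = [("deny", "192.168.1.0/24", "192.168.2.0/24"),
                 ("permit", "192.168.1.0/24", "0.0.0.0/0")]
FLOWS = [("192.168.1.10", "192.168.2.20"),   # LAN-to-LAN: should be IPSec only
         ("192.168.1.10", "203.0.113.5")]    # Internet-bound: should be NAT only

if __name__ == "__main__":
    print("overlap with broken NAT ACL:", nat_and_ipsec_overlap(NAT_ACL_BAD, IPSEC_ACL, FLOWS))
    print("overlap with fixed NAT ACL: ", nat_and_ipsec_overlap(NAT_ACL_FIXED, IPSEC_ACL, FLOWS))
```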

Other related questions:

Can two network segments that cannot communicate with each other be configured for two network ports of the VCN3000?
No. There can be only one VCN3000 service IP address. The two service network ports can be configured to work in active/standby or load balancing mode and show the same service IP address.

Method used to configure an IPSec tunnel on the AR for mutual access between branches
There are two ways of implementing communication between branches on Huawei AR routers.
1. Branches communicate with each other directly. In this case, configure IPSec and DSVPN to implement communication between branches (not supported by the AR510). For details, see "Example for Configuring IPSec-based DSVPN" of "DSVPN Configuration" in Configuration Guide - VPN.
2. Branches communicate with each other through the headquarters. For details, see "Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.
