DSVPN + IPSec at one end only

Created: Jan 16, 2019 00:37:17 | Latest reply: Jan 17, 2019 18:09:07
Rewarded HiCoins: 0 (problem resolved)

Hi,

I have a hub-and-spoke IPSec+DSVPN network with many spokes. I have noticed that if a simple misconfiguration happens such that at one end (router) there is no ipsec profile command on the tunnel interface (regardless of whether I refer to a spoke-hub or spoke-spoke connection), it is still possible to communicate. There are just no IPSec SAs, obviously, but NHRP delivers the routes and traffic flows, so connectivity is a fact.

My question is: Is there a way to ensure that if there is no ipsec profile command on the tunnel interface of one end and there is an ipsec profile on the other end's tunnel (of the hub, for example, or the other spoke), the latter will somehow block the unencrypted traffic totally?

I tried ipsec decrypt check, but it seems to be a command for other scenarios.

It's a bit of an issue in terms of security and I failed in figuring out the solution so far.

Any advice welcome :)

Or maybe it's a software bug or something.

The boxes are AR161, AR1220E - V200R009 with SPH012

Regards, Piotr
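One way to catch the misconfiguration Piotr describes before it reaches production is to audit exported configs offline. The following is an added example (not from the post, and not Huawei tooling) that parses a VRP-style running-config and lists DSVPN tunnel interfaces (mGRE tunnels carrying nhrp network-id) that have no ipsec profile bound; the sample config, interface names and profile name are constructed, and the exact block layout of your export is an assumption.

```python
# Added example (not from the post or Huawei): audit an exported VRP config for
# DSVPN tunnel interfaces with no 'ipsec profile' bound. Sample config is constructed.
import re

def parse_tunnels(config: str) -> dict:
    # Map each 'interface TunnelX' block to its lines; VRP ends each block with '#'
    tunnels, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface Tunnel"):
            cur = line.split(None, 1)[1]
            tunnels[cur] = []
        elif line == "#":
            cur = None
        elif cur is not None and line:
            tunnels[cur].append(line)
    return tunnels

def ipsec_profile(lines: list):
    # Name bound with 'ipsec profile <name>', or None if the command is missing
    for l in lines:
        m = re.match(r"ipsec profile (\S+)$", l)
        if m:
            return m.group(1)
    return None

def unprotected_dsvpn_tunnels(config: str) -> list:
    # DSVPN tunnels are identified by 'nhrp network-id'; without a profile they
    # still form NHRP mappings and pass traffic in the clear (the post's scenario)
    return sorted(name for name, lines in parse_tunnels(config).items()
                  if any(l.startswith("nhrp network-id") for l in lines)
                  and ipsec_profile(lines) is None)

# Constructed sample: one protected DSVPN tunnel, one unprotected, one plain GRE
SAMPLE_CONFIG = """\
#
interface Tunnel0/0/0
 tunnel-protocol gre p2mp
 nhrp network-id 100
 ipsec profile dsvpn_prof
#
interface Tunnel0/0/1
 tunnel-protocol gre p2mp
 nhrp network-id 100
#
interface Tunnel0/0/2
 tunnel-protocol gre
 destination 198.51.100.9
#
"""
```

Run `unprotected_dsvpn_tunnels()` over each spoke and hub export; any name it returns is a tunnel that will carry NHRP and data traffic unencrypted while the peer side reports no IPSec SA.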


Featured Answers
grayfox
Created Jan 16, 2019 16:10:07

This is a bug which GTAC are already aware, as we've had this issue with a deployment recently.

All Answers
Jessica_Tian Created Jan 16, 2019 01:08:56

Maybe there is no solution ...

z00166320 Created Jan 16, 2019 01:26:47

We will strengthen the check in the R7SPH025 patch.

chenhui (Admin) Created Jan 16, 2019 08:42:08

@z00166320 So this is a bug in the software, right?

PiotrekRGC Created Jan 16, 2019 08:59:39

Posted by z00166320 at 2019-01-15 19:26: We will strengthen the check in the R7SPH025 patch.
Hi,
Will this patch also be available for V2R9 (you mentioned R7)?


PiotrekRGC Created Jan 17, 2019 18:09:07

Thanks for the info.
Looking forward to the release of a new patch/upgrade.