Issue Description:
The customer configured DSVPN with IPSec over the same source interface, but IKE does not come up. The IKE output is as below:
<ARrouter1>dis ike sa
    Conn-ID    Peer            VPN    Flag(s)    Phase
----------------------------------------------------------------------------------------------
    1381       0.0.0.0:0              NEG|A      v1:1
Number of IKE SA : 1
----------------------------------------------------------------------------------------------
Flag Description:
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
HUB:AR1200 V200R007C00SPCc00 ARV200R007SPH012
SPOKE:AR150 V200R009C00SPC300 ARV200R009SPH002
Alarm Information:
N/A
Handling Process:
Ask the customer to debug the IPSec and IKE packets:
terminal monitor
terminal debugging
debug ipsec all
debug ike all
We then found the following debug information:
<HQ-H>Nov 17 2017 17:03:26.450.5+00:00 HQ-H IKE/7/IKE_Debug Info:5:2607 IKE check ike peer same, get ike peer name (peer-name = ipsec1, ifindex = 18).
<HQ-H>Nov 17 2017 17:03:26.450.6+00:00 HQ-H IKE/3/IKE_Debug Error:5:2628 IKE check ike peer same, the binding ike peer is different(ifindex = 27, peer name = ipsec3).
The error is "IKE check ike peer same, the binding ike peer is different", so we checked the IPSec configuration:
interface Tunnel0/0/100
 ip address 100.17.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source vpn-instance test 1.1.1.1
 ipsec profile ipsec3
interface Tunnel0/0/0
 mtu 1360
 ip address 10.17.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source vpn-instance test 1.1.1.1
 ipsec profile ipsec1
ipsec profile ipsec1
 ike-peer ipsec1
 proposal pro1
ipsec profile ipsec3
 ike-peer ipsec3
 proposal pro3
In this scenario, the IPSec profiles must use the same IKE peer, and the IKE identity must be configured on the hub.
From Hub:
ike identity i1
 fqdn spoke1
ike identity i2
 fqdn spoke2
ipsec profile ipsec1
 ike-peer ipsec1
 proposal pro1
 match ike-identity i1
ipsec profile ipsec2
 ike-peer ipsec1
 proposal pro2
 match ike-identity i2
From spoke1:
ike peer ipsec1
 undo version 2
 pre-shared-key cipher xxx
 ike-proposal 1
 local-id-type fqdn
 local-id spoke1
 dpd type periodic
 dpd idle-time 40
From spoke2:
ike peer ipsec2
 undo version 2
 pre-shared-key cipher xxxx
 ike-proposal 1
 local-id-type fqdn
 local-id spoke2
 dpd type periodic
 dpd idle-time 40
In addition, the tunnels that share the same GRE source need a GRE key configured to distinguish the different peers.
interface Tunnel0/0/0
 gre key cipher AAA
interface Tunnel0/0/100
 gre key cipher BBB
After that is done, DSVPN over IPSec works normally.
Root Cause:
Because the customer configured IPSec on tunnels with the same source, the IKE identity and the GRE key (password) need to be configured.
Solution:
Configure the IKE identity and the GRE key (password).
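A check for this condition that can be run against a saved hub configuration before deployment, added here as an example (it is not part of the original case or of any Huawei tool). It flags tunnel interfaces that share a source but bind IPSec profiles with different IKE peers, or that have no GRE key. The function names are hypothetical, and the parser assumes sub-commands are indented under their parent command.

```python
from collections import defaultdict
# Constructed sample: hub config from this page; one-space indent is assumed.
SAMPLE = """\
interface Tunnel0/0/100
 source vpn-instance test 1.1.1.1
 ipsec profile ipsec3
interface Tunnel0/0/0
 source vpn-instance test 1.1.1.1
 ipsec profile ipsec1
ipsec profile ipsec1
 ike-peer ipsec1
ipsec profile ipsec3
 ike-peer ipsec3
"""

def parse_sections(text):
    """Map each top-level command to the indented sub-commands under it."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            continue
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def sub(body, prefix):  # argument of the first sub-command with this prefix, else None
    return next((l[len(prefix):] for l in body if l.startswith(prefix)), None)

def find_conflicts(text):
    """Flag tunnels sharing a source that use different IKE peers or no GRE key."""
    sections, by_source, findings = parse_sections(text), defaultdict(list), []
    for head, body in sections.items():
        if head.startswith("interface Tunnel") and sub(body, "source "):
            by_source[sub(body, "source ")].append((head.split()[1], body))
    shared = {s: t for s, t in by_source.items() if len(t) > 1}
    for source, tunnels in shared.items():
        peers = set()
        for name, body in tunnels:
            profile = sub(body, "ipsec profile ")
            peers.add(sub(sections.get(f"ipsec profile {profile}", []), "ike-peer "))
            if sub(body, "gre key ") is None:
                findings.append(f"{name}: no gre key on shared source {source}")
        peers.discard(None)
        if len(peers) > 1:
            findings.append(f"source {source}: different IKE peers {sorted(peers)}")
    return findings
```

On the sample, `find_conflicts(SAMPLE)` reports both tunnels as missing a GRE key and the shared source as bound to two IKE peers; a configuration corrected as in this case returns an empty list.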
Suggestions:
See "(Optional) Configuring an Identity Filter Set" at the link below: http://support.huawei.com/hedex/pages/EDOC1000085855AEG05127/12/EDOC1000085855AEG05127/12/resources/dc/dc_cfg_ipsec_0067.html?ft=0&fe=10&hib=7.3.10.7.7.4.5&id=dc_cfg_ipsec_0067&text=(Optional)%20Configuring%20an%20Identity%20Filter%20Set&docid=EDOC1000085855