Establishing DSVPN with IPsec over the same source interface


Issue Description:

       The customer configured DSVPN with IPsec on tunnels that use the same source interface, but the IKE SA could not come up. The IKE output was as follows:

 

<ARrouter1>dis ike sa
   Conn-ID    Peer                  VPN                             Flag(s)               Phase
  ----------------------------------------------------------------------------------------------
   1381       0.0.0.0:0                                             NEG|A                 v1:1

  Number of IKE SA : 1
  ----------------------------------------------------------------------------------------------
  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

 

HUB: AR1200 V200R007C00SPCc00 ARV200R007SPH012
SPOKE: AR150 V200R009C00SPC300 ARV200R009SPH002

Alarm Information:

       N/A

 

Handling Process:

      
        We asked the customer to enable debugging of the IPsec and IKE packets:

terminal monitor
terminal debugging
debug ipsec all
debug ike all

The debug output then showed the following:

<HQ-H>Nov 17 2017 17:03:26.450.5+00:00 HQ-H IKE/7/IKE_Debug Info:5:2607 IKE check ike peer same, get ike peer name (peer-name = ipsec1, ifindex = 18).
<HQ-H>Nov 17 2017 17:03:26.450.6+00:00 HQ-H IKE/3/IKE_Debug Error:5:2628 IKE check ike peer same, the binding ike peer is different(ifindex = 27, peer name = ipsec3).

The error is "IKE check ike peer same, the binding ike peer is different", so we checked the IPsec configuration:

interface Tunnel0/0/100
 ip address 100.17.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source vpn-instance test 1.1.1.1
 ipsec profile ipsec3

interface Tunnel0/0/0
 mtu 1360
 ip address 10.17.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source vpn-instance test 1.1.1.1
 ipsec profile ipsec1

ipsec profile ipsec1
 ike-peer ipsec1
 proposal pro1

ipsec profile ipsec3
 ike-peer ipsec3
 proposal pro3

In this scenario, the IPsec profiles must use the same IKE peer, and IKE identities must be configured on the hub.

On the hub:

ike identity i1
 fqdn spoke1
ike identity i2
 fqdn spoke2

ipsec profile ipsec1
 ike-peer ipsec1
 proposal pro1
 match ike-identity i1
ipsec profile ipsec2
 ike-peer ipsec1
 proposal pro2
 match ike-identity i2

On spoke1:

ike peer ipsec1
 undo version 2
 pre-shared-key cipher xxx
 ike-proposal 1
 local-id-type fqdn
 local-id spoke1
 dpd type periodic
 dpd idle-time 40

On spoke2:

ike peer ipsec2
 undo version 2
 pre-shared-key cipher xxxx
 ike-proposal 1
 local-id-type fqdn
 local-id spoke2
 dpd type periodic
 dpd idle-time 40

In addition, the tunnels that share the same GRE source must each be configured with a GRE key to distinguish the different peers.

interface Tunnel0/0/0
 gre key cipher AAA
interface Tunnel0/0/100
 gre key cipher BBB

After that was done, DSVPN over IPsec worked normally.

Root Cause:

        The customer configured IPsec on tunnels with the same source, so the IKE identity and the GRE password (the gre key) must also be configured.

Solution:

       Configure the IKE identity and the GRE password (the gre key).

Suggestions:

For details, see "(Optional) Configuring an Identity Filter Set" at the link below: http://support.huawei.com/hedex/pages/EDOC1000085855AEG05127/12/EDOC1000085855AEG05127/12/resources/dc/dc_cfg_ipsec_0067.html?ft=0&fe=10&hib=7.3.10.7.7.4.5&id=dc_cfg_ipsec_0067&text=(Optional)%20Configuring%20an%20Identity%20Filter%20Set&docid=EDOC1000085855
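
The check below is an added example, not part of the original post and not a Huawei tool. It reads configuration text in the format shown above and reports tunnel interfaces that share one source while binding IPsec profiles with different IKE peers, or that lack a gre key. It assumes sub-commands are indented under their header line, as in saved configuration output; the function names and the sample text are constructed for illustration.

```python
from collections import defaultdict
# Constructed sample: the hub's tunnel and profile stanzas from this case, before the fix.
SAMPLE = """\
interface Tunnel0/0/100
 source vpn-instance test 1.1.1.1
 ipsec profile ipsec3
interface Tunnel0/0/0
 source vpn-instance test 1.1.1.1
 ipsec profile ipsec1
ipsec profile ipsec1
 ike-peer ipsec1
ipsec profile ipsec3
 ike-peer ipsec3
"""

def parse_sections(text):
    """Return {header: [sub-commands]}; assumes sub-commands are the indented lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def find_conflicts(text):
    """Flag tunnels that share a source but differ in IKE peer or lack a GRE key."""
    sections = parse_sections(text)
    peer_of = {h.split()[2]: c.split()[1] for h, body in sections.items()
               if h.startswith("ipsec profile ") for c in body if c.startswith("ike-peer ")}
    by_source = defaultdict(list)
    for header, body in sections.items():
        if not header.startswith("interface Tunnel"):
            continue
        source = next((c for c in body if c.startswith("source ")), None)
        profile = next((c.split()[2] for c in body if c.startswith("ipsec profile ")), None)
        if source and profile:
            has_key = any(c.startswith("gre key ") for c in body)
            by_source[source].append((header.split()[1], peer_of.get(profile, "?"), has_key))
    return [{"source": s, "tunnels": sorted(t[0] for t in ts),
             "ike_peers": sorted({t[1] for t in ts}),
             "missing_gre_key": sorted(t[0] for t in ts if not t[2])}
            for s, ts in by_source.items()
            if len(ts) > 1 and (len({t[1] for t in ts}) > 1 or not all(t[2] for t in ts))]

if __name__ == "__main__":
    print(find_conflicts(SAMPLE))
```

On the sample it reports one finding for source "vpn-instance test 1.1.1.1", listing both tunnels, the two IKE peers ipsec1 and ipsec3, and both tunnels as missing a gre key.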

 

 

 
