
Ike peer error

Created: Sep 28, 2019 20:25:43 | Latest reply: Sep 29, 2019 01:05:43
Rewarded HiCoins: 0 (problem resolved)

Hi!


I am getting this error while configuring ike peer for the IPsec protocol on an AR1220-S.


Error: This IKE peer is new, please indicate the mode to finish creating it.



Featured Answers

Recommended answer

Popeye_Wang
Admin Created Sep 29, 2019 01:05:43

Hello there!


For the newly created ike, please specify the version number after the command.


[HUAWEI]ike peer spub v2

The configuration of different versions is slightly different. It is a good way to use '?' when you are not sure.
All Answers
Hi,

IPSec tunnels have been established between FWs. After the sub address is added to the public network interface of FW1 and some configurations are modified, the IPsec tunnel fails to be established. The IPSec and IKE parameters are correctly configured on both ends.

1. Run the display ike sa command on FW2. The command output shows that the IKE SA fails to be established.
<FW2> display ike sa
IKE SA information:
Conn-ID Peer VPN Flag (s) Phase
----------------------------------------------------------------------
83891196 1.1.1.5:500 NEG|A v2:1

Number of IKE SA: 1
----------------------------------------------------------------------

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

2. Run the display ike error-info command on FW2. The command output shows that the IKE negotiation failure cause is peer address mismatch, indicating that the remote addresses of the IKE peers at both ends do not match.
<FW2> display ike error-info
current info Num :1
Ike error information:
current ike Error-info number :1
-----------------------------------------------------------------------------------------
peer port error-reason version error-time
-----------------------------------------------------------------------------------------
1.1.1.5 500 peer address mismatch v2 2017-09-05 06:22
-----------------------------------------------------------------------------------------

3. Check the sub address configured for the FW1 interface.
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
ip address 1.1.1.5 255.255.255.0 sub
ipsec policy map1



Possible Cause

The local address of the initiator is different from the peer address configured for the responder.


Handling Procedure
1. Run the display ike peer [name peer-name] command to check whether the IP addresses of the IKE peers at both ends match.
<FW1> display ike peer name b
------------------------------------------------
Peer name: b
IKE version: v2
VPN instance: -
Remote IP: 2.1.1.1
Authentic IP address: -
Proposal: 10
Pre-shared-key: %^%#=Q90U4SSw&~$c]YM.} !$} HWfFOm+G&i@`BW '7ETS%^%#
Local ID type: IP
Local ID: -
Remote ID type: -
Remote ID: -
.........
------------------------------------------------
<FW2> display ike peer name b
------------------------------------------------
Peer name: a
IKE version: v2
VPN instance: -
Remote IP: 1.1.1.5
Authentic IP address: -
Proposal: 10
Pre-shared-key: %^%#.SBO>Q {o#@_BHQ/%ULL;f3%rOo4+*3fs3TI7sX\ '%^%#
Local ID type: IP
Local ID: -
Remote ID type: -
Remote ID: -
..........
------------------------------------------------

The command output shows that the peer address of FW2 is the sub address of FW1. In IKE negotiation, FW1 uses the primary address of the interface as the local address by default; therefore, the local address of the initiator is different from the peer address configured on the responder. As a result, the IKE SA negotiation fails.


2. Change the local IP address of FW1.
ipsec policy map1 10 isakmp
tunnel local 1.1.1.5

After the modification, the IPSec tunnel is set up successfully, and PCs can access each other.




Suggestions and Summary

In ISAKMP mode, the local IP address of the IPSec tunnel does not need to be configured. During SA negotiation, the local IP address of the IPSec tunnel is selected based on the route. In the following situations, you need to configure the local IP address:
If the IP address of the interface bound to the security policy is not fixed or unpredictable, run the tunnel local ip-address command to specify the IP address of another interface (such as the loopback interface) on the device as the local IP address of the IPSec tunnel; alternatively, run the tunnel local applied-interface command to specify the IP address of the IPSec tunnel interface as the local IP address of the IPSec tunnel.
If multiple IP addresses (one primary IP address and multiple secondary IP addresses) are configured for the interface bound to the IPSec policy, run the tunnel local ip-address command to specify an IP address as the local IP address of the IPSec tunnel; alternatively, run the tunnel local applied-interface command to specify the primary IP address of the interface as the local IP address of the IPSec tunnel.
If equal-cost routes exist between the local and peer ends, run the tunnel local {ip-address | applied-interface} command to specify the local IP address of the IPSec tunnel.

Link reference : https://forum.huawei.com/enterprise/en/the-ipsec-tunnel-fails-to-be-set-up-causing-service-interruption/thread/467995-869
Thanks
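The handling procedure in the answer above is done by eye: read `display ike sa` for an SA stuck in NEG, read `display ike error-info` for "peer address mismatch", then compare the responder's Remote IP with the initiator's interface addresses. The following is an added example, not code from the forum post or from Huawei, that automates that cross-check. It parses the three outputs shown in the answer (the sample text below is constructed from them, with the same addresses), finds the initiator's primary address, and reports when the responder's remote IP is actually a secondary (sub) address, which is the case where the `tunnel local ip-address` fix applies. The column layout it assumes is the one visible in the post; other VRP versions may differ.

```python
"""Added example: cross-check Huawei VRP IKE diagnostics for the
'peer address mismatch' caused by a secondary (sub) interface address.
All sample outputs are constructed to mirror the forum post."""
import re
from typing import Dict, List, Optional, Tuple

# --- constructed sample outputs (modelled on the post) -------------------
IKE_SA_OUTPUT = """IKE SA information:
Conn-ID Peer VPN Flag (s) Phase
----------------------------------------------------------------------
83891196 1.1.1.5:500 NEG|A v2:1

Number of IKE SA: 1
"""

ERROR_INFO_OUTPUT = """current info Num :1
Ike error information:
current ike Error-info number :1
-----------------------------------------------------------------------------------------
peer port error-reason version error-time
-----------------------------------------------------------------------------------------
1.1.1.5 500 peer address mismatch v2 2017-09-05 06:22
-----------------------------------------------------------------------------------------
"""

INTERFACE_CONFIG = """interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 ip address 1.1.1.5 255.255.255.0 sub
 ipsec policy map1
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ADDR_RE = re.compile(r"^\s*ip address (\d{1,3}(?:\.\d{1,3}){3}) \S+( sub)?\s*$")


def parse_ike_sa(text: str) -> List[Dict[str, object]]:
    """Parse rows of 'display ike sa': Conn-ID Peer VPN Flag(s) Phase.
    The VPN column may be empty, so fixed columns are read from both ends."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].isdigit() or ":" not in tokens[1]:
            continue
        peer_ip, peer_port = tokens[1].rsplit(":", 1)
        version, phase = tokens[-1].split(":", 1)
        entries.append({
            "conn_id": tokens[0], "peer": peer_ip, "port": peer_port,
            "vpn": tokens[2] if len(tokens) == 5 else None,
            "flags": tokens[-2].split("|"),   # e.g. ["NEG", "A"]
            "version": version, "phase": phase,
        })
    return entries


def parse_ike_error_info(text: str) -> List[Dict[str, str]]:
    """Parse rows of 'display ike error-info': peer port error-reason version error-time.
    The reason is free text, so it is whatever sits between the fixed columns."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or not IP_RE.match(tokens[0]):
            continue
        entries.append({
            "peer": tokens[0], "port": tokens[1],
            "reason": " ".join(tokens[2:-3]),
            "version": tokens[-3], "time": " ".join(tokens[-2:]),
        })
    return entries


def parse_interface_addresses(config: str) -> List[Tuple[str, bool]]:
    """Return (address, is_secondary) for each 'ip address' line of an interface view."""
    matches = (ADDR_RE.match(line) for line in config.splitlines())
    return [(m.group(1), m.group(2) is not None) for m in matches if m]


def diagnose(responder_remote_ip: str, initiator_config: str,
             ike_sa_text: str, error_info_text: str) -> Dict[str, object]:
    """Compare the responder's configured Remote IP with the initiator's
    interface addresses, as the post's handling procedure does by hand."""
    addrs = parse_interface_addresses(initiator_config)
    primary: Optional[str] = next((ip for ip, sub in addrs if not sub), None)
    configured = {ip for ip, _ in addrs}
    stuck = [e for e in parse_ike_sa(ike_sa_text)
             if "NEG" in e["flags"] and e["peer"] == responder_remote_ip]
    mismatch = [e for e in parse_ike_error_info(error_info_text)
                if e["reason"] == "peer address mismatch"]
    result: Dict[str, object] = {
        "primary": primary, "negotiating": bool(stuck),
        "mismatch_reported": bool(mismatch), "fix": None, "finding": "",
    }
    if responder_remote_ip == primary:
        result["finding"] = "responder Remote IP matches the initiator's primary address"
    elif responder_remote_ip in configured:
        # The initiator sources IKE from its primary address by default, so pin
        # the local address to the one the responder expects (post's step 2).
        result["finding"] = "responder Remote IP is a secondary (sub) address of the initiator"
        result["fix"] = f"tunnel local {responder_remote_ip}"
    else:
        result["finding"] = "responder Remote IP is not configured on the initiator interface"
    return result


if __name__ == "__main__":
    # FW2's Remote IP in the post is 1.1.1.5, FW1's sub address.
    print(diagnose("1.1.1.5", INTERFACE_CONFIG, IKE_SA_OUTPUT, ERROR_INFO_OUTPUT))
```

Run it with the outputs pasted from each device; the `fix` field gives the `tunnel local` line to add under the `ipsec policy` view on the initiator, and an empty `fix` with `negotiating` still true points the investigation elsewhere (proposal, pre-shared key, or routing).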

