
IPSec is not established and 2nd IKE SA peer isn't created ? why ?

Created: Aug 24, 2020 10:53:20 | Latest reply: Aug 24, 2020 11:06:59
Rewarded HiCoins: 0 (problem resolved)


I've configured IPsec with ISAKMP v2 (IKEv2), but why is my IPsec not coming up? When I check the device, only one IKE peer entry is created. Why isn't there a second IKE SA?


<AR1>display ike sa v2
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
        2    2.1.1.1         0     RD|ST                  1

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

TEST



AR1


<Huawei>dis cur
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal R2
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
#
ike peer btoa v2
 pre-shared-key simple huawei123
 ike-proposal 1
 remote-address 2.1.1.1
#
ipsec policy seccon 1 isakmp
 security acl 3101
 ike-peer btoa
 proposal R2
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec policy seccon
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return


AR2


<Huawei>dis cur
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 ip address 2.1.1.2 255.255.255.0
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 2.1.1.0 0.0.0.255
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return


AR3


<Huawei>DIS CUR
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.2
#
ipsec proposal R1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
#
ike peer atob v2
 pre-shared-key simple huawei123
 ike-proposal 1
 remote-address 1.1.1.1
#
ipsec policy seccon 1 isakmp
 security acl 3101
 ike-peer atob
 proposal R1
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
 ip address 2.1.1.1 255.255.255.0
 ipsec policy seccon
#
interface GigabitEthernet0/0/2
 ip address 10.1.2.1 255.255.255.0
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 2.1.1.0 0.0.0.255
  network 10.1.2.0 0.0.0.255
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<Huawei>


Featured Answers
chenhui
Admin Created Aug 24, 2020 11:06:59

Hi Sapte,
The ACLs on R1 and R2 don't match each other; please modify them.
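The mismatch chenhui points out can be checked mechanically. The following Python is an added example (not from the thread or from Huawei): it parses the `rule` lines from the AR1 and AR3 ACLs posted above and reports whether each side's source/destination is the mirror image of the other's, which the ACL-derived traffic selectors must be before the Phase 2 (IPsec) SA can be negotiated on top of the Phase 1 IKE SA shown in the `display ike sa v2` output. `AR3_RULE_FIXED` is my assumed corrected rule, not text from the thread.

```python
import ipaddress
import re

# ACL rules copied from the AR1 and AR3 configs posted above.
AR1_RULE = "rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"
AR3_RULE = "rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.2"
# Constructed: AR3's rule with the destination wildcard corrected to 0.0.0.255.
AR3_RULE_FIXED = "rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"

RULE_RE = re.compile(r"rule\s+(\d+)\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                     r"\s+destination\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """Huawei 'address wildcard' -> IPv4Network. Wildcard 1-bits are 'don't care',
    so only a contiguous run of low 1-bits (0.0.0.255, 0.0.0.0, ...) is a subnet.
    A non-contiguous wildcard such as 0.0.0.2 returns None: it is not a prefix
    and cannot mirror the peer's traffic selector."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:                      # not of the form 2^n - 1 -> non-contiguous
        return None
    host_bits = (wc + 1).bit_length() - 1
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def parse_rule(line):
    """Parse one 'rule N permit ip source A WC destination B WC' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rid, src, src_wc, dst, dst_wc = m.groups()
    return {"id": int(rid), "src": wildcard_to_network(src, src_wc),
            "dst": wildcard_to_network(dst, dst_wc)}

def mirror_problems(local_rule, peer_rule):
    """Reasons the two rules are not mirror images (local src == peer dst and
    local dst == peer src). An empty list means the selectors agree."""
    a, b = parse_rule(local_rule), parse_rule(peer_rule)
    problems = [f"{name} {side} uses a non-contiguous wildcard"
                for name, rule in (("local", a), ("peer", b))
                for side in ("src", "dst") if rule[side] is None]
    if not problems:
        if a["src"] != b["dst"]:
            problems.append(f"local src {a['src']} != peer dst {b['dst']}")
        if a["dst"] != b["src"]:
            problems.append(f"local dst {a['dst']} != peer src {b['src']}")
    return problems

if __name__ == "__main__":
    print("as posted:", mirror_problems(AR1_RULE, AR3_RULE) or "mirror OK")
    print("corrected:", mirror_problems(AR1_RULE, AR3_RULE_FIXED) or "mirror OK")
```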

Sapte Created Aug 24, 2020 11:36:31
How could I not realize that...
chenhui Reply Sapte Created Aug 24, 2020 11:44:35
LOL
Unicef Created Jan 7, 2022 12:13:48
All Answers
Hello, friend!
It's nice to meet you in the community.
We're working on your problems. Please be patient.

