
IPSec tunnel cannot be established normally with AR

Latest reply: Dec 20, 2018 03:23:05

Hello everyone,

Today, I will introduce how to solve a problem where the IPSec tunnel cannot be established between two AR routers.

Issue Description

An AR1200E-S is configured with multiple egresses. After the IPSec profile is configured, some tunnels can be set up, but one IPSec tunnel fails to be set up.

Handling Process

1. The peer end accesses the Internet by PPPoE dialup. Query the public IP address X.X.X.X and check the IKE negotiation status. If the flag is null, it indicates that packets are received and the IPSec process has started.


2. Check that the configuration is correct and that the IKE parameters are the same as those on the TP-Link device at the peer end.

3. Check the debugging information.

The received packet shows no problem:

<Huawei10>
Jun 21 2018 11:38:24.550.1+00:00 Huawei10 IKE/7/IKE_Debug Info:
IKE Packet Contents received from X.X.X.X for message type Recv_SA_KE_NONCE_ID_VID : 808787f1 150b5a5c 00000000 00000000 01100400 00000000 0000018a 04000034 00000001 00000001 00000028 01010001 00000020 01010000 80010005 80020001 80030001 80040002 800b0001 800c7080 0a000084 726e34c4 8431324a d1ffc74d bdadfa09 a06e3d90 0c350477 aabf3435 f1c0dcae c42fb9b3 035b5141 1ed6982f e5d3a9bb a588968e d6befbda 93734697 e789c68a b18c6c6a fd0bd31b 22d825b1 cf3b9477 4fa318b2 d10e5cce 90f49c4b 12f5226c 96820a8e 3cb90782 826c21ec 1d02e6f1 1b9594e6 84c4e2c7 f8f8cd31 6087ea7e 05000044 0d983ba2 5d078552 d7b4e9f6 c5e0b44a be3f6f88 6ed2d2f0 e4a7ef67 dc7cece1 c0da20a1 601fc0d5 704c2780 97233b15 e0572869 e7985508 e588dbf9 a2e14098 0d00000e 02000000 737a7465 73740d00 00144a13 1c810703 58455c57 28f20e95 452f0d00 00144485 152d18b6 bbcd0be8 a8469579 ddcc0d00 001

The encapsulated (sent) packet also shows no problem:

<Huawei10>
Jun 21 2018 11:38:24.570.1+00:00 Huawei10 IKE/7/IKE_Debug Info:
IKE Packet Contents sent to X.X.X.X for message type Send_SA_KE_NONCE_ID_VID_NATD_AUTH : 808787f1 150b5a5c 6e78792b 60fe2607 01100400 00000000 000001b0 04000034 00000001 00000001 00000028 01010001 00000020 01010000 80010005 80020001 80030001 80040002 800b0001 800c7080 0a000084 d7cc0862 d8eb3b22 c6ef2441 fc0820b7 81e77de4 987168d6 45a284ce 3672bad4 b25a4263 4c432803 3d612c2d 5443ced6 82f08caa db155346 89dacbbe 03659378 25ed7485 c9f60096 56606e6e 167b4f61 afff0b29 8fdfcbb4 74a56161 a635b79d fb3732cc 277a2e8c 7bf3ed7a b16b550b 024fe83b 6fc76eb8 a3234adf f2a10bd8 05000044 b9918c02 3d51943d 9080b17a a285ff98 e8e1b212 39fe22d0 98ce4e7d 1cceb006 4aecd463 f9d24cda 94c52f9b 99249930 41a4d09b 091bddc4 3a97f3f6 3d96674d 0d00000c 02000000 636f7265 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 0d000014

But the peer end does not receive any packet.


4. It is unlikely that the carrier causes the problem. Check the routing table: the default route through the outbound interface does not exist, and the outbound interface GigabitEthernet0/0/0 has a fixed IP address.


Check the route configuration of the router. The peer ends that can establish the IPSec tunnel use static routes, and the default route through the G0/0/0 interface has preference 65:

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 x.x.x.x preference 65

Therefore, the route is faulty. Although the router has encapsulated the IKE packet, it does not send the packet over the corresponding link. As a result, the peer end cannot receive the packet and the negotiation fails.

Root Cause

The route priority of the IKE packet's outbound interface is lower than that of the other outbound interfaces (a higher preference value means a lower priority). As a result, packets are not sent over the corresponding link.

After the problem is found, it turns out that the customer needs to access the Internet through the dialer port. The peer end has a dialup device, its IP address is not fixed, and a static route cannot be written. Therefore, the problem cannot be handled in the usual way.

Solution

The customer requires that the dialer port be used for Internet access by default. The peer end has a dial-up device, its IP address is not fixed, and a static route cannot be written. Therefore, the following configuration scheme is provided:

1. Change the preference of the default route through G0/0/0 to 55 so that it is preferred over the dialer default route.

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 218.17.X.X preference 55

2. Configure PBR to implement load balancing.

acl 3100  // for Internet access
 rule permit ip
acl 3200  // for IPsec interesting traffic
 rule permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
traffic classifier test
 if-match acl 3100
traffic classifier ipsec
 if-match acl 3200
traffic behavior test
 redirect ip-nexthop 1.1.1.1
traffic behavior ipsec
 permit
traffic policy test
 classifier ipsec behavior ipsec  // must come before the catch-all classifier
 classifier test behavior test
ip route-static 1.1.1.1 32 Dialer 1
ip route-static 1.1.1.1 32 Dialer 2

After the configuration, apply the traffic policy to the internal network interface in the inbound direction.

After the configuration, the customer can dial up to the VPN and access the Internet through a dialer.
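To make the route-selection and PBR logic of this case concrete, here is an added Python model (not from the original post or from Huawei) of how the AR picks an egress: longest prefix match, then the lowest preference value wins, and the inbound traffic policy redirects only traffic that does not match acl 3200. It assumes the Dialer default route carries the VRP default static preference of 60, and all addresses are constructed samples.

```python
import ipaddress

# Added model of the AR's forwarding decision from the post (not device code).
# Assumption: the Dialer default route has the default static preference 60.

def wildcard_match(addr, network, wildcard):
    """Huawei ACL wildcard mask: a 1 bit means 'don't care' (e.g. 0.0.255.255)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def lookup(routes, dst):
    """Longest prefix first, then lowest preference; equal routes load-balance."""
    d = ipaddress.IPv4Address(dst)
    cands = [r for r in routes if d in ipaddress.IPv4Network(r["prefix"])]
    if not cands:
        return []
    plen = max(ipaddress.IPv4Network(r["prefix"]).prefixlen for r in cands)
    cands = [r for r in cands if ipaddress.IPv4Network(r["prefix"]).prefixlen == plen]
    pref = min(r["pref"] for r in cands)
    return sorted(r["iface"] for r in cands if r["pref"] == pref)

def forward(routes, src, dst):
    """LAN traffic: traffic policy 'test' (inbound) is evaluated before routing."""
    ipsec = (wildcard_match(src, "192.168.0.0", "0.0.255.255")
             and wildcard_match(dst, "172.16.0.0", "0.0.255.255"))
    if not ipsec:
        # classifier test / behavior test: redirect ip-nexthop 1.1.1.1
        dst = "1.1.1.1"
    # classifier ipsec / behavior ipsec: permit, so normal routing applies
    return lookup(routes, dst)

def routes_with(ge_pref):
    """Routing table with the GE0/0/0 default route at the given preference."""
    return [
        {"prefix": "0.0.0.0/0", "iface": "GigabitEthernet0/0/0", "pref": ge_pref},
        {"prefix": "0.0.0.0/0", "iface": "Dialer1", "pref": 60},  # assumed
        {"prefix": "1.1.1.1/32", "iface": "Dialer1", "pref": 60},
        {"prefix": "1.1.1.1/32", "iface": "Dialer2", "pref": 60},
    ]

if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed stand-in for the peer's public IP
    # Locally generated IKE packets bypass the inbound LAN policy and follow the table.
    print("IKE egress, pref 65:", lookup(routes_with(65), peer))  # ['Dialer1'] (wrong link)
    print("IKE egress, pref 55:", lookup(routes_with(55), peer))  # ['GigabitEthernet0/0/0']
    print("LAN to Internet:", forward(routes_with(55), "192.168.1.5", "198.51.100.7"))
    print("LAN to branch:", forward(routes_with(55), "192.168.1.5", "172.16.2.9"))
```

The first two lines of output reproduce the root cause: with preference 65 the IKE packet leaves via the dialer, with preference 55 it leaves via GigabitEthernet0/0/0, while LAN Internet traffic is still redirected to the dialers.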

Suggestions

This fault is mainly a routing problem that arises from the user's special requirements. This solution can be used for reference.


That is all I want to share with you!


Mark.hu
Created Oct 18, 2018 02:07:56

This post was last edited by Mark.hu at 2018-10-31 06:54. This is a great share. If it is for me to solve it, I can't think of it in this way to meet the load balancing requirements of users. Thank you for sharing. It really opens my eyes.

Torrent
Created Oct 18, 2018 02:12:35

This post was last edited by Torrent at 2018-10-22 06:00. This is a good example for us; we usually meet this issue.
But is there any simple way to troubleshoot IPSec issues?
Because it is a good example but also too difficult.

GongXiaochuan
Created Oct 18, 2018 03:49:16

This post was last edited by GongXiaochuan at 2018-10-30 05:48.

Good to know the troubleshooting steps, thank you for sharing.


Finn92
Created Oct 18, 2018 07:50:36

This post was last edited by Finn92 at 2018-10-31 06:49.

The route priority of the ike packet is lower than that of other outbound interfaces. As a result, packets are not sent to the corresponding link.

After the problem is found, the customer needs to access the Internet through the dialer port. The peer end has a dialup device, the IP address is not fixed, and the static route cannot be written. Therefore, the problem cannot be handled as usual.

The root cause is very helpful in my daily work, thank you very much.

 


Skay
Created Oct 19, 2018 07:33:57

Thanks for your sharing.
Your good example helped me solve one similar issue:
The customer requires that the dialer port be used for Internet access by default. The peer end has a dial-up device, the IP address is not fixed, and the static route cannot be written. Therefore, the following configuration scheme is provided:

1. Change the preference to 55 for routing ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 218.17.X.X preference 65

Thanks again.

lizhi94
Created Oct 19, 2018 09:32:24

I have acquired a lot of knowledge, which encourages me to go ahead to an excellent level.
The post is also useful and practical to me and brings the knowledge of network technology to us.
At the same time, this post offers a nice reference for the case where the IPSec tunnel cannot be established normally with AR. This is a rare sticker that has been rare for a hundred years! Heaven has eyes, let me see such a wonderful post in the eugenic year.
Thank you very much for your sharing. Hope you can continue to update like this.

yangyong
Created Oct 19, 2018 09:38:18

I just faced a similar issue, thanks for sharing, it resolved my issue.

littlestone
Created Oct 23, 2018 04:04:24

It's so great.
I am very interested in this sharing, which is very helpful to our daily work. I have similar problems in my daily troubleshooting, but I did not know how to deal with them. Now I have a clear idea. Thank you very much for your post. Hope you can continue to update like this, thank you very much.

w1
Created Oct 27, 2018 13:43:03

Good case for IPSec tunnels; this situation is very common. The details of this case can guide me to fix the same issue when I experience an IPSec tunnel issue.