
Site-to-Site IPsec VPN comes up, but the private IPs cannot communicate

Latest reply: Sep 30, 2018 13:45:43

Issue Description

The customer can establish a VPN tunnel with the head office Cisco VPN gateway successfully by adding the public IP address, but the IPsec-protected traffic cannot pass through the IPsec tunnel: branch private traffic cannot reach the HQ private server.

Handling Process

1. Check the IKE SA and IPsec SA.

<USG6300>display ike sa
11:39:45  2018/08/14
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id    peer                                    flag          phase vpn   
--------------------------------------------------------------------------------------------------
611        1.2.221.17:4500                      RD|ST|A       v1:2  public
610        1.2.221.17:4500                      RD|ST|A       v1:1  public


  flag meaning
  RD--READY      ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING  D--DPD          M--ACTIVE     S--STANDBY
  A--ALONE
 
<USG6300>display ipsec sa
11:39:53  2018/08/14
===============================
Interface: GigabitEthernet1/0/2
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "ipsec08072018"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 611
    rule number: 35
    encapsulation mode: tunnel
    holding time: 0d 0h 1m 50s
    tunnel local : 1.2.54.226    tunnel remote: 3.4.221.17
    flow      source: 192.168.0.0/255.255.0.0 0/0
    flow destination: 11.0.0.0/255.0.0.0 0/0

    [inbound ESP SAs]
      spi: 1915536948 (0x722cc634)
      vpn: public  said: 228  cpuid: 0x0000
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 4608000/3490
      max received sequence-number: 1
      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]
      spi: 1390740150 (0x52e502b6)
      vpn: public  said: 229  cpuid: 0x0000
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 4608000/3490
      max sent sequence-number: 1
      udp encapsulation used for nat traversal: Y

2. Ping the peer private IP from the firewall, using its local IP address as the source, and check the session table.

[USG6300]ping -a 192.168.44.254 172.16.239.197
11:44:20  2018/08/14
  PING 172.16.239.197: 56  data bytes, press CTRL_C to break
    Reply from 172.16.239.197: bytes=56 Sequence=1 ttl=255 time=60 ms
    Reply from 172.16.239.197: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 172.16.239.197: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 172.16.239.197: bytes=56 Sequence=4 ttl=255 time=60 ms
    Reply from 172.16.239.197: bytes=56 Sequence=5 ttl=255 time=60 ms

  --- 172.16.239.197 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/60/60 ms

[USG6300]display firewall session table verbose destination global 172.16.239.197
11:46:54  2018/08/14
 Current Total Sessions : 1
  icmp  VPN:public --> public  ID: a48f40165ee087e0c5b72c128
  Zone: local--> untrust  TTL: 00:00:20  Left: 00:00:17 
  Output-interface: GigabitEthernet1/0/2  NextHop: 172.16.239.197  MAC: 00-00-00-00-00-00
  <--packets:5 bytes:420   -->packets:5 bytes:420
  192.168.44.254:44157-->192.168.239.197:2048 PolicyName: Firewall_AV_Update

3. Ping the peer private IP from a client behind the firewall and check the session table.

[USG6300]display firewall session table verbose destination global 172.16.239.197
11:48:22  2018/08/14
 Current Total Sessions : 1
  icmp  VPN:public --> public  ID: a58f4037e1548432375b72c185
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:19 
  Output-interface: GigabitEthernet1/0/2  NextHop: 172.16.239.197  MAC: aa-bb-cc-dd-38-01
  <--packets:0 bytes:0   -->packets:1 bytes:60 // only the outgoing packet is seen; no ICMP reply comes back
  192.168.44.168:1[172.16.54.231:2092]-->172.16.239.197:2048 PolicyName: policy_ipsec_1

4. The session in step 3 shows the client source 192.168.44.168 translated to 172.16.54.231: the IPsec-protected private traffic matched the NAT policy, and the translated packet no longer matches the IPsec flow (source 192.168.0.0/16), so it cannot pass through the IPsec tunnel.

 

Root Cause

The IPsec-protected private traffic hits the NAT policy, so after translation it no longer matches the protected flow and cannot go through the IPsec tunnel.

Solution

Create a NAT policy rule with action no-nat for the traffic to be protected by IPsec and move it to the top of the nat-policy, so it is matched before the source NAT rule.

nat-policy
 rule name nat_vpn // move this rule to the top of the nat-policy
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 16
  destination-address 10.0.0.0 8
  action no-nat
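As an added illustration (not part of the original case), the following Python model applies the firewall's NAT policy first-match and then checks the IPsec flow, reproducing why the step 3 ping was translated to 172.16.54.231 and missed the tunnel, and why the no-nat rule only helps when it sits at the top. The 192.168.0.0/16 and 10.0.0.0/8 prefixes and the translated address come from the case; the server address 10.0.239.197, the rule name internet_snat and the Internet host 203.0.113.10 are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    src: str                 # source-address as "network/prefix"
    dst: str                 # destination-address as "network/prefix"
    action: str              # "no-nat" or "source-nat"
    translated_src: str = "" # address used when action is "source-nat"


@dataclass
class IpsecFlow:
    src: str                 # protected flow source, as in "display ipsec sa"
    dst: str                 # protected flow destination


def apply_nat(policy, src_ip, dst_ip):
    """First-match evaluation of the nat-policy rules, top to bottom.
    Returns the source address the packet carries after NAT."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule.translated_src if rule.action == "source-nat" else src_ip
    return src_ip


def matches_ipsec_flow(flow, src_ip, dst_ip):
    """IPsec matches the packet *after* NAT, so a translated source misses the flow."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(flow.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(flow.dst))


def forward(policy, flow, src_ip, dst_ip):
    """Return ("ipsec" | "plain", post-NAT source) for one packet."""
    new_src = apply_nat(policy, src_ip, dst_ip)
    path = "ipsec" if matches_ipsec_flow(flow, new_src, dst_ip) else "plain"
    return path, new_src


FLOW = IpsecFlow("192.168.0.0/16", "10.0.0.0/8")
# Constructed: the outbound source NAT rule implied by step 3 (rule name hypothetical).
BEFORE = [NatRule("internet_snat", "192.168.0.0/16", "0.0.0.0/0", "source-nat", "172.16.54.231")]
NAT_VPN = NatRule("nat_vpn", "192.168.0.0/16", "10.0.0.0/8", "no-nat")
AFTER = [NAT_VPN] + BEFORE          # the fix: no-nat rule moved to the top
WRONG_ORDER = BEFORE + [NAT_VPN]    # same rule appended at the bottom, never reached

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER), ("wrong order", WRONG_ORDER)):
        print(label, forward(policy, FLOW, "192.168.44.168", "10.0.239.197"))
```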

 

A common issue. Thanks for the suggestion about it.

Great sharing case, very useful.

I get it, thank you.

If the customer configures destination NAT or NAT server, how should the IPsec be configured?

Can OSPF go through the IPsec tunnel?

I have encountered this question as you did. I have checked a lot of information, but I still had not answered this question clearly. Thank you for sharing this knowledge and solving my doubts. I hope that you can continue to update such knowledge points. Thank you!

When we use the command display ipsec sa, we can see that the IPsec private traffic matched the NAT policy.

This post is novel in concept, with unique ingenuity, clear passages, different plots, ups and downs, distinct lines, and fascinating literary skills. It can be described as a word and a classic sentence, a model that my generation should learn from. I am very interested in this post, which is very helpful to our daily troubleshooting.
