
The IPSec tunnel fails to be set up, causing service interruption.

Latest reply: Nov 17, 2021 08:46:42

Problem

IPsec tunnels have been established between two FWs. After a secondary (sub) address is added to the public-network interface of FW1 and some configuration is modified, the IPsec tunnel can no longer be established, even though the IPsec and IKE parameters are configured correctly on both ends.

1. Run the display ike sa command on FW2. The output shows that the IKE SA is stuck in the NEG (negotiating) state and has not been established.

<FW2> display ike sa
IKE SA information:
Conn-ID        Peer                 VPN    Flag(s)      Phase
----------------------------------------------------------------------
83891196       1.1.1.5:500                 NEG|A        v2:1
Number of IKE SA: 1
----------------------------------------------------------------------

Flag Description:
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING


2. Run the display ike error-info command on FW2. The output shows that the IKE negotiation failed with the reason "peer address mismatch": the source address of the IKE messages arriving from FW1 does not match the remote address configured for the IKE peer on FW2.

<FW2> display ike error-info
current info Num :1
Ike error information:
current ike Error-info number :1
-----------------------------------------------------------------------------------------
peer            port  error-reason               version  error-time
-----------------------------------------------------------------------------------------
1.1.1.5         500   peer address mismatch      v2       2017-09-05 07:22
-----------------------------------------------------------------------------------------


3. Check the secondary (sub) address configured on the FW1 interface to which the IPsec policy is applied.

interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
ip address 1.1.1.5 255.255.255.0 sub
ipsec policy map1


Possible Cause

The local address used by the initiator (FW1) is different from the peer address configured on the responder (FW2).


Handling Procedure

1. Run the display ike peer [name peer-name] command on both ends to check whether the IKE peer addresses configured at the two ends match.

<FW1> display ike peer name b
------------------------------------------------
Peer name: b
IKE version: v2
VPN instance: -
Remote IP: 2.1.1.1
Authentic IP address: -
Proposal: 10
Pre-shared-key: %^%#=Q90U4SSw&~$c]YM.} !$} HWfFOm+G&i@`BW '7ETS%^%#
Local ID type: IP
Local ID: -
Remote ID type: -
Remote ID: -
.........
------------------------------------------------

<FW2> display ike peer name a
------------------------------------------------
Peer name: a
IKE version: v2
VPN instance: -
Remote IP: 1.1.1.5
Authentic IP address: -
Proposal: 10
Pre-shared-key: %^%#.SBO>Q {o#@_BHQ/%ULL;f3%rOo4+*3fs3TI7sX\ '%^%#
Local ID type: IP
Local ID: -
Remote ID type: -
Remote ID: -
..........
------------------------------------------------


The output shows that the peer address configured on FW2 (1.1.1.5) is the secondary address of FW1. In IKE negotiation, FW1 by default uses the primary address of the interface (1.1.1.1) as its local address, so the local address of the initiator differs from the peer address configured on the responder, and the IKE SA negotiation fails.


2. On FW1, specify the secondary address as the local address of the IPsec tunnel.

ipsec policy map1 10 isakmp
tunnel local 1.1.1.5

After the modification, the IPsec tunnel is set up successfully and the PCs can access each other.


Suggestions and Summary

In ISAKMP mode, the local IP address of the IPsec tunnel does not need to be configured: during SA negotiation, it is selected based on the route to the peer. You need to configure the local IP address explicitly in the following situations:

If the IP address of the interface to which the IPsec policy is applied is not fixed or is unpredictable, run the tunnel local ip-address command to specify the IP address of another interface on the device (such as a loopback interface) as the local IP address of the IPsec tunnel. Alternatively, run the tunnel local applied-interface command to use the IP address of the interface to which the IPsec policy is applied as the local IP address.

If multiple IP addresses (one primary IP address and several secondary IP addresses) are configured on the interface to which the IPsec policy is applied, run the tunnel local ip-address command to specify which of them is the local IP address of the IPsec tunnel. Alternatively, run the tunnel local applied-interface command to use the primary IP address of the interface as the local IP address. Whichever you choose, the address must be the one configured as the remote address of the IKE peer on the other end.

If equal-cost routes exist between the local and peer ends, run the tunnel local { ip-address | applied-interface } command to specify the local IP address of the IPsec tunnel, so that the address does not depend on which route is chosen.
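As an added example (not part of the original post, and not Huawei's software), the following Python script applies the checks from this case offline. It parses a VRP-style configuration fragment to find the interface that binds an IPsec policy, works out which address the device will use as the IKE local address (an explicit tunnel local ip-address under the policy, otherwise the primary address of the bound interface, as in this case; the route-based selection on multi-homed devices is not modelled), compares it with the remote IP configured on the peer, and parses display ike error-info output for the "peer address mismatch" reason. The configuration and command output are constructed from the values shown above; the ike-peer line in the policy block is assumed filler.

```python
import re
from ipaddress import ip_address

# Constructed FW1 running-config fragment, modelled on the case above
# (the ike-peer line under the policy is assumed filler).
FW1_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 ip address 1.1.1.5 255.255.255.0 sub
 ipsec policy map1
#
ipsec policy map1 10 isakmp
 ike-peer b
"""
# The same fragment after the fix from the handling procedure.
FW1_CONFIG_FIXED = FW1_CONFIG.replace(
    "ipsec policy map1 10 isakmp\n", "ipsec policy map1 10 isakmp\n tunnel local 1.1.1.5\n")
# Constructed "display ike error-info" row from FW2, as shown above.
FW2_ERROR_INFO = """\
1.1.1.5   500   peer address mismatch   v2       2017-09-05 07:22
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+)( sub)?$")
ERR_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(.+?)\s+(v[12])\s+(\S+ \S+)$")

def split_blocks(config):
    """VRP-style config -> [(header, body_lines)]: a non-indented line opens a block,
    indented lines belong to it, '#' or a blank line closes it."""
    blocks, header, body = [], None, []
    for line in (raw.rstrip() for raw in config.splitlines()):
        if line and line[0].isspace():          # indented: part of the current block
            body.append(line.strip())
            continue
        if header is not None:                  # '#', blank or a new header closes it
            blocks.append((header, body))
        header, body = (None if line in ("", "#") else line), []
    if header is not None:
        blocks.append((header, body))
    return blocks

def bound_interface(config, policy_name):
    """Primary and secondary ('sub') addresses of the interface that applies the policy."""
    for header, body in split_blocks(config):
        if not header.startswith("interface "):
            continue
        info = {"name": header.split(None, 1)[1], "primary": None, "secondary": []}
        for line in body:
            m = IP_RE.match(line)
            if m and m.group(3):
                info["secondary"].append(m.group(1))
            elif m:
                info["primary"] = m.group(1)
            elif line == "ipsec policy " + policy_name:
                info["bound"] = True
        if info.get("bound"):
            return info
    return None

def effective_local_address(config, policy_name):
    """Address the device puts in IKE as its local address: an explicit 'tunnel local
    ip-address' under the ISAKMP policy, otherwise the primary address of the bound
    interface (the default seen in this case; route-based selection is not modelled)."""
    iface = bound_interface(config, policy_name)
    if iface is None:
        return None
    for header, body in split_blocks(config):
        parts = header.split()
        if parts[:3] == ["ipsec", "policy", policy_name] and "isakmp" in parts:
            for line in body:
                if line.startswith("tunnel local ") and line.split()[2] != "applied-interface":
                    return line.split()[2]
    return iface["primary"]

def check_peer_address(config, policy_name, peer_remote_ip):
    """(ok, local_address, message): does our local address equal the peer's remote-ip?"""
    local = effective_local_address(config, policy_name)
    if local is None:
        return False, None, "no interface binds policy %s" % policy_name
    if ip_address(local) == ip_address(peer_remote_ip):
        return True, local, "local %s matches the peer's remote-ip" % local
    msg = "local %s != peer's remote-ip %s" % (local, peer_remote_ip)
    if peer_remote_ip in bound_interface(config, policy_name)["secondary"]:
        msg += "; it is a secondary address, add 'tunnel local %s' under the policy" % peer_remote_ip
    return False, local, msg

def parse_error_info(output):
    """Rows of 'display ike error-info' as dicts (peer, port, reason, version, time)."""
    rows = []
    for line in output.splitlines():
        m = ERR_RE.match(line.strip())
        if m:
            rows.append(dict(zip(("peer", "port", "reason", "version", "time"), m.groups())))
    return rows

def diagnose(config, policy_name, peer_remote_ip, error_info):
    """Responder error table plus initiator config check -> list of findings."""
    findings = ["responder reports '%s' from %s (IKE%s)" % (r["reason"], r["peer"], r["version"][1:])
                for r in parse_error_info(error_info) if r["reason"] == "peer address mismatch"]
    ok, _, msg = check_peer_address(config, policy_name, peer_remote_ip)
    if not ok:
        findings.append("initiator config: " + msg)
    return findings

if __name__ == "__main__":
    print(diagnose(FW1_CONFIG, "map1", "1.1.1.5", FW2_ERROR_INFO))
    print(diagnose(FW1_CONFIG_FIXED, "map1", "1.1.1.5", ""))
```

Run stand-alone, the script reports two findings for the broken configuration (the responder's "peer address mismatch" row and the 1.1.1.1 versus 1.1.1.5 disagreement, with the tunnel local hint) and none for the fixed one. The check is the same one a reviewer would do by hand from display ike peer on both ends; automating it is useful when a change such as adding a secondary address is rolled out across many devices.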

Thanks for sharing this information, very useful.

This is a very classic case, thanks for your sharing :)

I am very interested in this post, which is very helpful for our daily troubleshooting. I always have similar problems in my daily work, but I did not know how to deal with them. Now I have a clear idea. Thank you very much for your sharing. I hope you can continue to post updates like this.

This case helped me solve one issue, good skill. If multiple IP addresses (one primary IP address and multiple secondary IP addresses) are configured for the interface bound to the IPsec policy, run the tunnel local ip-address command to specify an IP address as the local IP address of the IPsec tunnel; you can also run the tunnel local applied-interface command to specify the primary IP address of the interface as the local IP address of the IPsec tunnel. If equal-cost routes exist between the local and peer ends, run the tunnel local { ip-address | applied-interface } command to specify the local IP address of the IPsec tunnel.

Thank you very much for your sharing. I'm delighted to wait for your future posts.

Thanks for the details.

Thanks for your sharing.

Thanks for your sharing.
