
Troubleshooting IPsec between SBC A - Firewall - SBC B (DMZ)

Latest reply: Dec 8, 2021 18:10:36

Hi, dear!

This post walks through troubleshooting the IPsec tunnel between two SBCs used for external terminal access in the EC V6R19 solution.

The SE1000 firmware version used was V300R019C00SPC300.

Topology used: Intranet - SBC A - IPsec - FW - IPsec - SBC DMZ (B) - FW - Internet

Topology


Solution

1. Check the configuration of both SBCs against the product documentation and make sure the following is correct on both sides:

  • The ACL (ADD ACLRULE) must have two rules, uplink and downlink: peer to local and local to peer;

  • The TRIG parameter of IPSECPLC must be set to Auto;

  • The SHKEY parameter of ADD IKEPEER must be the same on both ends.

SBC configuration


2. Check the IPsec tunnel state using the following MML commands:

DSP IPSECSA: VMNAME="VM_SE1000";

DSP IKESA: VMNAME="VM_SE1000";

or

DSP IPSECSA;

DSP IKESA;

Check the negotiation phase of the IKE SA and IPsec SA:

A) SBC-A MML output for DSP IPSECSA command:

+++    SE1000/*MEID:10 MENAME:SE1000_10*/        2019-05-28 02:20+02:00 O&M    #470
%%DSP IPSECSA: VMNAME="VM_SE1000", DT=PEER, LADDR="192.168.x.x", PADDR="172.16.x.x", IPPRO=AH;%%
RETCODE = 5090251  No information matches the entered parameters
---    END

B) SBC-A MML output for DSP IKESA command:

%%DSP IKESA: VMNAME="VM_SE1000", LADDR="192.168.x.x", DT=PEERNM, PEERNM="PEER_192.168.x.x";%%
RETCODE = 0  Operation succeeded
The IKE SA information on virtual machine is as follows
-------------------------------------------------------
Virtual machine name  =  VM_SE1000
Location description  =  Host-omu_server1/IP-192.168.x.x
    Connection index  =  155
    Local IP address  =  192.168.x.x
     Peer IP address  =  172.16.x.x
            VRF name  =  NULL
   Negotiation phase  =  PHASE1
         IKE version  =  IKEv1_only
    Initiator Cookie  =  0x51494eca0f7fa53b
    Responder Cookie  =  0x0000000000000000
               State  =  NULL
(Number of results = 1)

C) SBC-B MML output for DSP IPSECSA command:

+++    SE1000/*MEID:10 MENAME:SE1000_10*/        2019-05-28 02:20+02:00 O&M    #548
%%DSP IPSECSA: VMNAME="VM_SE1000", DT=PEER, LADDR="172.16.x.x", PADDR="192.168.x.x ", IPPRO=AH;%%
RETCODE = 5090251  No information matches the entered parameters
---    END

D) SBC-B MML output for DSP IKESA command:

+++    SE1000/*MEID:10 MENAME:SE1000_10*/        2019-05-28 02:20+02:00 O&M    #588
%%DSP IKESA: VMNAME="VM_SE1000", LADDR="172.16.x.x", DT=PEERNM, PEERNM="PEER_172.16.x.x";%%
RETCODE = 0  Operation succeeded

The IKE SA information on virtual machine is as follows

-------------------------------------------------------
Virtual machine name  =  VM_SE1000
Location description  =  Host-omu_server1/IP-172.16.x.x
    Connection index  =  11028
    Local IP address  =  172.16.x.x
     Peer IP address  =  192.168.x.x
            VRF name  =  NULL
   Negotiation phase  =  PHASE1
         IKE version  =  IKEv1_only
    Initiator Cookie  =  0xaa0fb479dccfc27d
    Responder Cookie  =  0x0000000000000000
               State  =  NULL
(Number of results = 1)
---    END


If you see these outputs (no IPsec SA at all, and an IKE SA stuck in PHASE1 with an all-zero Responder Cookie and State = NULL), the IKE negotiation is still not complete and you need to ping every node as follows:

  • Ping from IPsec SBC A to IPsec SBC B;

  • Ping from IPsec SBC B to IPsec SBC A;

  • Ping from SBC A to firewall gateway A;

  • Ping from SBC B to firewall gateway B;

  • Ping from SBC A to firewall gateway B;

  • Ping from SBC B to firewall gateway A;

Intranet firewall traversal

3. If the ping from SBC A to firewall gateway B fails, the issue resides on the firewall side.

Make sure that the firewall configuration, routes and security policies allow SBC A and SBC B to communicate in both directions.


Once the configuration is correct and the IPsec tunnel is working properly, the output should look like this:

A) SBC-A MML output for DSP IPSECSA command:

O&M    #1057
%%DSP IPSECSA: VMNAME="VM_SE1000";%%
RETCODE = 0  Operation succeeded

The IPSec SA information on virtual machine is as follows

---------------------------------------------------------
IPSecSa index  Virtual machine name  Location description                 Local IP address  Peer IP address  VRF name  Security parameter index  IPSec protocol  Authentication algorithm  Encryption algorithm  Received or sent bytes
0              VM_SE1000             Host-omu_server1/IP-192.168.x.x  172.16.x.x      192.168.x.x  NULL      25685530                  AH              HMAC MD5                  NULL                  84360                
1              VM_SE1000             Host-omu_server1/IP-192.168.x.x  192.168.x.x   172.16.x.x     NULL      63332348                  AH              HMAC MD5                  NULL                  48064                
(Number of results = 2)
---    END

B) SBC-A MML output for DSP IKESA command:

%%DSP IKESA: VMNAME="VM_SE1000";%%
RETCODE = 0  Operation succeeded

The IKE SA information on virtual machine is as follows

-------------------------------------------------------
Virtual machine name  Location description                 Connection index  Local IP address  Peer IP address  VRF name  Negotiation phase  IKE version  Initiator Cookie    Responder Cookie    State
VM_SE1000             Host-omu_server1/IP-192.168.x.x  2520              192.168.x.x   172.16.x.x     NULL      PHASE1             IKEv1_only   0x37695e4b83a9fbea  0x9ab45feef2b2d41a  RD   
VM_SE1000             Host-omu_server1/IP-192.168.x.x  2521              192.168.x.x   172.16.x.x     NULL      PHASE2             IKEv1_only   0x37695e4b83a9fbea  0x9ab45feef2b2d41a  RD   
(Number of results = 2)
---    END

C) SBC-B MML output for DSP IPSECSA command:

%%DSP IPSECSA: VMNAME="VM_SE1000";%%
RETCODE = 0  Operation succeeded

The IPSec SA information on virtual machine is as follows

---------------------------------------------------------
IPSecSa index  Virtual machine name  Location description              Local IP address  Peer IP address  VRF name  Security parameter index  IPSec protocol  Authentication algorithm  Encryption algorithm  Received or sent bytes
0              VM_SE1000             Host-omu_server1/IP-172.16.x.x  192.168.x.x   172.16.x.x     NULL      63332348                  AH              HMAC MD5                  NULL                  49104                
1              VM_SE1000             Host-omu_server1/IP-172.16.x.x  172.16.x.x      192.168.x.x  NULL      25685530                  AH              HMAC MD5                  NULL                  86752                
(Number of results = 2)
---    END

D) SBC-B MML output for DSP IKESA command:

%%DSP IKESA: VMNAME="VM_SE1000";%%
RETCODE = 0  Operation succeeded

The IKE SA information on virtual machine is as follows

-------------------------------------------------------
Virtual machine name  Location description              Connection index  Local IP address  Peer IP address  VRF name  Negotiation phase  IKE version  Initiator Cookie    Responder Cookie    State
VM_SE1000             Host-omu_server1/IP-172.16.x.x  13326             172.16.x.x      192.168.x.x  NULL      PHASE1             IKEv1_only   0x37695e4b83a9fbea  0x9ab45feef2b2d41a  RD|ST
VM_SE1000             Host-omu_server1/IP-172.16.x.x  13327             172.16.x.x      192.168.x.x  NULL      PHASE2             IKEv1_only   0x37695e4b83a9fbea  0x9ab45feef2b2d41a  RD|ST
(Number of results = 2)
---    END
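To make the reading of the step 2 outputs and of the healthy outputs above repeatable, here is an added Python example (not from the post and not Huawei code) that parses the two MML layouts the SE1000 prints, the vertical "key  =  value" layout used when a single SA matches and the column layout used when several match, and classifies the tunnel from them. The embedded samples are trimmed copies of the post's own outputs with the addresses masked as in the post; the column positions are taken from the header rows shown above, and the status labels ("established", "phase1-no-response", "no-ipsec-sa") are this example's own names, not SE1000 terminology.

```python
import re

# RETCODE the SE1000 returns when no SA matches (seen in the post's step 2 output).
RETCODE_NO_MATCH = "5090251"

# Constructed samples: trimmed copies of the post's outputs, addresses masked as in the post.
IKESA_STUCK = """\
%%DSP IKESA: VMNAME="VM_SE1000", LADDR="192.168.x.x", DT=PEERNM, PEERNM="PEER_192.168.x.x";%%
RETCODE = 0  Operation succeeded
Virtual machine name  =  VM_SE1000
Location description  =  Host-omu_server1/IP-192.168.x.x
    Connection index  =  155
    Local IP address  =  192.168.x.x
     Peer IP address  =  172.16.x.x
   Negotiation phase  =  PHASE1
         IKE version  =  IKEv1_only
    Initiator Cookie  =  0x51494eca0f7fa53b
    Responder Cookie  =  0x0000000000000000
               State  =  NULL
(Number of results = 1)
"""
IPSECSA_NONE = """\
%%DSP IPSECSA: VMNAME="VM_SE1000", DT=PEER, LADDR="192.168.x.x", PADDR="172.16.x.x", IPPRO=AH;%%
RETCODE = 5090251  No information matches the entered parameters
---    END
"""
IKESA_UP = """\
%%DSP IKESA: VMNAME="VM_SE1000";%%
RETCODE = 0  Operation succeeded
Virtual machine name  Location description  Connection index  Local IP address  Peer IP address  VRF name  Negotiation phase  IKE version  Initiator Cookie  Responder Cookie  State
VM_SE1000  Host-omu_server1/IP-192.168.x.x  2520  192.168.x.x  172.16.x.x  NULL  PHASE1  IKEv1_only  0x37695e4b83a9fbea  0x9ab45feef2b2d41a  RD
 VM_SE1000  Host-omu_server1/IP-192.168.x.x  2521  192.168.x.x  172.16.x.x  NULL  PHASE2  IKEv1_only  0x37695e4b83a9fbea  0x9ab45feef2b2d41a  RD
(Number of results = 2)
"""
IPSECSA_UP = """\
%%DSP IPSECSA: VMNAME="VM_SE1000";%%
RETCODE = 0  Operation succeeded
IPSecSa index  Virtual machine name  Location description  Local IP address  Peer IP address  VRF name  Security parameter index  IPSec protocol  Authentication algorithm  Encryption algorithm  Received or sent bytes
0  VM_SE1000  Host-omu_server1/IP-192.168.x.x  172.16.x.x  192.168.x.x  NULL  25685530  AH  HMAC MD5  NULL  84360
 1  VM_SE1000  Host-omu_server1/IP-192.168.x.x  192.168.x.x  172.16.x.x  NULL  63332348  AH  HMAC MD5  NULL  48064
(Number of results = 2)
"""


def parse_retcode(text):
    """Return the RETCODE of an MML response as a string, or None if absent."""
    m = re.search(r"RETCODE\s*=\s*(\d+)", text)
    return m.group(1) if m else None


def parse_ikesa(text):
    """Return IKE SA records (phase, state, responder cookie) from DSP IKESA output."""
    # Vertical layout: one 'key  =  value' pair per line.
    kv = dict(re.findall(r"^\s*([A-Za-z ]+?)\s*=\s*(\S.*?)\s*$", text, re.M))
    if "Negotiation phase" in kv:
        return [{"phase": kv["Negotiation phase"], "state": kv["State"],
                 "resp_cookie": kv["Responder Cookie"]}]
    # Column layout: vm, location, conn index, local, peer, vrf, phase,
    # version, initiator cookie, responder cookie, state (assumed from the header row).
    records = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 11 and cols[0].startswith("VM_"):
            records.append({"phase": cols[6], "state": cols[10], "resp_cookie": cols[9]})
    return records


def parse_ipsecsa(text):
    """Return IPsec SA records from DSP IPSECSA output (empty when RETCODE 5090251)."""
    records = []
    for line in text.splitlines():
        cols = line.split()
        # Data rows start with the SA index; 'HMAC MD5' contains a space,
        # so the algorithm columns are taken relative to the end of the row.
        if len(cols) >= 11 and cols[0].isdigit():
            records.append({"index": int(cols[0]), "local": cols[3], "peer": cols[4],
                            "spi": cols[6], "proto": cols[7],
                            "auth": " ".join(cols[8:-2]), "enc": cols[-2],
                            "bytes": int(cols[-1])})
    return records


def classify(ikesa_text, ipsecsa_text):
    """Map the two MML responses to one of the situations described in the post."""
    ike = parse_ikesa(ikesa_text)
    ipsec = parse_ipsecsa(ipsecsa_text)
    directions = {(r["local"], r["peer"]) for r in ipsec}  # one SA per direction when healthy
    phase2_ready = any(r["phase"] == "PHASE2" and r["state"].startswith("RD") for r in ike)
    if len(directions) >= 2 and phase2_ready:
        return "established"
    if parse_retcode(ipsecsa_text) == RETCODE_NO_MATCH or not ipsec:
        for r in ike:
            # Stuck in PHASE1 with a zero responder cookie and State NULL: the
            # peer never answered, so start the ping checks of step 2.
            if r["phase"] == "PHASE1" and r["state"] == "NULL" and int(r["resp_cookie"], 16) == 0:
                return "phase1-no-response"
        return "no-ipsec-sa"
    return "unknown"


if __name__ == "__main__":
    print("step 2 outputs  :", classify(IKESA_STUCK, IPSECSA_NONE))
    print("healthy outputs :", classify(IKESA_UP, IPSECSA_UP))
```

Paste the raw output of the two commands from each SBC into the two string arguments of classify(); "phase1-no-response" is the situation of step 2 and points you to the ping matrix, while "established" requires both a PHASE2 IKE SA in RD state and an IPsec SA in each direction, as in the healthy outputs above.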


Root Cause

Checked the firewall again to see why the ping was not working and found that one route was not configured correctly.


Solution

Change the routes for the IPsec tunnel on the third-party firewall.


Best wishes!

Nice sharing

Thank you Hike!

nice sharing, it is common

Well done, thanks

Very descriptive and technical. Thank you for the information!

Thanks for sharing

NICE ONE

Great share
