
Troubleshooting Of IPSEC Negotiation failures

Latest reply: Oct 31, 2018 03:54:00

Troubleshooting Of Negotiation failures

Step 1: Check whether IPSec SAs and IKE SAs are generated.

Step 2: Check whether the IPSec peer address is reachable. If so, go to step 3.

Step 3: Check whether the two ends of the IPSec tunnel use the same IPSec proposal. Run the display ipsec proposal command on the two ends. If the two ends use the same IPSec proposal, go to step 4.

Step 4: Check whether the traffic to be protected on the two ends is matching (the source and destination IP addresses of the two ends should be mirrored). If so, go to step 5.

Step 5: Check whether the two ends of the IPSec tunnel use the same IPSec policy. Run the display ipsec policy command on the two ends. If the policies on the two ends are matched, go to step 6.

Step 6: Check whether the IKE peer configuration is correct. Run the display ike peer command to check whether the IKE negotiation mode and IKE version are correct. If the IKE peer configuration is correct, go to step 7.

Step 7: Check whether the two ends of the IPSec tunnel use the same IKE proposal. Run the display ike proposal command on the two ends. If the two ends use the same IKE proposal, go to step 8. If the authentication mode is set to pre-shared key authentication, you must configure a pre-shared key for each peer and ensure that the pre-shared keys of the two ends are the same. If the pre-shared keys are different, run the pre-shared-key command to change the authentication key.

Step 8: Collect the following information and contact Huawei technical support engineers: execution results of the preceding steps, device configuration files, logs, and alarms.

Steps of packet capture

1. First define the features of the packets to be captured.

acl 3333

rule permit ip source x.x.x.x 0 destination y.y.y.y 0

rule permit ip source y.y.y.y 0 destination x.x.x.x 0

2. Assign the ACL number to a physical interface.

packet-capture ipv4-packet 3333 interface g1/0/0

3. Start the packet capture.

packet-capture startup packet-len 1500

4. Save the result to a file.

packet-capture queue 0 to-file packet.cap

If the above 4 steps have been done and the IPSec tunnel is still not up, please help to collect the debugging information.

For IKEv1:

debugging ikev1 all

For IKEv2:

debugging ikev2 all

For IPSEC:

debugging ipsec all

Please also collect the diagnose-info of the device.
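Steps 3, 4 and 7 of the checklist all come down to comparing what the two ends show and spotting the one attribute that differs. The following Python example is added here and is not code from the post or from Huawei: it parses "key : value" lines generically and checks that the protected-traffic ACL rules are mirror images. The display output and ACL text are constructed to resemble Huawei VRP output; real field names may differ, and the function names are this example's own.

```python
"""Added example (not from the post): compare the IKE/IPsec proposal attributes
shown on the two peers and check that the protected-traffic ACLs mirror each
other. The 'display' output and ACL text below are CONSTRUCTED to resemble
Huawei VRP output; real field names may differ, so the parser treats any
'key : value' line generically rather than assuming an exact format."""
import re
from typing import Dict, List, Tuple

# Constructed sample: same proposal number on both ends, but the remote peer
# uses a different authentication algorithm and DH group.
LOCAL_IKE_PROPOSAL = """\
 IKE Proposal: 10
   Authentication method      : pre-shared key
   Authentication algorithm   : SHA2-256
   Encryption algorithm       : AES-CBC-256
   DH group                   : MODP-2048
   SA duration                : 86400
"""
REMOTE_IKE_PROPOSAL = """\
 IKE Proposal: 10
   Authentication method      : pre-shared key
   Authentication algorithm   : SHA1
   Encryption algorithm       : AES-CBC-256
   DH group                   : MODP-1024
   SA duration                : 86400
"""

# Constructed ACLs: the "bad" remote ACL uses a host wildcard (0) where the
# local side uses a /24 wildcard, a common cause of a selector mismatch.
LOCAL_ACL = "acl 3000\n rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255\n"
REMOTE_ACL_GOOD = "acl 3000\n rule 5 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255\n"
REMOTE_ACL_BAD = "acl 3000\n rule 5 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0\n"

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(?P<val>\S.*?)\s*$")
RULE_RE = re.compile(r"rule\s+(?:\d+\s+)?permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                     r"\s+destination\s+(\S+)\s+(\S+)")


def parse_fields(text: str) -> Dict[str, str]:
    """Turn 'key : value' lines into a dict keyed by the lower-cased attribute name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").lower()] = m.group("val")
    return fields


def diff_proposals(local: str, remote: str) -> List[Tuple[str, str, str]]:
    """Return (attribute, local_value, remote_value) for each attribute that differs.
    An attribute present on only one side is reported with '<absent>' on the other."""
    a, b = parse_fields(local), parse_fields(remote)
    mismatches = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, "<absent>"), b.get(key, "<absent>")
        if va.lower() != vb.lower():
            mismatches.append((key, va, vb))
    return mismatches


def parse_rules(acl_text: str) -> List[Tuple[str, str, str, str]]:
    """Extract (src, src_wildcard, dst, dst_wildcard) from 'rule ... permit ip' lines."""
    rules = []
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append(m.groups())
    return rules


def mirrored(local_acl: str, remote_acl: str) -> Tuple[bool, List[str]]:
    """Step 4 check: every local rule must exist on the remote end with source and
    destination swapped (same wildcards), and vice versa."""
    local, remote = set(parse_rules(local_acl)), set(parse_rules(remote_acl))
    problems = []
    for src, swc, dst, dwc in sorted(local):
        if (dst, dwc, src, swc) not in remote:
            problems.append(f"local rule {src} {swc} -> {dst} {dwc} has no remote mirror")
    for src, swc, dst, dwc in sorted(remote):
        if (dst, dwc, src, swc) not in local:
            problems.append(f"remote rule {src} {swc} -> {dst} {dwc} has no local mirror")
    return not problems, problems


def run_checks() -> Dict[str, object]:
    """Run both checks on the constructed samples and return the findings."""
    return {
        "proposal_mismatches": diff_proposals(LOCAL_IKE_PROPOSAL, REMOTE_IKE_PROPOSAL),
        "acl_mirrored_good": mirrored(LOCAL_ACL, REMOTE_ACL_GOOD),
        "acl_mirrored_bad": mirrored(LOCAL_ACL, REMOTE_ACL_BAD),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

In practice you would paste the real display ike proposal / display ipsec proposal output from each end into the two strings; the same diff works for any block of "key : value" lines, so it covers step 3 and step 7 alike. The wildcard in the "bad" ACL is the kind of near-match that looks mirrored to the eye but is not.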
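Once packet.cap exists, the useful question is where the exchange stops and which notify the peer sent back, because that usually names the checklist step at fault before any debugging is enabled. The following Python example is added here and is not code from the post or from Huawei: it decodes the ISAKMP header and the cleartext payload chain as laid out in RFC 2408 (IKEv1) and RFC 7296 (IKEv2) and maps fatal notifies to a checklist step. The messages are constructed in memory, not taken from a real capture; the parse_ike and diagnose names and the step hints are this example's own.

```python
"""Added example (not from the post): decode the cleartext part of IKE messages
taken from the capture so the failing negotiation step is visible. Header and
payload layouts follow RFC 2408 (IKEv1) and RFC 7296 (IKEv2). The sample
messages below are CONSTRUCTED in memory, not read from packet.cap; with real
data, feed each UDP/500 payload (or UDP/4500 payload after its 4-byte non-ESP
marker) to parse_ike()."""
import struct
from typing import Any, Dict, List, Tuple

HDR = struct.Struct(">8s8sBBBBII")  # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
GEN = struct.Struct(">BBH")         # generic payload header: next payload, reserved/critical, length

EXCHANGES = {1: {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"},
             2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}}
NOTIFY_V1 = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION",
             23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED"}
NOTIFY_V2 = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED",
             38: "TS_UNACCEPTABLE", 39: "INVALID_SELECTORS", 16388: "NAT_DETECTION_SOURCE_IP",
             16389: "NAT_DETECTION_DESTINATION_IP", 16390: "COOKIE"}
# Which checklist step a fatal notify usually points at (this example's own reading).
HINTS = {"NO-PROPOSAL-CHOSEN": "step 3/7: IKE or IPSec proposal mismatch",
         "NO_PROPOSAL_CHOSEN": "step 3/7: IKE or IPSec proposal mismatch",
         "INVALID_KE_PAYLOAD": "step 7: DH group mismatch in the IKE proposal",
         "INVALID-ID-INFORMATION": "step 6: IKE peer identity mismatch",
         "AUTHENTICATION-FAILED": "step 7: pre-shared key or certificate mismatch",
         "AUTHENTICATION_FAILED": "step 7: pre-shared key or certificate mismatch",
         "TS_UNACCEPTABLE": "step 4: protected-traffic ACLs are not mirrored"}


def parse_ike(msg: bytes) -> Dict[str, Any]:
    """Decode the 28-byte ISAKMP header and walk the cleartext payload chain.
    Stops at an IKEv1 encrypted message (E flag) or an IKEv2 SK payload."""
    if len(msg) < HDR.size:
        raise ValueError("message shorter than the 28-byte ISAKMP header")
    _ispi, _rspi, nxt, ver, exch, flags, msg_id, length = HDR.unpack_from(msg)
    major = ver >> 4
    if major not in EXCHANGES:
        raise ValueError(f"unsupported IKE major version {major}")
    if length != len(msg):
        raise ValueError(f"header length {length} does not match {len(msg)} bytes")
    info: Dict[str, Any] = {
        "version": major,
        "exchange": EXCHANGES[major].get(exch, f"exchange {exch}"),
        "response": bool(flags & 0x20) if major == 2 else None,  # IKEv2 R bit
        "msg_id": msg_id,
        "payloads": [],
        "notifies": [],
        "encrypted": major == 1 and bool(flags & 0x01),           # IKEv1 E bit
    }
    off = HDR.size
    while nxt != 0 and not info["encrypted"]:
        if off + GEN.size > len(msg):
            raise ValueError("payload chain runs past the end of the message")
        pnext, _, plen = GEN.unpack_from(msg, off)
        if plen < GEN.size or off + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = msg[off + GEN.size:off + plen]
        info["payloads"].append(nxt)
        if major == 1 and nxt == 11 and len(body) >= 8:     # IKEv1 Notification: DOI, proto, SPI size, type
            _doi, _proto, _spi_size, ntype = struct.unpack_from(">IBBH", body)
            info["notifies"].append(NOTIFY_V1.get(ntype, f"notify {ntype}"))
        elif major == 2 and nxt == 41 and len(body) >= 4:   # IKEv2 Notify: proto, SPI size, type
            _proto, _spi_size, ntype = struct.unpack_from(">BBH", body)
            info["notifies"].append(NOTIFY_V2.get(ntype, f"notify {ntype}"))
        elif major == 2 and nxt == 46:                      # IKEv2 Encrypted (SK) payload
            info["encrypted"] = True
        nxt, off = pnext, off + plen
    return info


def diagnose(msg: bytes) -> List[str]:
    """Map fatal notifies in one message to the checklist step they usually point at."""
    info = parse_ike(msg)
    hints = [HINTS[n] for n in info["notifies"] if n in HINTS]
    if info["encrypted"] and not hints:
        hints.append("encrypted body: use the debugging commands on the device to see the reason")
    return hints


def build_msg(major: int, exch: int, flags: int, msg_id: int,
              payloads: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a test message from (payload_type, body) pairs (constructed data only)."""
    first = payloads[0][0] if payloads else 0
    out = bytearray()
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += GEN.pack(nxt, 0, GEN.size + len(body)) + body
    hdr = HDR.pack(b"\x11" * 8, b"\x22" * 8, first, major << 4, exch, flags, msg_id, HDR.size + len(out))
    return hdr + bytes(out)


# Constructed samples (not real captures): a responder rejecting the proposal in
# IKEv2 and IKEv1, and an IKEv2 IKE_AUTH reply whose body is encrypted.
SAMPLE_V2_NO_PROPOSAL = build_msg(2, 34, 0x20, 0, [(41, struct.pack(">BBH", 0, 0, 14))])
SAMPLE_V1_NO_PROPOSAL = build_msg(1, 5, 0x00, 0xABCD1234, [(11, struct.pack(">IBBH", 1, 1, 0, 14))])
SAMPLE_V2_ENCRYPTED = build_msg(2, 35, 0x20, 1, [(46, b"\x00" * 16)])

if __name__ == "__main__":
    for sample in (SAMPLE_V2_NO_PROPOSAL, SAMPLE_V1_NO_PROPOSAL, SAMPLE_V2_ENCRYPTED):
        print(parse_ike(sample)["exchange"], parse_ike(sample)["notifies"], diagnose(sample))
```

The parser deliberately refuses messages whose header length disagrees with the bytes it was given, so a truncated capture (packet-len too small for a large certificate exchange) shows up as an error rather than as a silently empty payload list. Anything after an IKEv1 E flag or an IKEv2 SK payload is ciphertext, which is exactly where the debugging ikev1 all / debugging ikev2 all output from the device takes over.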

Thanks for your sharing, I am finding this:
Check whether the two ends of the IPSec tunnel use the same IKE proposal. Run the display ike proposal command on the two ends. If the two ends use the same IKE proposal, go to step 2. If the authentication mode is set to pre-shared key authentication, you must configure a pre-shared key for each peer and ensure that the pre-shared keys of the two ends are the same. If the pre-shared keys are different, run the pre-shared-key command to change the authentication key.