Troubleshooting of Negotiation Failures
Step 1: Check whether IPSec SAs and IKE SAs are generated.
Step 2: Check whether the IPSec peer address is reachable. If so, go to step 3.
Step 3: Check whether the two ends of the IPSec tunnel use the same IPSec proposal. Run the display ipsec proposal command on the two ends. If the two ends use the same IPSec proposal, go to step 4.
Step 4: Check whether the traffic to be protected on the two ends is matching (the source and destination IP addresses of the two ends should be mirrored). If so, go to step 5.
Step 5: Check whether the two ends of the IPSec tunnel use the same IPSec policy. Run the display ipsec policy command on the two ends. If the policies on the two ends are matched, go to step 6.
Step 6: Check whether the IKE peer configuration is correct. Run the display ike peer command to check whether the IKE negotiation mode and IKE version. If the IKE peer configuration is correct, go to step 7.
Step 7: Check whether the two ends of the IPSec tunnel use the same IKE proposal. Run the display ike proposal command on the two ends. If the two ends use the same IKE proposal, go to step 2. If the authentication mode is set to pre-shared key authentication, you must configure a pre-shared key for each peer and ensure that the pre-shared keys of the two ends are the same. If the pre-shared keys are different, run the pre-shared-key command to change the authentication key.
Step 8: Collect the following information and contact Huawei technical support engineers: execution results of the preceding steps, device configuration files, logs, and alarms.
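Steps 3, 4 and 7 are comparisons between the two ends that are easy to get wrong by eye. The following is an added helper script (not part of this guide or any Huawei tool) that checks the two things most often mismatched: that the peer's traffic-protection ACL rules are the exact mirror of the local ones, and that every proposal parameter is identical on both ends. It parses the "rule permit ip source ... destination ..." syntax shown on this page; the proposal parameter names and all sample values are constructed for illustration, since the guide does not show the display command output format.

```python
import re
from typing import Dict, List, Optional, Tuple

# ACL rule syntax as written on this page: rule permit ip source A WC destination B WC
RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def parse_rules(acl_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (src, src_wildcard, dst, dst_wildcard) for every permit rule in the ACL text."""
    rules = []
    for line in acl_text.splitlines():
        m = RULE_RE.search(line.strip())
        if m:
            rules.append(m.groups())
    return rules

def unmirrored_rules(local_acl: str, peer_acl: str) -> List[Tuple[str, str, str, str]]:
    """Step 4: each local (src -> dst) rule must exist on the peer as (dst -> src)."""
    peer = set(parse_rules(peer_acl))
    return [r for r in parse_rules(local_acl) if (r[2], r[3], r[0], r[1]) not in peer]

def proposal_mismatches(local: Dict[str, str],
                        peer: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Steps 3 and 7: list every proposal parameter whose value differs or is absent on one end."""
    return {k: (local.get(k), peer.get(k))
            for k in sorted(set(local) | set(peer)) if local.get(k) != peer.get(k)}

# Constructed sample data (not captured from any device).
LOCAL_ACL = "acl 3333\nrule permit ip source 192.0.2.1 0 destination 198.51.100.1 0\n"
PEER_ACL_OK = "acl 3333\nrule permit ip source 198.51.100.1 0 destination 192.0.2.1 0\n"
PEER_ACL_BAD = "acl 3333\nrule permit ip source 198.51.100.1 0 destination 192.0.2.9 0\n"
# Parameter names below are illustrative, not the device's display output.
LOCAL_IPSEC = {"transform": "esp", "esp-auth": "sha2-256", "esp-encrypt": "aes-256", "encapsulation": "tunnel"}
PEER_IPSEC = {"transform": "esp", "esp-auth": "sha2-256", "esp-encrypt": "aes-128", "encapsulation": "tunnel"}

if __name__ == "__main__":
    print("unmirrored (good peer):", unmirrored_rules(LOCAL_ACL, PEER_ACL_OK))
    print("unmirrored (bad peer): ", unmirrored_rules(LOCAL_ACL, PEER_ACL_BAD))
    print("proposal mismatches:   ", proposal_mismatches(LOCAL_IPSEC, PEER_IPSEC))
```

An empty list and an empty dict mean the two ends agree; anything reported is the parameter or rule to fix before moving to the next step.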
Steps of packet capture
1. First, define the packet features that need to be captured (an ACL matching the traffic in both directions).
acl 3333
rule permit ip source x.x.x.x 0 destination y.y.y.y 0
rule permit ip source y.y.y.y 0 destination x.x.x.x 0
2. Apply the ACL number to a physical interface.
packet-capture ipv4-packet 3333 interface g1/0/0
3. Start the packet capture.
packet-capture startup packet-len 1500
4. Save the result to a file.
packet-capture queue 0 to-file packet.cap
If the above 3 steps have been done and the IPSec tunnel is still not up, please collect the debugging information:
For IKEv1:
debugging ikev1 all
For IKEv2:
debugging ikev2 all
For IPSEC:
debugging ipsec all
Also collect the diagnose-info of the device.
