
[Troubleshooting Series] Case 21 Traffic Cannot Be Forwarded After IPSec Tunnel is Established Normally

Latest reply: Jan 23, 2022 09:50:48

Traffic Cannot Be Forwarded After IPSec Tunnel is Established Normally


Network Topology

Figure 1-1 Network where traffic cannot be forwarded after IPSec tunnel is established normally (figure not available in this copy)


An IPsec tunnel needs to be established between FW_71 and FW_80 so that the inside networks 10.2.2.2 and 10.1.2.1 can communicate with each other.


Fault Description

The IPsec tunnel is already established between FW_71 and FW_80, but the IP address 10.1.1.1 fails to ping 10.1.2.1.


Configuration Files

FW_71

#
 ipsec sha2 compatible enable
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal p1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer b
 undo version 2
 pre-shared-key %^%#Z$pF2wqe9V.VP5V>P,qLJ:R^)="-W28~N9!LWE!3%^%#
 ike-proposal 1
 remote-address 192.168.101.1
#                                         
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal p1
 sa trigger-mode auto
#
interface GigabitEthernet1/0/0
 ip address 192.168.8.1 255.255.255.0
 gateway 192.168.8.254
 service-manage ping permit
 ipsec policy map1
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 10.1.2.0 255.255.255.0 192.168.8.254
ip route-static 192.168.101.0 255.255.255.0 192.168.8.254
#
nat-policy
 rule name nat_policy
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action nat easy-ip


FW_68

#
interface GigabitEthernet0/0/0
 ip address 10.220.7.68 255.255.254.0
#
interface GigabitEthernet1/0/0
 ip address 192.168.8.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
#
nat-policy
 rule name nat_outside
  source-zone trust
  destination-zone untrust
  source-address 192.169.8.0 mask 255.255.255.0
  destination-address 192.168.101.0 mask 255.255.255.0
  action nat easy-ip


FW_80

acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal p1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer b
 undo version 2
 pre-shared-key %^%#Z$pF2wqe9V.VP5V>P,qLJ:R^)="-W28~N9!LWE!3%^%#
 ike-proposal 1
 remote-address 192.168.101.1
#                                         
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal p1
 sa trigger-mode auto
#
interface GigabitEthernet1/0/0
 ip address 192.168.8.1 255.255.255.0
 gateway 192.168.8.254
 service-manage ping permit
 ipsec policy map1
#
interface GigabitEthernet3/0/4
 undo shutdown
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 10.1.2.0 255.255.255.0 192.168.8.254
ip route-static 192.168.101.0 255.255.255.0 192.168.8.254
#
nat-policy
 rule name nat_policy
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action nat easy-ip
#


Troubleshooting Location


Step 1  Check the information about SAs established through IKE negotiation.

[R5U9-USG6600] display ike sa
2018-01-03 19:18.840
 
IKE SA information :
    Conn-ID     Peer            VPN              Flag(s)             Phase
  -----------------------------------------------------------------------------
    117477244   10.100.1.1:4500 vrf1             RD|M                v2:2   
    117477242   10.100.1.1:4500 vrf1             RD|M                v2:1
 
  Number of IKE SA : 2
  -----------------------------------------------------------------------------
 
  Flag Description:                                                              
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 

The output shows that the IKE SA has been established successfully (flag RD) and is in the active state (flag M).


Step 2  Check the IPsec SA information.

[R5U9-USG6600] display ipsec sa
ipsec sa information: 
===============================                                                  
Interface: GigabitEthernet1/0/0                                                
===============================                                                 
 -----------------------------                                                 
  IPSec policy name: "map1"                                                      
  Sequence number  : 10                                                          
  Acl group        : 3000                                                       
  Acl rule         : 5                                                          
  Mode             : ISAKMP                                                   
  -----------------------------                                                 
    Connection ID     : 117440517
    Encapsulation mode: Tunnel
    Tunnel local      : 192.168.8.1
    Tunnel remote     : 192.168.101.1
    Flow source       : 10.1.1.0/255.255.255.0 0/0                        
    Flow destination  : 10.1.2.0/255.255.255.0 0/0
 
    [Outbound ESP SAs]                                                          
      SPI: 4055669516 (0xf1bc9b0c)                                              
      Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128                                
      SA remaining key duration (kilobytes/sec): 20971519/2679                   
      Max sent sequence-number: 16                                            
      UDP encapsulation used for NAT traversal: N                               
      SA encrypted packets (number/kilobytes): 156/1260                        
 
    [Inbound ESP SAs]                                                           
      SPI: 1050491168 (0x3e9d3920)                                              
      Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128                               
      SA remaining key duration (kilobytes/sec): 20971520/2679                   
      Max received sequence-number: 11
      UDP encapsulation used for NAT traversal: N                               
      SA decrypted packets (number/kilobytes): 10/840                        
      Anti-replay : Enable                                                      
      Anti-replay window size: 1024

Confirm that the outbound interface configured with IPSec is GigabitEthernet1/0/0 and that the protected flow (10.1.1.0/24 -> 10.1.2.0/24) is consistent with the ACL configuration.


Step 3  Check the forwarding information base (FIB) entry.

[R5U9-USG6600] display fib 10.1.2.1 
Route Entry Count: 1
Destination/Mask   Nexthop         Flag  TimeStamp     Interface      TunnelID
10.1.2.0/24        192.168.8.254   GSU   t[44596]      GE1/0/0        0x0

Confirm that the outbound interface (GE1/0/0) is the one on which the IPsec policy is applied.


Step 4  Check the session table: determine whether the traffic hits the protected flow and whether the outgoing interface is correct.

[R5U9-USG6600] display firewall session table verbose destination inside 10.1.2.1
2018-01-03 19:18.990
 Current Total Sessions : 0

There is no session entry, so perform a ping test.

[R5U9-USG6600] ping 192.168.101.1
   PING 192.168.101.1 : 56  data bytes, press CTRL_C to break
    Request time out
    Request time out 
    Request time out
    Request time out  
    Request time out
 
  --- 192.168.101.1  ping statistics --- 
    5 packet(s) transmitted
    0 packet(s) received 
    100.00% packet loss

There is still no session entry, and the ping test fails.


Step 5  Check the security policy.

#
security-policy
 default action permit
 rule name trust_to_local
  source-zone trust
  destination-zone local
  action permit
 rule name local_to_trust
  source-zone local
  destination-zone trust
  action permit
 rule name local_to_untrust
  source-zone local
  destination-zone untrust
  destination-address 10.1.2.0 0.0.0.255
  action deny

The rule local_to_untrust shown above is found to block this traffic.

Solution: Disable the policy.

[R5U9-USG6600] security-policy
[R5U9-USG6600-security] undo rule name local_to_untrust

When you handle a case like this on a customer network, add a policy that permits this traffic rather than removing the existing rule.

Check the session table again.

[R5U9-USG6600] display firewall session table verbose destination inside 10.1.2.1
2018-01-03 19:18.900
Current Total Sessions : 1 
 icmp  VPN: public --> public  ID: a58f5fad3a168fc8765a69bc3
 Zone: local --> untrust  TTL: 00:00:20  Left: 00:00:15
 Recv Interface: InLoopBack0
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.8.254   MAC:a08c-f8a9-5704
 <--packets: 0 bytes: 0 ==> packets: 5 bytes: 420
 10.1.1.1:43994[192.168.8.1:2049] --> 10.1.2.1:2048 PolicyName: default

In the session table, the traffic hits the NAT policy: the protected flow should be 10.1.1.1 -> 10.1.2.1, but after NAT the path becomes 192.168.8.1 -> 10.1.2.1 (the bracketed address in the session entry is the post-NAT source). This traffic no longer matches the protected flow, so it is not sent into the IPsec tunnel.

Step 6  Check the NAT policy.

#
nat-policy
 rule name nat_policy
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action nat easy-ip

After checking the NAT policy, it is found that the ping packets hit this policy.

Solution: Add a no-nat rule to exempt the protected data flow from NAT. NAT policy rules are matched in order, so the no-nat rule must be matched before nat_policy for the exemption to take effect.

[R5U9-USG6600] nat-policy
[R5U9-USG6600-policy-nat] rule name no-nat
[R5U9-USG6600-policy-nat-rule-no-nat] egress-interface GigabitEthernet1/0/0
[R5U9-USG6600-policy-nat-rule-no-nat] source-address 10.1.1.0 mask 255.255.255.0
[R5U9-USG6600-policy-nat-rule-no-nat] action no-nat


Root Cause

There is a source NAT policy on FW_71. The protected data flow hits this source NAT policy, and its source address is changed by the NAT policy, so the data flow can no longer match the IPsec policy.
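The following Python model is an added example (not part of the original post or of any Huawei software) of the behaviour behind Step 6 and the root cause: on the outbound interface the NAT policy is applied before the IPsec policy's ACL is checked, so an easy-ip rule rewrites the source to the GE1/0/0 address and the flow no longer matches ACL 3000. It goes beyond the page by also showing the misordered case, where the no-nat rule is appended after nat_policy and therefore never wins; the destination-zone and egress-interface conditions are assumed to always match because only GE1/0/0 traffic is modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the FW_71 outbound path on GigabitEthernet1/0/0.
# Assumption: NAT is applied first, then the IPsec policy ACL is checked.
EGRESS_IP = "192.168.8.1"  # ip address of GigabitEthernet1/0/0 on FW_71


@dataclass
class NatRule:
    name: str
    source: str       # network the source must belong to, e.g. "10.1.1.0/24"
    destination: str  # network the destination must belong to
    action: str       # "easy-ip" (rewrite source to egress IP) or "no-nat"


def in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def apply_nat(src: str, dst: str, rules: list) -> tuple:
    """First matching NAT rule wins; rules are evaluated in configuration order."""
    for r in rules:
        if in_net(src, r.source) and in_net(dst, r.destination):
            new_src = EGRESS_IP if r.action == "easy-ip" else src
            return new_src, r.name
    return src, None  # no rule hit: source is left unchanged


def matches_ipsec_acl(src: str, dst: str) -> bool:
    """acl 3000 rule 5: permit ip 10.1.1.0/24 -> 10.1.2.0/24 (the protected flow)."""
    return in_net(src, "10.1.1.0/24") and in_net(dst, "10.1.2.0/24")


def forward(src: str, dst: str, rules: list) -> tuple:
    """Return (source after NAT, NAT rule hit, whether the packet enters the tunnel)."""
    nat_src, hit = apply_nat(src, dst, rules)
    return nat_src, hit, matches_ipsec_acl(nat_src, dst)


NAT_POLICY = NatRule("nat_policy", "10.1.1.0/24", "10.1.2.0/24", "easy-ip")
NO_NAT = NatRule("no-nat", "10.1.1.0/24", "0.0.0.0/0", "no-nat")

BROKEN = [NAT_POLICY]              # original FW_71 configuration
FIXED = [NO_NAT, NAT_POLICY]       # no-nat matched before nat_policy
MISORDERED = [NAT_POLICY, NO_NAT]  # no-nat appended after nat_policy: still broken

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(label, forward("10.1.1.1", "10.1.2.1", rules))
```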

Nice step by step procedure post. Thank you