
[Troubleshooting Series] Case 22: Network problem when traffic goes through an IPsec tunnel

Latest reply: Jan 16, 2019 01:15:27


Network Topology

[Topology diagram: AR1 (GigabitEthernet0/0/2, 192.168.1.2) and AR2 (GigabitEthernet0/0/1, 172.168.1.2) terminate the IPsec tunnel; 101.1.1.0/24 sits behind AR1 and 202.1.1.0/24 behind AR2.]

Fault Description

The customer cannot ping from one side to the other side (202.1.1.1).

Configuration Files

AR1

pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
acl number 3000  
 rule 5 permit ip source 101.1.1.0 0.0.0.255 destination 202.1.1.0 0.0.0.255 
acl number 3333  
 rule 5 permit ip source 101.1.1.0 0.0.0.255 
 rule 10 permit ip destination 202.1.1.0 0.0.0.255 
#
ipsec proposal 1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm 3des            
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm sha1
 prf hmac-sha2-256
#
ike peer p1 v1
 pre-shared-key cipher %^%#1"4j#17n2'.c\"3q3#g4NGy|1\9Rj%Y{5Y)r$o>$%^%#
 ike-proposal 1
 remote-address 172.168.1.2
#
ipsec policy p1 10 isakmp
 security acl 3000
 ike-peer p1
 proposal 1
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.2 255.255.255.0
 nat outbound 3333 
 ipsec policy p1
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 172.168.1.0 255.255.255.0 192.168.1.1
ip route-static 202.1.1.0 255.255.255.0 192.168.1.1 

AR2

[V200R007C00SPCb00]
#
acl number 3333  
 rule 5 permit ip source 202.1.0.0 0.0.3.255 destination 101.1.1.0 0.0.0.255 
#
ipsec proposal 1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm des-cbc
 dh group2
 authentication-algorithm sha1
 prf hmac-sha2-256
#
ike peer p1 v1
 pre-shared-key cipher %^%#Xb=f+J<Up&;zprO9<Ik5s6EOIQoPDV~{U)*.bw:J%^%#
 ike-proposal 1                           
 remote-address 192.168.1.2
#
ipsec policy p1 10 isakmp
 security acl 3333
 ike-peer p1
 proposal 1
#
interface Vlanif999
 description MANAGEMENT-DO-NOT-TOUCH
 ip address 192.168.80.3 255.255.224.0
#
interface GigabitEthernet0/0/0
 description NE40E
 ip address 172.16.1.6 255.255.255.252
#
interface GigabitEthernet0/0/1
 description USG1
 ip address 172.168.1.2 255.255.255.0
 ipsec policy p1
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 172.1.0.0 255.255.0.0 192.168.64.1 description MANAGEMENT-DO-NOT-TOUCH
ip route-static 192.168.1.0 255.255.255.0 172.168.1.1
ip route-static 192.168.10.0 255.255.255.0 192.168.64.1 description MANAGEMENT-DO-NOT-TOUCH
#

Troubleshooting Procedure

Step 1. Check the IPsec status: phase 1 is not established, so check the IKE parameters.

After checking the IKE parameters, we find that one of them is not correct (in ike proposal 1, AR1 uses encryption-algorithm 3des-cbc while AR2 uses des-cbc).


After changing the IKE parameter, check the status again. Phase 1 is now established, but phase 2 is still not. Check the ESP parameters and the ACLs.

The ACL on AR2 does not match the one on AR1. The two IPsec ACLs should mirror each other (AR2's rule covers 202.1.0.0 0.0.3.255, while AR1's rule covers 202.1.1.0 0.0.0.255).

After changing the ACL rules, phase 2 is established; the IPsec tunnel is now up.

Step 2. Testing on the device shows that the ping still does not work even though the IPsec tunnel is established. First check whether the traffic we are testing matches the ACL.

Then check the NAT policy under the same interface, and whether the ACL rules for NAT conflict with the IPsec ACL.

After changing the ACL for NAT, the ping still does not work. Check whether ESP uses SHA2; if it does, configure the SHA2-compatible command.

The ping still does not work. Check the routing table: the route on AR2 is not correct, because its next hop is wrong. Add a static route for it.

After configuring the static route, the ping works.

Root Cause

• If IPsec phase 1 is not established, check the IKE parameters.

• If IPsec phase 2 is not established, check the ESP parameters and the ACLs.

• If traffic is not forwarded correctly, check the ACL, check the routes, and check whether NAT is configured under the same interface.

• Note the ESP algorithm: if it uses SHA2, don't forget to configure the SHA2-compatible command.
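As an added example (not part of the original post or Huawei's tooling), the following Python script applies the checklist above to constructed excerpts of the AR1 and AR2 configurations from this case: it compares the IKE and IPsec proposals parameter by parameter, verifies that the two IPsec ACLs mirror each other, and flags a NAT ACL on the same router that overlaps the IPsec ACL. The `parse`/`findings` functions and the ACL numbers passed to them are assumptions of the example.

```python
import re
from ipaddress import IPv4Address, IPv4Network
# Constructed excerpts of the AR1 and AR2 configs shown in this case.
AR1 = """\
acl number 3000
 rule 5 permit ip source 101.1.1.0 0.0.0.255 destination 202.1.1.0 0.0.0.255
acl number 3333
 rule 5 permit ip source 101.1.1.0 0.0.0.255
ike proposal 1
 encryption-algorithm 3des-cbc
ipsec proposal 1
 esp encryption-algorithm 3des
"""
AR2 = """\
acl number 3333
 rule 5 permit ip source 202.1.0.0 0.0.3.255 destination 101.1.1.0 0.0.0.255
ike proposal 1
 encryption-algorithm des-cbc
ipsec proposal 1
 esp encryption-algorithm 3des
"""
RULE = re.compile(r" rule \d+ permit ip(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")
def net(addr, wild):  # Huawei wildcard mask -> network; an absent side means "any"
    return IPv4Network("0.0.0.0/0") if addr is None else IPv4Network(
        (addr, 32 - int(IPv4Address(wild)).bit_length()), strict=False)
def parse(text):  # collect acl rules and proposal parameters per config section
    cfg, cur = {"ike": {}, "ipsec": {}, "acl": {}}, None
    for line in text.splitlines():
        if m := re.match(r"acl number (\d+)", line):
            cur = cfg["acl"].setdefault(m[1], [])
        elif m := re.match(r"(ike|ipsec) proposal", line):
            cur = cfg[m[1]]
        elif m := RULE.match(line):
            cur.append((net(m[1], m[2]), net(m[3], m[4])))
        elif line.startswith(" "):  # "<parameter> <value>" line inside a proposal
            k, v = line.strip().rsplit(" ", 1)
            cur[k] = v
    return cfg

def findings(local, remote, local_acl, remote_acl, nat_acl=None):
    # Mismatches that break phase 1 (ike), phase 2 (ipsec proposal, acl) or forwarding (nat).
    out = [f"{phase}: {k} {v} != {remote[phase].get(k)}" for phase in ("ike", "ipsec")
           for k, v in local[phase].items() if remote[phase].get(k) != v]
    if local["acl"][local_acl] != [(d, s) for s, d in remote["acl"][remote_acl]]:
        out.append(f"acl {local_acl} is not the mirror of peer acl {remote_acl}")
    for s, d in local["acl"].get(nat_acl, []):  # NAT applied to tunnel traffic breaks the SA match
        if any(s.overlaps(s2) and d.overlaps(d2) for s2, d2 in local["acl"][local_acl]):
            out.append(f"nat acl {nat_acl} overlaps ipsec acl {local_acl}")
    return out
```

Running `findings(parse(AR1), parse(AR2), "3000", "3333", nat_acl="3333")` reports the three problems fixed in the case (IKE encryption mismatch, non-mirrored ACL, NAT ACL overlapping the IPsec ACL); the wrong next hop on AR2 is a routing issue outside what this script inspects.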


Busy_with_lazy_mind
Created Jan 16, 2019 01:15:27

Thanks for sharing!