Network problem when goes through IPsec tunnel
Network Topology
Fault Description
The customer cannot ping from one side to the other side (202.1.1.1).
Configuration Files
AR1
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
acl number 3000
rule 5 permit ip source 101.1.1.0 0.0.0.255 destination 202.1.1.0 0.0.0.255
acl number 3333
rule 5 permit ip source 101.1.1.0 0.0.0.255
rule 10 permit ip destination 202.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm sha1
prf hmac-sha2-256
#
ike peer p1 v1
pre-shared-key cipher %^%#1"4j#17n2'.c\"3q3#g4NGy|1\9Rj%Y{5Y)r$o>$%^%#
ike-proposal 1
remote-address 172.168.1.2
#
ipsec policy p1 10 isakmp
security acl 3000
ike-peer p1
proposal 1
#
interface GigabitEthernet0/0/2
ip address 192.168.1.2 255.255.255.0
nat outbound 3333
ipsec policy p1
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 172.168.1.0 255.255.255.0 192.168.1.1
ip route-static 202.1.1.0 255.255.255.0 192.168.1.1
AR2
[V200R007C00SPCb00]
#
acl number 3333
rule 5 permit ip source 202.1.0.0 0.0.3.255 destination 101.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm des-cbc
dh group2
authentication-algorithm sha1
prf hmac-sha2-256
#
ike peer p1 v1
pre-shared-key cipher %^%#Xb=f+J<Up&;zprO9<Ik5s6EOIQoPDV~{U)*.bw:J%^%#
ike-proposal 1
remote-address 192.168.1.2
#
ipsec policy p1 10 isakmp
security acl 3333
ike-peer p1
proposal 1
#
interface Vlanif999
description MANAGEMENT-DO-NOT-TOUCH
ip address 192.168.80.3 255.255.224.0
#
interface GigabitEthernet0/0/0
description NE40E
ip address 172.16.1.6 255.255.255.252
#
interface GigabitEthernet0/0/1
description USG1
ip address 172.168.1.2 255.255.255.0
ipsec policy p1
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 172.1.0.0 255.255.0.0 192.168.64.1 description MANAGEMENT-DO-NOT-TOUCH
ip route-static 192.168.1.0 255.255.255.0 172.168.1.1
ip route-static 192.168.10.0 255.255.255.0 192.168.64.1 description MANAGEMENT-DO-NOT-TOUCH
#
Troubleshooting Procedure
Step 1 Check the IPsec status. Phase 1 is not established, so check the IKE parameters.
Comparing the IKE proposals shows that the parameters do not match: in the configurations above AR1 uses encryption-algorithm 3des-cbc while AR2 uses des-cbc.

After correcting the IKE parameters, check the status again. Phase 1 is now up, but phase 2 is not established, so check the ESP parameters and the ACLs.
The ACL on AR2 does not match the one on AR1: AR1 protects 101.1.1.0/24 to 202.1.1.0/24, while AR2 protects 202.1.0.0/22 to 101.1.1.0/24. The two ACLs must mirror each other.
After changing the ACL rules, phase 2 is up and the IPsec tunnel is established.
Step 2 Testing on the device shows that the ping still fails even though IPsec is established. First check whether the traffic being tested matches the ACL.
Then check the NAT policy under the same interface and whether the NAT ACL conflicts with the IPsec ACL. On AR1, nat outbound 3333 permits all traffic from 101.1.1.0/24, which includes the traffic IPsec is meant to protect; NAT is applied before IPsec on the interface, so the translated packets no longer match ACL 3000.
After changing the NAT ACL, the ping still fails. Check whether ESP uses SHA2 (esp authentication-algorithm sha2-256 in the configuration above); if it does, the SHA2-compatible command must be configured.
The ping still fails. Check the routing table: the route on AR2 is not correct because its next hop is wrong. Add a static route for it.
After configuring the static route, the ping works.
Root Cause
- If IPsec phase 1 is not established, check the IKE parameters.
- If IPsec phase 2 is not established, check the ESP parameters and the ACLs.
- If traffic is not forwarded correctly, check the ACL, check the routes, and check whether NAT is configured under the same interface.
- Note the ESP SHA2 method: if SHA2 is used, do not forget to configure the SHA2-compatible command.
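As an added check that is not part of the original case, the following Python script models the two ACL checks from Step 1 and Step 2 (the IPsec ACLs mirroring each other, and a NAT outbound ACL on the same interface permitting the protected traffic) using the ACLs from the AR1 and AR2 configurations above. The deny rule used as the NAT fix is an assumption, since the page does not show the changed ACL.

```python
import ipaddress

def vrp_net(addr, wildcard="0.0.0.0"):
    """VRP writes 'address wildcard' (an inverted mask); turn it into an IPv4Network.
    Assumes a contiguous wildcard, which is what these configurations use."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)

ANY = vrp_net("0.0.0.0", "255.255.255.255")  # a rule with no source/destination given

def unmirrored(local_rules, peer_rules):
    """Phase 2 needs the peer's IPsec ACL to mirror ours: its (src, dst) must equal
    our (dst, src). Returns the peer rules that have no mirror image on our side."""
    mirrored = {(dst, src) for src, dst in local_rules}
    return [rule for rule in peer_rules if rule not in mirrored]

def translated_before_ipsec(nat_acl, ipsec_rules):
    """nat outbound on the same interface runs before IPsec, so a protected flow whose
    first matching NAT rule is 'permit' is translated and then misses the IPsec ACL.
    nat_acl is an ordered list of (action, src, dst); returns the flows NAT grabs."""
    lost = []
    for src, dst in ipsec_rules:
        for action, nsrc, ndst in nat_acl:
            if nsrc.overlaps(src) and ndst.overlaps(dst):
                if action == "permit":
                    lost.append((src, dst))
                break  # first match wins, as on the device
    return lost

# Values below are the ACLs from the AR1/AR2 configurations on this page.
AR1_IPSEC = [(vrp_net("101.1.1.0", "0.0.0.255"), vrp_net("202.1.1.0", "0.0.0.255"))]
AR2_IPSEC_ORIG = [(vrp_net("202.1.0.0", "0.0.3.255"), vrp_net("101.1.1.0", "0.0.0.255"))]
AR2_IPSEC_FIXED = [(vrp_net("202.1.1.0", "0.0.0.255"), vrp_net("101.1.1.0", "0.0.0.255"))]
AR1_NAT_ORIG = [("permit", vrp_net("101.1.1.0", "0.0.0.255"), ANY),
                ("permit", ANY, vrp_net("202.1.1.0", "0.0.0.255"))]
# Assumed fix (not shown on the page): exclude the protected flow from NAT with a deny rule first.
AR1_NAT_FIXED = [("deny", vrp_net("101.1.1.0", "0.0.0.255"),
                  vrp_net("202.1.1.0", "0.0.0.255"))] + AR1_NAT_ORIG

if __name__ == "__main__":
    print("AR2 rules with no mirror on AR1:", unmirrored(AR1_IPSEC, AR2_IPSEC_ORIG))
    print("after the ACL fix:", unmirrored(AR1_IPSEC, AR2_IPSEC_FIXED))
    print("flows NAT translates before IPsec:", translated_before_ipsec(AR1_NAT_ORIG, AR1_IPSEC))
    print("after the NAT fix:", translated_before_ipsec(AR1_NAT_FIXED, AR1_IPSEC))
```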