IPsec VPN Detailed--Verify configuration

Five.common failure Debug Commands

[H3c]disike SA

After the configuration is complete, users who find network A and network B cannot access each other.

Possible causes

1. Traffic does not match ACL rules

• Execute the command display ACL Acl-number to see if the traffic matches the IPSec ACL rules.

2. Inconsistent IKE security offer configuration for both devices

• Execute the command display IKE proposal on NGFW_A and Ngfw_b respectively, to see if the IKE security proposal configuration for both devices is consistent, including the encryption algorithm (authentication algorithm), the authentication algorithm (encryption algorithm) and DH Group identification (diffie-hellman groups).
  

3. Different IKE versions for both devices

4. Misconfiguration of the peer IP address or the peer domain name

• Execute commands on Ngfw_a and Ngfw_b display IKE peer [brief [IPv6] | name Peer-name] to see if the peer IP address is configured correctly.
  

5. The pre-shared key configuration for both ends of the device is inconsistent

6. NAT traversal feature not enabled

• Execute commands on Ngfw_a and Ngfw_b display IKE peer [brief [IPv6] | name Peer-name] to see if the NAT traversal feature is enabled.
  

7. Inconsistent IPSec security offer configuration for both devices

• Execute the command display IPSec proposal [brief | name Proposal-name] on ngfw_a and Ngfw_b respectively, to see if the IPSec security offer configuration for both devices is consistent, including the security protocol used, The security protocol adopts the authentication algorithm and the encryption algorithm, the message encapsulation mode and so on.
  

8. The PFS feature configuration is inconsistent for both ends of the device

• Execute the command display IPSec policy [brief | name Policy-name [Seq-number] [Extend-acl]] on ngfw_a and ngfw_b respectively to see if the PFS feature configuration for both devices is consistent.
  

9.IPSEC Security Policy Sequence number configuration error

• Execute the command display IPSec policy [brief | name Policy-name [seq-number | extend-acl]] on ngfw_a and Ngfw_b, respectively, to see the order number of IPSec security policies for both devices.
  

10.IPSEC security Policy applied on the wrong interface

• Execute commands on ngfw_a and ngfw_b on the display IPSec policy [brief | name Policy-name [seq-number | extend-acl]] to see if IPSec security policy is applied on the correct interface.
  

11.SA Timeout configured too small

• If the user disconnects frequently, the reason may be that the IKE SA time-out is configured too small. The IKE SA timeout period defaults to 86,400 seconds.

• Execute the command display IKE proposal to see the time-out of the IKE SA

12. Routing Configuration Error

13. Security Policy Configuration Error

14.NAT Policy configuration Error

15. No old or existing SA (Security Alliance) has been cleared

• Clearing the IKE SA (reset Ike sa) and IPSec SA (reset IPSec SA) is the simplest and most common way to resolve IPSec VPN failures. When an administrator modifies or increases the IPSec configuration, it is generally necessary to clear the old or existing SA.

Reprint http://dadiwm.blog.51cto.com/1773851/1783449/

This article is from the "Garrett" blog, make sure to keep this source http://garrett.blog.51cto.com/11611549/1983607

IPsec VPN Detailed--Verify configuration