Country/Region

SR66 and ER router are unable to communicate after IPSec was established

2020-05-21 19:56:46 Published
  • 0 Followed
  • 0Collected ,2001Browsed
MengPu

Network Topology

  • The client uses the V3 device as the headquarters router, ER3100 and ER5200 in the two branches respectively, and the communication between the headquarter and the branches uses the IPSEC tunnel established in the main mode .Now, the old device is replaced with the  V5 SR66. After completing the configuration, it is found that only one branch (ER3100) is communicating normally and the other one is not. The topology is as follows:

  • Private network 192.168.2.0/24 --(ER3100) 211. X.X. ---headquarters - -222.X.X.92(ER5200)---private network192.168.1.0/24 


Problem Description

 Only one branch (ER3100) is communicating normally and the other one is not.  


Process Analysis

1. Check IKE SA and Ipsec SA, both of which have been established normally: 

<SR6602>dis ike sa
    total phase-1 SAs:  2
    connection-id  peer                    flag        phase   doi
  ----------------------------------------------------------------
     15            211.X.X.12           RD|ST       1       IPSEC
     17            222.X.X.92          RD          1       IPSEC
     16            211.X.X.12           RD|ST       2       IPSEC
     18            222.X.X.92          RD          2       IPSEC

<SR6602>dis ipsec sa
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "bfy2"
  sequence number: 1
  acl version: ACL4
  mode: isakmp
  -----------------------------
    PFS: N, DH group: none
    tunnel:
        local  address: 121.X.X.222
        remote address: 211.X.X.12
    flow:
        sour addr: 192.168.35.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 0xA1DA1B76(2715425654)
      transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      in use setting: Tunnel
      connection id: 3
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843154/3063
      anti-replay detection: Enabled
        anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 0xA7135208(2803061256)
      transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      in use setting: Tunnel
      connection id: 4
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843106/3063
      anti-replay detection: Enabled
        anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N
===============================
Interface: GigabitEthernet0/0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "bfy2"
  sequence number: 2
  acl version: ACL4
  mode: isakmp
  -----------------------------
    PFS: N, DH group: none
    tunnel:
        local  address: 121.X.X.222
        remote address: 222.X.X.92
    flow:
        sour addr: 192.168.35.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 0x96C45E7B(2529451643)
      transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      in use setting: Tunnel
      connection id: 5
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843189/3067
      anti-replay detection: Enabled
        anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N
               
    [outbound ESP SAs]
      spi: 0x8357A1BE(2203558334)
      transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      in use setting: Tunnel
      connection id: 6
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843200/3067
      anti-replay detection: Enabled
        anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N

 

2. Check the route of the headquarters, and it is normal  

===============display ip routing-table===============
============================================================
Routing Tables: Public
 Destinations : 23 Routes : 23

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/0           Static 60   0            121.X.X.217   GE0/0/1

3. The ipsec policy configuration of the headquarters is as follows. According to the client"s feedback, after the exchange of 1 and 2 of bfy2, the business of branch 1 will pass, but 2 will not.


      ipsec policy bfy2 1 isakmp
      security acl 3001
      ike-peer xiamen
      transform-set xiamen
    #
      ipsec policy bfy2 2 isakmp
      security acl 3002
      ike-peer 8yuan
      transform-set 8yuan
    #

4. View the interest streams of the two branches:  

acl number 3001
    description bfy---xiamen
    rule 0 permit ip source 192.168.35.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    rule 2 deny ip
    acl number 3002
    description bfy---bky(8yuan)
    rule 10 permit ip source 192.168.35.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    rule 20 deny ip
   #



Solution

In the application of IPsec, the "permit"of  ACL rules means the matching flow need to be encrypted by IPsec tunnel, while the "deny" rule means the matching flow don"t need to be encrypted by IPsec tunnel. Because the "rule 2 deny ip" deny all traffic, said don"t need to do a IPsec protection, So the business of the latter node is not valid. 

Delete the deny node of the two ACLs. 


Please rate this case:   
0 Comments

No Comments

Add Comments:

Copyright© 2025 H3C reserves all rights to the current version NO.1

The copyright of this icon belongs to H3C. It is only for the use of this community. Do not use it for commercial purposes. Anyone who violates this icon will be prosecuted