GRE over IPsec with third-party device H

2022-08-29 23:41:33 Published

Network Topology

H3C(1.1.1.1)----Internet----third-party device H(1.1.1.2)


Problem Description

1. Failed to establish the IPsec SA.

2. After the IPsec SA is established (use display ike sa and display ipsec sa to check the status), pinging the remote address fails and interesting traffic is not forwarded.


Process Analysis

1. Failed to establish the IPsec SA.

Make sure the ike proposal and ipsec transform-set on the H3C device are configured exactly the same as the proposals on third-party device H (encryption algorithm, authentication algorithm and DH group).

H3C:

#
ipsec transform-set TEST
 esp encryption-algorithm aes-cbc-192
 esp authentication-algorithm sha256
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
 authentication-algorithm sha256
#

Third-party device H:

#
ipsec proposal trans
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
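The "set exactly the same" check above is easy to get wrong by eye because the two vendors spell the same algorithm differently (aes-cbc-192 versus aes-192, sha256 versus sha2-256). The following Python script is an added example, not code from this case or from either vendor: it parses the two configurations quoted above, maps each vendor's spelling to one canonical name (the alias table is an assumption built from these two configurations and should be extended for other algorithms), and reports parameters whose values differ as well as parameters configured on only one side, where the other side's default has to be checked by hand (encapsulation-mode and authentication-method in this case).

```python
"""Compare an H3C ike proposal / ipsec transform-set with a third-party
peer's proposals after normalising vendor-specific algorithm names.
Added example; not code from the case page.  The alias table is an
assumption built from the two configurations the case shows."""

# Constructed input: the two configurations quoted in the case, as text.
H3C_CONFIG = """\
ipsec transform-set TEST
 esp encryption-algorithm aes-cbc-192
 esp authentication-algorithm sha256
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
 authentication-algorithm sha256
"""

THIRD_PARTY_CONFIG = """\
ipsec proposal trans
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
"""

# Assumed mapping of vendor spellings to one canonical name per algorithm.
ALIASES = {
    "aes-cbc-128": "aes-128", "aes-cbc-192": "aes-192", "aes-cbc-256": "aes-256",
    "sha256": "sha2-256", "sha384": "sha2-384", "sha512": "sha2-512",
}


def normalize(value):
    """Canonical spelling for an algorithm name (unchanged if not aliased)."""
    return ALIASES.get(value, value)


def parse(config):
    """Return {"ipsec": {...}, "ike": {...}} of parameter -> canonical value.

    Top-level lines ("ipsec ...", "ike ...") open a section; indented lines
    are "<parameter> <value>" pairs.  The leading 'esp' is dropped so both
    vendors' 'esp encryption-algorithm' land under the same key."""
    sections = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        if not line.startswith(" "):
            current = sections.setdefault(line.split()[0], {})
            continue
        words = line.split()
        key = " ".join(words[:-1]).replace("esp ", "", 1)
        current[key] = normalize(words[-1])
    return sections


def compare(local, peer):
    """Return (mismatches, one_sided).

    mismatches: (section, parameter, local_value, peer_value) for parameters
                configured on both sides with different canonical values.
    one_sided:  (section, parameter) for parameters configured on one side
                only; the other side uses its default, which must be checked
                by hand (encapsulation-mode in this case is one of them)."""
    mismatches, one_sided = [], []
    for section in sorted(set(local) | set(peer)):
        a, b = local.get(section, {}), peer.get(section, {})
        for param in sorted(set(a) | set(b)):
            if param in a and param in b:
                if a[param] != b[param]:
                    mismatches.append((section, param, a[param], b[param]))
            else:
                one_sided.append((section, param))
    return mismatches, one_sided


def check_case_configs():
    """Run the comparison on the two configurations from the case."""
    return compare(parse(H3C_CONFIG), parse(THIRD_PARTY_CONFIG))


if __name__ == "__main__":
    mismatches, one_sided = check_case_configs()
    for item in mismatches:
        print("MISMATCH %s/%s: local=%s peer=%s" % item)
    for section, param in one_sided:
        print("ONLY ON ONE SIDE %s/%s: check the other side's default" % (section, param))
```

Run against the case's two configurations the script reports no mismatched values, which is consistent with the case moving on to a second cause; the two one-sided parameters are still worth confirming against the H3C defaults before attributing the problem to SHA-2 behaviour.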

2. After the IPsec SA is established (use display ike sa and display ipsec sa to check the status), pinging the remote address fails and interesting traffic is not forwarded.

Checking the official website of third-party device H, we found the following explanation:

#

Usage Scenario

When IPSec uses the SHA-2 algorithm, if the devices on two ends of an IPSec tunnel are from different vendors or run different software versions, they may use different encryption and decryption methods. In this situation, traffic between devices is interrupted.

To solve this problem, run the ipsec authentication sha2 compatible enable command to enable SHA-2 to be compatible with RFC standard algorithm versions.

Example:

Enable the SHA-2 algorithm to be compatible with RFC standard algorithm versions.

<H> system-view
[H] ipsec authentication sha2 compatible enable



Solution

1. Make sure the ike proposal and ipsec transform-set are configured identically on both devices.

2. When IPsec uses the SHA-2 algorithm and the two ends of the tunnel are from different vendors or run different software versions, they may use different encryption and decryption methods, and traffic between the devices is interrupted.

To solve this problem, run the ipsec authentication sha2 compatible enable command on third-party device H:

#
ipsec authentication sha2 compatible enable
#

Note that this command brings down all existing IPsec tunnels on third-party device H, so the tunnels must be brought up again afterwards.
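The documentation quoted above says only that the two ends "may use different encryption and decryption methods". The usual cause behind this symptom, and the assumption this added example makes (it is not code from the case or from either vendor), is the length of the ESP integrity check value: RFC 4868 defines HMAC-SHA-256-128, a 256-bit HMAC truncated to 128 bits, while some implementations truncate to 96 bits unless their RFC-compatible mode is enabled. Both peers negotiate "SHA-2 256" successfully, so the SA comes up, but every packet fails the receiver's ICV check. The Python below models sender and receiver with a constructed key and packet and evaluates all four combinations of truncation length.

```python
"""Why the SA comes up but no packet passes: both peers agreed on SHA-2-256
for ESP, yet each truncates the HMAC to a different length, so every ICV
check fails.  Added example, not code from the case page; it assumes the
usual cause of this symptom (RFC 4868 HMAC-SHA-256-128 on one side, a
96-bit ICV on the other).  The key and packet bytes are constructed."""
import hashlib
import hmac

RFC4868_ICV_LEN = 16  # HMAC-SHA-256-128: the 256-bit MAC truncated to 128 bits
LEGACY_ICV_LEN = 12   # 96-bit truncation used by some non-RFC implementations

# Constructed values: a 32-byte authentication key and bytes standing in for
# the ESP header plus already-encrypted payload (the data the ICV covers).
AUTH_KEY = b"constructed-sample-key-32-bytes!"
ESP_DATA = bytes.fromhex("00001234" "00000001") + b"ciphertext-stand-in" * 3


def protect(key, esp_data, icv_len):
    """Sender: append an ICV of icv_len bytes to the ESP header+ciphertext."""
    mac = hmac.new(key, esp_data, hashlib.sha256).digest()
    return esp_data + mac[:icv_len]


def verify(key, packet, icv_len):
    """Receiver: treat the last icv_len bytes as the ICV and check them.

    A receiver does not know how long the sender's ICV is; it uses the length
    its own SA policy dictates, which is exactly where mismatched peers
    diverge: the split between data and ICV lands in the wrong place."""
    if len(packet) <= icv_len:
        return False
    data, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, data, hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(icv, expected)  # constant-time comparison


def interop_matrix(key=AUTH_KEY, esp_data=ESP_DATA):
    """Map (sender_icv_len, receiver_icv_len) -> whether the receiver accepts."""
    lengths = (RFC4868_ICV_LEN, LEGACY_ICV_LEN)
    return {(s, r): verify(key, protect(key, esp_data, s), r)
            for s in lengths for r in lengths}


if __name__ == "__main__":
    for (s, r), ok in sorted(interop_matrix().items()):
        print(f"sender ICV {s * 8:3d} bits, receiver expects {r * 8:3d} bits -> "
              f"{'accepted' if ok else 'dropped (ICV check failed)'}")
```

The two matching combinations are accepted and the two mismatched ones are dropped, which is the case's symptom of an established SA with no traffic. Because the failure happens on each ESP packet and not during IKE negotiation, display ike sa and display ipsec sa look healthy; on the receiving device the problem shows up in the inbound packet counters as authentication failures rather than as an IKE error.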


