IPsec tunnel establishment fails, debug shows IPSEC/7/EVENT: Failed to match profile (problem handling experience case)

2023-12-27 20:21:11 Published

Network Topology

In the figure below, RUT145167014#2 on the left and the 830 (RUT145128081-01), marked yellow on the right, establish an IPsec tunnel with each other.



Problem Description

The customer reported that IPsec tunnel establishment failed, with the following debug output:

*Nov 12 17:29:40:220 2023 RUT145167014-02 IPSEC/7/EVENT:Failed to match profile: IKE profile was A while IPsec used profile B.


Process Analysis

1. In the debug ipsec error and debug ipsec event output collected on site, the following IPSEC event logs were found:

*Nov 12 17:29:40:220 2023 RUT145167014-02 IPSEC/7/EVENT: Could not find tunnel, ike profile name is A.
*Nov 12 17:29:40:220 2023 RUT145167014-02 IPSEC/7/EVENT: Failed to match flow: ACL not match.
*Nov 12 17:29:40:220 2023 RUT145167014-02 IPSEC/7/EVENT: Failed to match profile: IKE profile was A while IPsec used profile B.

 

2. Checking the customer's IPsec configuration shows that the match remote identity address in ike profile A uses a 24-bit mask, so its match range also covers the peer 1.1.1.38. Because 1.1.1.16 is the smallest address value among the profiles, ike profile A is matched first when the two ends negotiate the IKE SA. The IKE SA with 1.1.1.38 is therefore established under the wrong ike profile A, which is inconsistent with ike-profile B referenced by the ipsec policy for that peer, and the IPsec tunnel cannot be established.

MSR830 configuration:

#
ipsec policy use2 10 isakmp
 transform-set tran1
 security acl 3100
 remote-address 1.1.1.1
 ike-profile profile2
#
ike profile profile2
 keychain keychain2
 local-identity address 1.1.1.38
 match remote identity address 1.1.1.1 255.255.255.0
 proposal 1
#

MSR3610 configuration:

#
ipsec policy use213 3516 isakmp
 transform-set 1
 security acl name A_IPSEC
 remote-address 1.1.1.16
 ike-profile A
#
ipsec policy use213 3538 isakmp
 transform-set 1
 security acl name B_IPSEC A
 remote-address 1.1.1.38
 ike-profile B
#
ike profile A
 keychain A
 local-identity address 1.1.1.1
 match remote identity address 1.1.1.16 255.255.255.0
 proposal 1
#
ike profile B
 keychain B
 local-identity address 1.1.1.1
 match remote identity address 1.1.1.38 255.255.255.0
 proposal 1
#

Solution

It is recommended to set a more precise mask when configuring match remote identity address, so that one ike profile's match range does not include the peer addresses of other ike profiles. The problem was solved after the customer changed the mask to 32 bits.
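The following is an added configuration-check example, not code from this case or from the device software: it models the MSR3610 ike profiles and ipsec policies above, selects the ike profile a peer address would fall into (assuming, as the case describes, that among covering profiles the one with the lowest match address wins), and reports policies whose expected ike-profile differs from the one matched. The same check is then run with the 32-bit masks from the solution.

```python
import ipaddress

# Constructed model of the MSR3610 configuration in this case (not device output).
# Each IKE profile matches remote identity addresses inside (address, mask);
# each IPsec policy entry names its peer and the ike-profile it references.
IKE_PROFILES = {
    "A": ("1.1.1.16", "255.255.255.0"),
    "B": ("1.1.1.38", "255.255.255.0"),
}
IPSEC_POLICIES = [
    {"name": "use213 3516", "remote": "1.1.1.16", "ike_profile": "A"},
    {"name": "use213 3538", "remote": "1.1.1.38", "ike_profile": "B"},
]


def select_ike_profile(profiles, peer):
    """Return the IKE profile name whose match range covers peer, or None.

    Assumption (mirrors the case analysis): when several profiles cover the
    peer, the profile with the lowest numeric match address is tried first.
    """
    peer_ip = ipaddress.ip_address(peer)
    candidates = []
    for name, (addr, mask) in profiles.items():
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if peer_ip in net:
            candidates.append((int(ipaddress.ip_address(addr)), name))
    return min(candidates)[1] if candidates else None


def check_profile_conflicts(profiles, policies):
    """List (policy, peer, expected profile, matched profile) mismatches."""
    conflicts = []
    for pol in policies:
        matched = select_ike_profile(profiles, pol["remote"])
        if matched != pol["ike_profile"]:
            conflicts.append((pol["name"], pol["remote"], pol["ike_profile"], matched))
    return conflicts


def tighten_masks(profiles):
    """Apply the fix from this case: a 32-bit host mask on every match address."""
    return {n: (addr, "255.255.255.255") for n, (addr, _) in profiles.items()}


if __name__ == "__main__":
    print(check_profile_conflicts(IKE_PROFILES, IPSEC_POLICIES))
    print(check_profile_conflicts(tighten_masks(IKE_PROFILES), IPSEC_POLICIES))
```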
