There is already a national cryptographic IPsec tunnel on the same device. Adding a regular tunnel causes IKE phase 1 to fail.

2025-02-19 17:15:33 Published

Network Topology


Two firewalls are directly connected on-site. According to the network protection requirements, an IPsec tunnel needs to be established between them. A national cryptographic IPsec tunnel was previously set up on the local device, and now a regular IPsec tunnel needs to be added. The peer side has no IPsec tunnels yet.

Currently, phase 1 cannot be established. The IKE SA state shows unknown on the local side, and the peer side has no IKE SA information at all.


Local end 172.xx.xxx.41

Peer end 172.xx.xxx.42


Problem Description

When an IPsec tunnel using a pre-shared key (PSK) is added while a national cryptographic IPsec tunnel already exists on the device, IKE phase 1 fails to establish.

Process Analysis

Debugging on the local end shows that the negotiation still uses the national cryptographic algorithms, which points to a problem with how the IKE proposal is applied to the new tunnel.

Check the local IKE configuration

#
ike profile profile10
 keychain keychain1
 match remote identity address 172.19.251.42 255.255.255.252

The profile references no IKE proposal. When a profile references no proposal, the device selects among the configured proposals by precedence, and the proposal with the smallest ike proposal number has the highest precedence. The default proposal has the lowest precedence of all.

Therefore, the newly added IPsec tunnel selected the higher-precedence national cryptographic proposal, and the regular PSK negotiation could not succeed.


Solution

Configure a separate IKE proposal with a higher precedence (a smaller proposal number) for the regular tunnel. Its default authentication method is already pre-shared key, so no parameters need to be modified; a proposal with an empty configuration can be used directly.

Then reference this proposal in the IKE profile of the regular tunnel, so the profile no longer falls back to precedence-based selection.
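The resulting configuration, shown here as an added illustration rather than the case's own output: Comware-style syntax is assumed, the proposal numbers 1 and 10 are assumptions, and the parameters of the existing national cryptographic proposal are left as a placeholder because the case does not show them.

```text
#
# Existing national cryptographic IKE proposal (number assumed; algorithm lines
# omitted, they are not shown in the case)
ike proposal 10
 ... (national cryptographic algorithm settings)
#
# Added proposal for the regular PSK tunnel. Left empty: the default
# authentication method is pre-shared key. Number 1 is smaller than 10, so
# it also has the higher precedence.
ike proposal 1
#
# Profile for the regular tunnel now references proposal 1 explicitly,
# so precedence-based selection no longer picks the national one.
ike profile profile10
 keychain keychain1
 proposal 1
 match remote identity address 172.19.251.42 255.255.255.252
#
```

After the change, display ike proposal lists the proposals in precedence order, and display ike sa should show the new tunnel's IKE SA negotiated with the regular proposal instead of the national cryptographic one.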
