Router User Manual
2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-8 Nortel Networks Inc. Issue 01.01 (30 March 2009)
Item Sub-item Description
Configure the SPIs of
SAs
Configure SAs on inbound and outbound
directions.
Note the following:
z
SA parameters on both ends should
match.
z
The SPI on the local inbound direction
should be the same as that on the
outbound direction of the peer.
z
The SPI on the local outbound direction
should be the same as that on the inbound
direction of the peer.
Configure the
authentication shared
keys for SAs
Configure the authentication shared keys
both on inbound and outbound directions.
Note the following:
z
SA parameters on the two ends should
match.
z
The authentication shared key on the local
inbound should be the same as that on the
outbound of the peer.
z
The authentication shared key on the local
outbound direction should be the same as
that on the inbound direction of the peer.
The shared key has two formats:
z
hexadecimal numerals
z
character string
Use the sa string-key command to enter a
character string or use the
sa authentication-hex command to enter
hexadecimal numerals.
If both formats are used, the format used
last takes effect.
Note: Use the same shared key format on
the two ends. For example, if the shared key
is a character string on one end but is in
hexadecimal numeral format on the other,
the IPSec tunnel cannot be set up.
Configure the
encryption shared keys
for SAs
If the ESP protocol is used, configure the
encryption shared key.