Router User Manual
2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-12 Nortel Networks Inc. Issue 01.01 (30 March 2009)
2.2.4 Troubleshooting procedure
Step 1 Check whether the two ends of the tunnel are reachable when no IPSec policy is applied.
Use the undo ipsec policy command on interfaces at the IPSec tunnel ends.
On PC A, ping PC B.
A failed ping indicates a faulty route or link between PC A and PC B. For information about
removing the fault, see Nortel Secure Router 8000 Series Troubleshooting - IP Routing
(NN46240-706).
If the ping succeeds, the fault may be related to IPSec. Continue with the following steps.
Step 2 Check that the ACLs used in the IPSec policies at the two ends mirror each other.
Use the display acl 3101 command on Router A and Router B to check that the source and
destination addresses defined in the ACL rules at one end are the reverse of those at the other end.
# View the ACL on Router A.
<RouterA> display acl 3101
Advanced ACL 3101, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (0 times matched)
# View the ACL on Router B.
<RouterB> display acl 3101
Advanced ACL 3101, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (0 times matched)
If the source and destination addresses do not mirror each other, modify the ACL rules. If
they do, continue with the following steps.
Step 3 Check that the IPSec proposals applied at the tunnel ends are consistent.
Use the display ipsec proposal name command on Router A and Router B to check that the
configured IPSec proposals match (encapsulation mode, transform, and authentication and
encryption algorithms).
<RouterA> display ipsec proposal name tran1
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des
If the IPSec proposals differ, modify them so that both ends match. Otherwise, continue with the
following steps.
Step 4 Check that IPSec policies are configured correctly.
Check whether IPSec policies are configured correctly and whether they are applied to the
specified interfaces.
Use the display ipsec policy name command to view the specified IPSec policy.
<RouterA> display ipsec policy name map1
===========================================
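The checks in Step 2 and Step 3 can be automated by parsing the command output. The following added example (not part of the manual) takes constructed display acl and display ipsec proposal output in the format shown above and reports whether the two ends' ACL rules mirror each other and whether the proposal parameters match; the proposal name is ignored because it may legitimately differ per router.

```python
import re

# Constructed sample output in the format of the display acl and
# display ipsec proposal commands (not captured from a real router).
ACL_A = """Advanced ACL 3101, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (0 times matched)
"""
ACL_B = """Advanced ACL 3101, 1 rule
Acl's step is 5
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (0 times matched)
"""
PROPOSAL_A = """IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des
"""
# Same parameters under a different proposal name: still consistent.
PROPOSAL_B = PROPOSAL_A.replace("tran1", "tran2")

RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
    r"\s+destination\s+(\S+)\s+(\S+)"
)

def parse_rules(output):
    """Set of (src, src_wildcard, dst, dst_wildcard) tuples from display acl output."""
    return {m.groups() for m in RULE_RE.finditer(output)}

def acls_mirrored(output_a, output_b):
    """Step 2: every rule on A must appear on B with source and destination swapped."""
    rules_a = parse_rules(output_a)
    flipped_b = {(dst, dst_wc, src, src_wc)
                 for (src, src_wc, dst, dst_wc) in parse_rules(output_b)}
    return bool(rules_a) and rules_a == flipped_b

def parse_proposal(output):
    """Dict of proposal attributes, with the per-router proposal name dropped."""
    attrs = {}
    for line in output.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            attrs[key.strip().lower()] = value.strip()
    attrs.pop("ipsec proposal name", None)
    return attrs

def proposals_consistent(output_a, output_b):
    """Step 3: encapsulation mode, transform and ESP algorithms must match exactly."""
    return parse_proposal(output_a) == parse_proposal(output_b)
```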