Router User Manual
2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-14 Nortel Networks Inc. Issue 01.01 (30 March 2009)
<RouterA> display ipsec sa policy map1
===============================
Interface: Ethernet0/2/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: manual
-----------------------------
encapsulation mode: tunnel
tunnel local : 202.38.163.1 tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
[outbound ESP SAs]
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
Use the display ipsec sa brief command to view brief information about IPSec SAs.
<RouterA> display ipsec sa brief
Src Address     Dst Address     SPI     VPN  Protocol  Algorithm
-------------------------------------------------------------------
202.38.162.1    202.38.163.1    54321   0    ESP       E:DES; A:HMAC-SHA1-96;
202.38.163.1    202.38.162.1    12345   0    ESP       E:DES; A:HMAC-SHA1-96;
Compare the SA setup on Router A and Router B. If the SAs on the two routers do not mirror
each other (the inbound SA on one router must match the outbound SA on the other),
modify the incorrect SA configuration.
If the fault persists, contact Nortel technical support.
----End
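The comparison in this step, as an added example that is not part of the Nortel manual: a Python sketch that parses display ipsec sa policy output captured from both routers and reports where the manual SAs fail to mirror each other. The Router B output, including its wrong inbound SPI, is constructed for illustration.

```python
import re
# Router A output as shown above, trimmed to the fields being compared.
ROUTER_A = """\
encapsulation mode: tunnel
tunnel local : 202.38.163.1 tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
[outbound ESP SAs]
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
"""
# Constructed Router B output (assumption): inbound SPI is deliberately wrong.
ROUTER_B = """\
encapsulation mode: tunnel
tunnel local : 202.38.162.1 tunnel remote: 202.38.163.1
[inbound ESP SAs]
spi: 12346 (0x303a)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
[outbound ESP SAs]
spi: 54321 (0xd431)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
"""

def parse_sa(text):
    """Extract tunnel endpoints, encapsulation mode and per-direction (SPI, proposal)."""
    sa = {}
    m = re.search(r"tunnel local\s*:\s*(\S+)\s+tunnel remote\s*:\s*(\S+)", text)
    sa["local"], sa["remote"] = m.groups()
    sa["encap"] = re.search(r"encapsulation mode:\s*(\S+)", text).group(1)
    for direction, spi, proposal in re.findall(
            r"\[(inbound|outbound) ESP SAs\]\s*spi:\s*(\d+).*?proposal:\s*([^\n]+)", text, re.S):
        sa[direction] = (int(spi), proposal.strip())
    return sa

def compare(a, b):
    """Return the list of mismatches between the manual SAs of peers A and B."""
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("tunnel endpoints are not swapped between peers")
    if a["encap"] != b["encap"]:
        problems.append("encapsulation mode differs")
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a[mine][0] != b[theirs][0]:
            problems.append(f"A {mine} SPI {a[mine][0]} != B {theirs} SPI {b[theirs][0]}")
        if a[mine][1] != b[theirs][1]:
            problems.append(f"A {mine} proposal != B {theirs} proposal")
    return problems
print(compare(parse_sa(ROUTER_A), parse_sa(ROUTER_B)))
```

An empty list means the displayed fields agree. The keys configured for the manual SAs do not appear in this output, so they still have to be checked in the configuration itself.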
2.3 Troubleshooting ISAKMP SA
This section covers the following topics:
- Typical networking
- Configuration notes
- Troubleshooting flowchart
- Troubleshooting procedure
2.3.1 Typical networking
Figure 2-5 shows the IPSec SA setup in ISAKMP mode.










