Router User Manual
Nortel Secure Router 8000 Series
Troubleshooting - VAS 2 IPSec and IKE troubleshooting
Issue 01.01 (30 March 2009) Nortel Networks Inc. 2-23
<RouterA> display ipsec sa policy map1
===============================
Interface: Ethernet4/2/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 37
encapsulation mode: transport
tunnel local : 202.38.163.1 tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 2940433602 (0xaf4374c2)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436496/708
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3424984209 (0xcc251c91)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436448/708
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
You can also use the display ipsec sa brief command to display brief information about
IPSec SAs.
<RouterA> display ipsec sa brief
Src Address     Dst Address     SPI          Protocol  Algorithm
--------------------------------------------------------------
202.38.162.1    202.38.163.1    1918468181   ESP       E:DES; A:HMAC-SHA1-96;
202.38.163.1    202.38.162.1    1156810487   ESP       E:DES; A:HMAC-SHA1-96;
If SA setup in Phase 2 fails, the reasons are as follows:
- The IPSec proposals or IPSec policies configured on the peer are mismatched.
- The ACLs at the two ends do not mirror each other.
You can use the display ipsec proposal name command and the display ipsec policy name
command on the two ends to view the IPSec proposals and policies and check whether the ACLs
mirror each other.
For more information, see “Troubleshooting manual IPSec SA setup.”
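The mirroring requirement above can be checked offline once the ACL rules from both ends are written down. The following Python code is an added example, not part of the Nortel manual: the (protocol, source, destination) rule format, the function names and the 10.1.x.x addresses are assumptions made for illustration and are not router syntax or output.

```python
import ipaddress

def normalize(rules):
    """Convert (protocol, source, destination) strings into comparable tuples.

    ip_network() accepts prefix, netmask and wildcard (host mask) notation,
    so 10.1.2.0/24 and 10.1.2.0/0.0.0.255 normalize to the same network.
    """
    return {
        (proto.lower(),
         ipaddress.ip_network(src, strict=False),
         ipaddress.ip_network(dst, strict=False))
        for proto, src, dst in rules
    }

def fmt(rule):
    proto, src, dst = rule
    return f"{proto} {src} -> {dst}"

def mirror_mismatches(local_rules, peer_rules):
    """Return (local_only, peer_only): rules whose mirror image
    (same protocol, source and destination swapped) is missing on the other end."""
    local, peer = normalize(local_rules), normalize(peer_rules)
    local_only = sorted(fmt(r) for r in local if (r[0], r[2], r[1]) not in peer)
    peer_only = sorted(fmt(r) for r in peer if (r[0], r[2], r[1]) not in local)
    return local_only, peer_only

# Constructed sample rules (hypothetical addresses, simplified format).
ROUTER_A = [
    ("ip",  "10.1.1.0/24", "10.1.2.0/24"),
    ("tcp", "10.1.1.0/24", "10.1.3.0/24"),
]
ROUTER_B = [
    ("ip",  "10.1.2.0/0.0.0.255", "10.1.1.0/24"),   # mirrors rule 1 on RouterA
    ("tcp", "10.1.3.0/25", "10.1.1.0/24"),          # /25 does not mirror /24
]

if __name__ == "__main__":
    a_only, b_only = mirror_mismatches(ROUTER_A, ROUTER_B)
    for line in a_only:
        print("RouterA rule with no mirror on RouterB:", line)
    for line in b_only:
        print("RouterB rule with no mirror on RouterA:", line)
```

Any rule reported on either side marks traffic that one end selects for protection and the other does not.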
If the SA is set up successfully in Phase 2, continue with the following steps.
Step 4 Check whether IPSec can encapsulate or decapsulate packets based on the SA.
Use the debugging ipsec packet command to view IPSec packet encapsulation and
decapsulation. You can also use the display ipsec statistics command to view IPSec statistics.
<RouterA> display ipsec statistics
the security packet statistics:
input/output security packets: 56/56
input/output security bytes: 4816/5600
input/output dropped security packets: 0/2










