Router User Manual

2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-34 Nortel Networks Inc. Issue 01.01 (30 March 2009)
| Item | Sub-item | Description |
|---|---|---|
| | Configure other items | See the configuration notes for “Troubleshooting ISAKMP SA.” |
| Configuring the local ID for IKE | Configure the local ID for IKE | You must configure a local ID for IKE because NAT traversal uses aggressive IKE negotiation and the local name is configured as the local authentication type. |
| Configuring the IPSec proposal | | See the configuration notes for “Troubleshooting ISAKMP SA.” |
| Configuring the IKE peer | Configure the IKE peer name | The name is a string of 1 to 15 characters. |
| | Configure the IKE negotiation mode | Use aggressive negotiation mode. |
| | Configure the sequence number of IKE proposals | Use the default IKE proposal in aggressive mode. |
| | Configure the local ID type | Specify the local name as the local ID. |
| | Configure the authenticator | Currently, only the pre-shared key authentication type is applicable. You must configure shared keys on the peer. The shared keys of two ends in the same SA must be the same. |
| | Configure the IP address or address segments of the peer | Configure the IP addresses or address segments for the IKE peer. If high-ip-address is not specified, configure only one IP address for the IKE peer. Here, the IP address of the peer must be a unique address because the IPSec policy template does not use the IKE peer. To configure IP addresses or address segments for peers, run the remote-address [ vpn-instance vpn-instance-name ] low-ip-address [ high-ip-address ] command in the IKE proposal view. |
| | Configure the peer name | The name is a string of 1 to 15 characters. If the local authentication mode is “name,” you must specify the peer name. |
| | Enable NAT | Enable NAT. |
| Configuring the IPSec policy | | See the configuration notes for “Troubleshooting ISAKMP SA.” |
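The notes in the table can be checked mechanically when comparing the two ends of a NAT traversal tunnel. The following is an added example, not part of the manual or of the router software; the dictionary field names and the sample values are constructed labels for the table's sub-items, not Secure Router 8000 command keywords.

```python
import ipaddress

# Constructed sample settings; the field names are hypothetical labels for the
# table's sub-items, not Secure Router 8000 command keywords.
BRANCH = {"local_id": "branch01", "ike_peer_name": "to-hq", "negotiation_mode": "aggressive",
          "local_id_type": "name", "authenticator": "pre-shared-key",
          "pre_shared_key": "constructed-key-A", "peer_name": "hq01",
          "remote_low": "192.0.2.10", "nat_enabled": True}
HQ = dict(BRANCH, local_id="hq01", ike_peer_name="to-branch", peer_name="branch01",
          negotiation_mode="main", pre_shared_key="constructed-key-B",
          remote_low="198.51.100.1", remote_high="198.51.100.20")

def check_end(cfg):
    """Return the notes from the table that one end's settings do not meet."""
    issues = []
    if not cfg.get("local_id"):
        issues.append("local ID for IKE is not configured")
    if not 1 <= len(cfg.get("ike_peer_name", "")) <= 15:
        issues.append("IKE peer name must be 1 to 15 characters")
    if cfg.get("negotiation_mode") != "aggressive":
        issues.append("negotiation mode must be aggressive")
    if cfg.get("local_id_type") != "name":
        issues.append("local ID type must be the local name")
    if not 1 <= len(cfg.get("peer_name", "")) <= 15:
        issues.append("peer name must be set, 1 to 15 characters")
    if cfg.get("authenticator") != "pre-shared-key":
        issues.append("only pre-shared key authentication is applicable")
    if not cfg.get("nat_enabled"):
        issues.append("NAT is not enabled on the IKE peer")
    try:
        low = ipaddress.ip_address(cfg["remote_low"])
        # Without high-ip-address the peer is a single address.
        high = ipaddress.ip_address(cfg.get("remote_high") or cfg["remote_low"])
        if high < low:
            issues.append("high-ip-address is lower than low-ip-address")
    except (KeyError, TypeError, ValueError):
        issues.append("peer address is missing or invalid")
    return issues

def check_pair(a, b):
    """Check both ends, then the one cross-end rule: identical shared keys."""
    pair = []
    if not a.get("pre_shared_key") or a.get("pre_shared_key") != b.get("pre_shared_key"):
        pair.append("pre-shared keys differ between the two ends")
    return {"a": check_end(a), "b": check_end(b), "pair": pair}

if __name__ == "__main__":
    print(check_pair(BRANCH, HQ))
```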