Router User Manual
2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-36 Nortel Networks Inc. Issue 01.01 (30 March 2009)
Item Sub-item Description
Configure the IP
addresses or
address segments
of the peer
Configure the IP addresses or address segments for
an IKE peer. If high-ip-address is not specified,
configure only one IP address for an IKE peer.
Here, the IP address of the peer must be a unique
address because the IPSec policy template does
not use the IKE peer.
To configure IP addresses or address segments for
peers, run the remote-address [ vpn-instance
vpn-instance-name ] low-ip-address
[ high-ip-address ] command in the IKE proposal
view.
Configure the
peer name
The name is a string of 1 to 15 characters.
If the local authentication mode is “name,” you
must specify the peer name.
Enable NAT Enable NAT.
Configuring the
IPSec policy
template
— See the configuration notes for “Troubleshooting
SA setup using an IPSec policy template.”
Configuring the
IPSec policies
and applying the
IPSec policy
template
— See the configuration notes for “
Troubleshooting
SA setup using an IPSec policy template.”
Applying the
IPSec policy
group
— See the configuration notes for “Troubleshooting
SA setup using an IPSec policy template.”
Configure Router A, Firewall C, and Router B.
The commands listed in the following sections cover part of IPSec configuration. For more information,
see Nortel Secure Router 8000 Series Configuration Guide - Security (NN46240-600).
Firewall C
Configure routes and an address pool with addresses from 202.38.162.11 to 202.38.162.20 on
Firewall C. Enable NAT on the egress Ethernet 0/0/1.
For information about firewall configuration, see the related firewall configuration documentation.
Router A
For detailed configuration information and precautions, see the configuration notes for
“
Troubleshooting ISAKMP SA.”
1. Configure the IKE local ID.