3com 3031 Instruccion De Instalación
870
C
HAPTER
61: IKE C
ONFIGURATION
The two parties of the negotiation have no matched proposal. For the negotiation
at stage 1, you can look up the IKE proposals for a match. For the negotiation at
stage 2, you can check whether the parameters of the IPSec polices applied on the
interfaces are matched, and whether the referenced IPSec proposals have a match
in protocol, encryption and authentication algorithms.
at stage 1, you can look up the IKE proposals for a match. For the negotiation at
stage 2, you can check whether the parameters of the IPSec polices applied on the
interfaces are matched, and whether the referenced IPSec proposals have a match
in protocol, encryption and authentication algorithms.
Symptom 3: Unable to establish security channel
Troubleshooting: Check whether the network is stable and the security channel is
established correctly. Sometimes there is a security channel but there is no way to
communicate, and ACL of both parties are checked to be configured correctly, and
there is also matched policy.
established correctly. Sometimes there is a security channel but there is no way to
communicate, and ACL of both parties are checked to be configured correctly, and
there is also matched policy.
In this case, the problem is usually cased by the restart of one router after the
security channel is established. Solution:
security channel is established. Solution:
■
Use the command
display ike sa
to check whether both parties have
established SA of Phase 1.
■
Use the command
display ipsec sa
to check whether the ipsec policy on
interface has established IPSec SA.
■
If the above two results display that one party has SA but the other does not,
then use the command
then use the command
reset ike sa
to clear SA with error and re-originate
negotiation.