User Manual for Huawei v200r001

User Manual - Configuration Guide  (Volume 3)
Versatile Routing Platform
Chapter 5
Configuration of IKE
Problem 1: Invalid user ID information
Troubleshooting: please follow the steps below.
User ID information is the data that the user originating IPSec communication uses to
identify itself. In practical applications, the user ID can be used to establish different
security paths for protecting different data streams. At present, the user's IP address is
used to identify the user.
got NOTIFY of type INVALID_ID_INFORMATION
or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
Check whether the ACL contents in the cryptomap configured on the interfaces of both
ends are compatible. It is recommended to configure the ACLs of both ends to mirror
each other.
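The mirror check recommended above, as an added example that is not part of the original manual. The (protocol, source, destination) tuples are a constructed, vendor-neutral stand-in for each end's ACL rules, not VRP ACL syntax, and the networks are made-up sample values.

```python
from ipaddress import ip_network

# Constructed sample data (assumption): protected flows on each end.
SITE_A = [("ip", "10.1.1.0/24", "10.2.2.0/24"),
          ("ip", "10.1.3.0/24", "10.2.0.0/16"),
          ("tcp", "10.1.5.0/24", "10.2.5.0/24")]
SITE_B = [("ip", "10.2.2.0/24", "10.1.1.0/24"),
          ("ip", "10.2.4.0/24", "10.1.3.0/24")]

def parse(rules):
    """Turn (protocol, source, destination) strings into comparable tuples."""
    return {(p.lower(), ip_network(s), ip_network(d)) for p, s, d in rules}

def mirror(rule):
    """Swap source and destination: the rule the far end must carry."""
    proto, src, dst = rule
    return (proto, dst, src)

def unmirrored(local, remote):
    """List local rules that have no exact mirror on the remote end.

    Each finding is (rule, kind, near_rules). kind is "near-miss" when the
    remote end has a rule covering overlapping addresses (different prefix
    length or protocol), otherwise "missing".
    """
    local, remote = parse(local), parse(remote)
    findings = []
    for rule in sorted(local, key=str):
        want = mirror(rule)
        if want in remote:
            continue
        # Overlap without equality is the easy-to-miss case: both ends
        # "cover" the traffic, yet the proposed IDs still differ.
        near = [r for r in remote
                if r[1].overlaps(want[1]) and r[2].overlaps(want[2])]
        kind = "near-miss" if near else "missing"
        findings.append((rule, kind, sorted(near, key=str)))
    return findings

if __name__ == "__main__":
    for end, (loc, rem) in {"A": (SITE_A, SITE_B), "B": (SITE_B, SITE_A)}.items():
        for (proto, src, dst), kind, near in unmirrored(loc, rem):
            print(f"end {end}: {proto} {src} -> {dst}: {kind}", *near)
```

Run it in both directions, as the main block does, because a rule present on only one end shows up from that end's side only.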
Problem 2: Unmatched policy
Troubleshooting: please follow the steps below.
Enable the debug ike error command to see the debugging information:
got NOTIFY of type NO_PROPOSAL_CHOSEN
or
drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN
The two parties of the negotiation have no matching policy. Check the protocol used by
the cryptomap configured on the interfaces of both parties to see whether the encryption
algorithm and authentication algorithm are the same.
Problem 3: Unable to establish security channel
Troubleshooting: please follow the steps below.
Check whether the network is stable and the security channel is established correctly.
Sometimes a security channel exists but communication is not possible, even though the
ACLs of both parties have been checked and are configured correctly and there is a
matching policy. In this case, the problem is usually caused by the restart of one router
after the security channel is established.
Solution:
1) Use the command show crypto ike sa to check whether both parties have
established an SA of Phase 1.
2) Use the command show crypto ipsec sa map to check whether the cryptomap
on the interface has established an IPSec SA.
3) If the above two results show that one party has an SA but the other does not, then
use the command clear crypto ike sa to clear the SA with the error and re-originate
the negotiation.