Panasonic 8000 User Manual


Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

    IPsec Policy Group: "map1"
    Using local-address: {}
    Using interface: {Ethernet0/2/0}
    IPsec policy name: "map1"
    sequence number: 10
    mode: manual
    security data flow: 3101
    tunnel local address: 202.38.163.1
    tunnel remote address: 202.38.162.1
    proposal name: tran1
    inbound AH setting:
      AH spi:
      AH string-key:
      AH authentication hex key:
    inbound ESP setting:
      ESP spi: 54321 (0xd431)
      ESP string-key: gfedcba
      ESP encryption hex key:
      ESP authentication hex key:
    outbound AH setting:
      AH spi:
      AH string-key:
      AH authentication hex key:
    outbound ESP setting:
      ESP spi: 12345 (0x3039)
      ESP string-key: abcdefg
      ESP encryption hex key:
      ESP authentication hex key:

The preceding display indicates that the IPSec policy is applied to the interfaces. If it is not,
the following two items are displayed as null:

Using interface: { }

tunnel local address: 0.0.0.0

Note the following:

The IPSec tunnel is bidirectional. For one data flow, you must configure SAs in both the
inbound direction and the outbound direction. Therefore, the SPIs, authentication shared
keys, and encryption shared keys for the outbound direction on Router A should be the
same as those for the inbound direction on Router B, while the SPIs, authentication shared
keys, and encryption shared keys for the inbound direction on Router A should be the same
as those for the outbound direction on Router B.

The local and remote addresses of the two tunnel ends on Router A and Router B should
mirror each other. That is, the tunnel local address on Router A matches the tunnel
remote address on Router B, and the tunnel remote address on Router A matches the
tunnel local address on Router B.
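The two notes above can be checked mechanically by comparing the policy display captured from both routers. The following is an added example, not part of the Nortel manual: `parse_policy` and `check_pair` are hypothetical helper names, Router A's text is trimmed from the display above, and Router B's text is constructed for the illustration.

```python
import re

def parse_policy(text):
    """Parse the policy display shown above into a dict; SA fields are nested per direction."""
    policy, section = {}, None
    for line in (l for l in text.splitlines() if ":" in l):
        key, value = (part.strip() for part in line.split(":", 1))
        m = re.fullmatch(r"(inbound|outbound) (AH|ESP) setting", key)
        if m:
            section = policy.setdefault(f"{m.group(1)} {m.group(2)}", {})
        elif section is not None and key.startswith(("AH ", "ESP ")):
            section[key.split(" ", 1)[1]] = value
        else:
            policy[key] = value
    return policy

def check_pair(a, b):
    """Return mismatches between Router A and Router B (field names only, never key values)."""
    problems = []
    for name, p in (("A", a), ("B", b)):
        # An unapplied policy shows "Using interface: { }" and local address 0.0.0.0.
        if not p.get("Using interface", "").strip("{} ") or p.get("tunnel local address") == "0.0.0.0":
            problems.append(f"Router {name}: policy not applied to an interface")
    for mine, theirs in (("local", "remote"), ("remote", "local")):
        if a.get(f"tunnel {mine} address") != b.get(f"tunnel {theirs} address"):
            problems.append(f"tunnel {mine} address on A != tunnel {theirs} address on B")
    for proto in ("AH", "ESP"):
        for a_dir, b_dir in (("outbound", "inbound"), ("inbound", "outbound")):
            sa_a, sa_b = a.get(f"{a_dir} {proto}", {}), b.get(f"{b_dir} {proto}", {})
            for field in sorted(set(sa_a) | set(sa_b)):
                if sa_a.get(field, "") != sa_b.get(field, ""):
                    problems.append(f"{proto} {field}: A {a_dir} != B {b_dir}")
    return problems

# Router A: trimmed from the display above. Router B is constructed, not from the manual.
ROUTER_A = """Using interface: {Ethernet0/2/0}
tunnel local address: 202.38.163.1
tunnel remote address: 202.38.162.1
inbound ESP setting:
ESP spi: 54321 (0xd431)
ESP string-key: gfedcba
outbound ESP setting:
ESP spi: 12345 (0x3039)
ESP string-key: abcdefg
"""
SWAP = {"inbound": "outbound", "outbound": "inbound", "local": "remote", "remote": "local"}
ROUTER_B = re.sub("|".join(SWAP), lambda m: SWAP[m.group()], ROUTER_A)

print(check_pair(parse_policy(ROUTER_A), parse_policy(ROUTER_B)) or "consistent")
```

The report names only the mismatching field and direction, so the output can be shared in a ticket without exposing key material.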

If the configuration on the two ends is consistent, continue with the following steps.

Step 5 Check whether SAs are generated.

SAs are generated when some matched data passes the interface after IPSec policies are
applied. Use the display ipsec sa policy command to view the SA setup.

Issue 01.01 (30 March 2009)

Nortel Networks Inc.
