Panasonic 8000 User Manual


2 IPSec and IKE troubleshooting

Nortel Secure Router 8000 Series

Troubleshooting - VAS

Use the display ike sa command to view SAs in Phase 1.

<RouterA> display ike sa

connection-id  peer          flag   VPN  phase  doi
14             202.38.162.1  RD|ST       1      IPSEC

The display indicates that the Phase 1 SA with the peer 202.38.162.1 has been set up. If no SA is displayed or the flag is not RD, SA setup in Phase 1 has failed.

In that case, check the IKE proposals and the IKE peer on the two ends.

1. Check the IKE proposals configured on the tunnel ends.

Users can apply the default IKE proposal or specify flexible proposals. Use the display ike proposal command to check whether configurations on both ends are the same.

<RouterA> display ike proposal

priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400

2. Check the IKE peer on the tunnel ends.

Use the display ike peer name command to view the IKE peer.

<RouterA> display ike peer name routerb

IKE Peer : routerb
exchange mode: aggressive on phase 1
pre-shared-key: nortel
proposal:
local id type: name
peer ip address: 202.38.162.1
peer name: routerb
nat traversal: disable

If the SA is set up successfully in Phase 1, continue with the following steps.

Step 3 Check whether the SA is set up in Phase 2

Use the display ike sa command to view SAs in Phase 2.

<RouterA> display ike sa

connection-id  peer          flag   VPN  phase  doi
15             202.38.162.1  RD|ST  0    2      IPSEC
14             202.38.162.1  RD|ST  0    1      IPSEC

The preceding display indicates that both the Phase 1 and the Phase 2 SAs with the peer 202.38.162.1 have been set up. If no SA is displayed or the flag is not RD, SA setup in Phase 2 has failed.
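The Phase 1 and Phase 2 checks above can be applied to captured display ike sa output with a short script. This is an added example, not code from the manual or the vendor; the function names are hypothetical, and it assumes whitespace-separated columns in the order shown in the displays above.

```python
# Added example, not vendor code. Assumption: whitespace-separated columns
# under a header row starting with "connection-id"; flags joined by "|".

def parse_ike_sa(output):
    """Return one dict per SA row, keyed by the lower-cased header names."""
    header, rows = None, []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("<"):
            continue  # blank line or the prompt/command echo
        if header is None:
            if fields[0].lower() == "connection-id":
                header = [f.lower() for f in fields]
            continue
        if len(fields) == len(header):  # skip truncated or wrapped lines
            rows.append(dict(zip(header, fields)))
    return rows

def phase_status(output, peer):
    """Map phase -> True when the peer has an SA in that phase flagged RD."""
    status = {"1": False, "2": False}
    for sa in parse_ike_sa(output):
        flags = sa.get("flag", "").split("|")
        if sa.get("peer") == peer and sa.get("phase") in status and "RD" in flags:
            status[sa["phase"]] = True
    return status

def diagnose(output, peer):
    """Apply the page's rule: no SA, or a flag without RD, means failure."""
    status = phase_status(output, peer)
    if not status["1"]:
        return "phase 1 failed: check IKE proposals and IKE peer on both ends"
    if not status["2"]:
        return "phase 1 up, phase 2 failed"
    return "phase 1 and phase 2 SAs are set up"

# Constructed sample captures; the peer address is the one used on this page.
HEADER = "connection-id  peer          flag   VPN  phase  doi\n"
BOTH_UP = ("<RouterA> display ike sa\n" + HEADER +
           "15             202.38.162.1  RD|ST  0    2      IPSEC\n"
           "14             202.38.162.1  RD|ST  0    1      IPSEC\n")
PHASE1_ONLY = HEADER + "14  202.38.162.1  RD|ST  0  1  IPSEC\n"
NOT_READY = HEADER + "14  202.38.162.1  ST  0  1  IPSEC\n"  # RD flag absent

if __name__ == "__main__":
    for name, capture in [("both up", BOTH_UP), ("phase 1 only", PHASE1_ONLY),
                          ("flag not RD", NOT_READY), ("no SA", HEADER)]:
        print(f"{name}: {diagnose(capture, '202.38.162.1')}")
```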

After IKE SA setup in Phase 2 is complete, an IPSec SA is generated based on the Phase 2
IKE SA and then delivered to IPSec.

An IPSec SA has an inbound and an outbound direction. You can use the display ipsec sa policy command to view IPSec SAs specified with IPSec policies.


Nortel Networks Inc.

Issue 01.01 (30 March 2009)
