Panasonic 8000 User Manual

Page 70

Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

<RouterA> display ipsec sa policy map1
Interface: Ethernet4/2/0
path MTU : 1500
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
connection id: 37
encapsulation mode: transport
tunnel local : 202.38.163.1 tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 2940433602 (0xaf4374c2)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436496/708
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3424984209 (0xcc251c91)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436448/708
max sent sequence-number: 5
udp encapsulation used for nat traversal: N

You can also use the display ipsec sa brief command to display brief information about
IPSec SAs.

<RouterA> display ipsec sa brief
Src Address     Dst Address     SPI          Protocol   Algorithm
202.38.162.1    202.38.163.1    1918468181   ESP        E:DES; A:HMAC-SHA1-96;
202.38.163.1    202.38.162.1    1156810487   ESP        E:DES; A:HMAC-SHA1-96;

If SA setup in Phase 2 fails, the possible causes are as follows:

The IPSec proposals or IPSec policies configured on the two peers do not match.

The ACLs at the two ends do not mirror each other.

Use the display ipsec proposal name command and the display ipsec policy name
command on both ends to view the IPSec proposals and policies, and check whether the ACLs
mirror each other.

For more information, see “Troubleshooting manual IPSec SA setup.”

If the SA is set up successfully in Phase 2, continue with the following steps.

Step 4 Check whether IPSec can encapsulate or decapsulate packets based on the SA.

Use the debugging ipsec packet command to view IPSec packet encapsulation and
decapsulation. You can also use the display ipsec statistics command to view IPSec statistics.

<RouterA> display ipsec statistics

the security packet statistics:

input/output security packets : 56/56

input/output security bytes: 4816/5600

input/output dropped security packets: 0/2
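The checks in Step 3 and Step 4 can be scripted against captured command output. The following is an added example, not part of the Nortel manual: it parses the display ipsec sa and display ipsec statistics formats shown on this page and reports a missing SA direction, one-way traffic, or dropped packets. The function names, the sample text (the page's output, trimmed) and the one-way-traffic heuristic are assumptions of the example.

```python
import re

# Constructed sample: the outputs shown on this page, OCR damage repaired and trimmed.
SA_OUTPUT = """\
IPsec policy name: "map1"
tunnel local : 202.38.163.1 tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 2940433602 (0xaf4374c2)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
[outbound ESP SAs]
spi: 3424984209 (0xcc251c91)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
"""
STATS_OUTPUT = """\
input/output security packets : 56/56
input/output security bytes: 4816/5600
input/output dropped security packets: 0/2
"""

def parse_sas(text):
    """Map 'inbound'/'outbound' to the key: value fields listed under each SA header."""
    sas, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"\[(inbound|outbound) (\w+) SAs\]", line)
        if m:
            cur = sas.setdefault(m.group(1), {"protocol": m.group(2)})
        elif cur is not None and ":" in line:
            key, val = line.split(":", 1)
            cur[key.strip()] = val.strip()
    return sas

def parse_stats(text):
    """Map each counter name to its (input, output) pair."""
    pat = re.compile(r"input/output (.+?)\s*:\s*(\d+)/(\d+)")
    return {m[1]: (int(m[2]), int(m[3])) for m in pat.finditer(text)}

def triage(sa_text, stats_text):
    """Return findings for Step 3 (SA pair present) and Step 4 (packet counters)."""
    sas, stats, findings = parse_sas(sa_text), parse_stats(stats_text), []
    for direction in ("inbound", "outbound"):
        if direction not in sas:
            findings.append(f"no {direction} SA: Phase 2 incomplete")
    pk_in, pk_out = stats.get("security packets", (0, 0))
    if pk_out and not pk_in:  # assumed heuristic: traffic flows one way only
        findings.append("packets encapsulated but none decapsulated")
    dropped = stats.get("dropped security packets", (0, 0))
    if any(dropped):
        findings.append("dropped security packets in/out: %d/%d" % dropped)
    return findings

if __name__ == "__main__":
    print(triage(SA_OUTPUT, STATS_OUTPUT))
```
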

Issue 01.01 (30 March 2009)

Nortel Networks Inc.

2-23
