Entering a peer public key, Displaying and maintaining public keys – H3C Technologies H3C S12500-X Series Switches User Manual

Page 180


# On the responder:
[Sysname] display acl 3000
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0

3. Verify that the IPsec policy has a remote address and an IPsec transform set configured, and that the IPsec transform set has all necessary settings configured. If, for example, the IPsec policy has no remote address configured, the IPsec SA negotiation will fail:

[Sysname] display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: Vlan-interface1
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: isakmp
-----------------------------
Description:
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address:
Transform set: transform1
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:


Solution

1. If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, remove the reference.

2. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, modify the responder's ACL so that it defines a flow range equal to or greater than that of the initiator's ACL. For example:

[Sysname] display acl 3000
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255

3. Configure the missing settings (for example, the remote address).
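As an added example that is not part of the H3C manual, the following Python script parses two "display acl" outputs in the format shown above and reports which initiator rules the responder's ACL fails to cover, which is the condition step 2 of the solution checks. The sample outputs are constructed, and the script assumes both ACLs describe the flow in the same direction and use contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed 'display acl' output in the manual's format (illustrative, not captured
# from a switch): the initiator covers 192.168.222.0/24, the responder one host pair.
INITIATOR_ACL = """Advanced ACL 3000, named -none-, 1 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
"""
RESPONDER_ACL_BEFORE = """Advanced ACL 3000, named -none-, 1 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
"""
RESPONDER_ACL_AFTER = INITIATOR_ACL  # responder after step 2 of the solution

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def wildcard_to_network(addr, wildcard):
    """Comware 'address wildcard' -> IPv4Network. Wildcard bit 1 = don't care;
    the bare '0' shown for a host rule is short for 0.0.0.0."""
    mask = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if mask & (mask + 1):  # non-contiguous wildcard has no prefix-length form
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - mask.bit_length()), strict=False)

def parse_permit_rules(acl_text):
    """Return [(rule_id, src_net, dst_net)] for each 'permit ip' rule in the output."""
    rules = []
    for m in RULE_RE.finditer(acl_text):
        rid, src, swc, dst, dwc = m.groups()
        rules.append((int(rid), wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return rules

def uncovered_initiator_rules(responder_acl, initiator_acl):
    """Initiator rule ids whose flow is not fully inside some responder rule.
    Empty list = responder flow range equal to or greater than the initiator's."""
    responder = parse_permit_rules(responder_acl)
    missing = []
    for rid, src, dst in parse_permit_rules(initiator_acl):
        if not any(src.subnet_of(rs) and dst.subnet_of(rd) for _, rs, rd in responder):
            missing.append(rid)
    return missing

if __name__ == "__main__":
    print("before fix:", uncovered_initiator_rules(RESPONDER_ACL_BEFORE, INITIATOR_ACL))  # [0]
    print("after fix: ", uncovered_initiator_rules(RESPONDER_ACL_AFTER, INITIATOR_ACL))   # []
```

A non-empty result means the responder's ACL is narrower than the initiator's and the IPsec SA negotiation fails for the uncovered flows; the reverse comparison (a wider responder against a narrower initiator) returns an empty list.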
