2 IPSec and IKE troubleshooting

Nortel Secure Router 8000 Series

Troubleshooting - VAS

2.2.4 Troubleshooting procedure

Step 1 Check whether the two ends of the tunnel can reach each other with no IPSec policy applied.

Use the undo ipsec policy command on interfaces at the IPSec tunnel ends.

On PC A, ping PC B.

A failed ping indicates a faulty route or link between PC A and PC B. For information about
removing the fault, see Nortel Secure Router 8000 Series Troubleshooting - IP Routing
(NN46240-706).

If the ping succeeds, the fault may be related to IPSec. Continue with the following steps.

Step 2 Check that the ACLs used in the IPSec policies at the two ends mirror each other.

Use the display acl 3101 command on Router A and Router B to check that the source and
destination addresses defined in the ACL rules on one router are the destination and source
addresses in the rules on the other.

# View the ACL on Router A.

<RouterA> display acl 3101

Advanced ACL 3101, 1 rule

Acl's step is 5

rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (0 times matched)

# View the ACL on Router B.

<RouterB> display acl 3101

Advanced ACL 3101, 1 rule

Acl's step is 5

rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (0 times matched)

If the source and destination addresses do not mirror each other, modify the ACL rules. If
they do, continue with the following steps.

Step 3 Check that IPSec proposals applied on the tunnel ends are consistent.

Use the display ipsec proposal name command on Router A and Router B to check whether
the configured IPSec proposals are consistent.

<RouterA> display ipsec proposal name tran1

IPsec proposal name : tran1

encapsulation mode: tunnel

transform : esp-new

ESP protocol: authentication sha1-hmac-96, encryption des

If the IPSec proposals are different, modify them. Otherwise, continue with the following
steps.

Step 4 Check that IPSec policies are configured correctly.

Check whether IPSec policies are configured correctly and whether they are applied to the
specified interfaces.

Use the display ipsec policy name command to view the specified IPSec policy.

<RouterA> display ipsec policy name map1
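
The mirror check from Step 2 can be scripted once the display acl output of both routers has been captured as text. The following Python is an added example, not part of the Nortel manual; the sample listings are constructed, the function names are hypothetical, and only the rule form shown in Step 2 is parsed.

```python
import ipaddress
import re

# Constructed `display acl 3101` output; rule 10 on Router B has a wrong wildcard.
ROUTER_A = """Advanced ACL 3101, 2 rules
Acl's step is 5
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (0 times matched)
rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (0 times matched)
"""
ROUTER_B = """Advanced ACL 3101, 2 rules
Acl's step is 5
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (0 times matched)
rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.1.255 (0 times matched)
"""

# Only the "source <addr> <wildcard> destination <addr> <wildcard>" form shown
# on the page is parsed; other rule forms are an assumption left out here.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+(\S+)\s+source\s+(\S+)\s+(\S+)"
    r"\s+destination\s+(\S+)\s+(\S+)")


def net(addr, wildcard):
    """Mask out wildcard bits so 10.1.1.7/0.0.0.255 equals 10.1.1.0/0.0.0.255."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF, w)


def parse_acl(text):
    """Map each (action, protocol, source, destination) flow to its rule id."""
    rules = {}
    for m in RULE_RE.finditer(text):
        rid, action, proto, src, sw, dst, dw = m.groups()
        rules[(action, proto, net(src, sw), net(dst, dw))] = int(rid)
    return rules


def unmirrored(local, peer):
    """Rule ids in local with no peer rule that swaps source and destination."""
    return sorted(rid for (act, proto, src, dst), rid in local.items()
                  if (act, proto, dst, src) not in peer)


def check_mirror(text_a, text_b):
    a, b = parse_acl(text_a), parse_acl(text_b)
    return {"RouterA": unmirrored(a, b), "RouterB": unmirrored(b, a)}


if __name__ == "__main__":
    print(check_mirror(ROUTER_A, ROUTER_B))
```

An empty list for both routers means every rule has a mirrored counterpart; any rule id listed is one to correct before continuing with Step 3.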


Nortel Networks Inc.

Issue 01.01 (30 March 2009)
