
Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

2.4.4 Troubleshooting procedure

Step 1 Check whether two ends of the tunnel are reachable with no IPSec policy applied.

Use the undo ipsec policy command on the IPSec tunnel ends.

Close the IPSec client on PC C. Ping PC A from PC C.

A failed ping indicates a faulty route or link between PC A and PC C. For information about
removing the fault, see Nortel Secure Router 8000 Series Troubleshooting - IP Routing
(NN46240-706).

If the ping succeeds, the fault may be related to IPSec. Continue with the following steps.

Step 2 Check that IPSec tunnel setup is not triggered by the communication party applying the IPSec
policy template.

Ping PC A from PC C.

The IP address of PC C is uncertain, so on Router A, the IPSec template specifies no policy
rules. Router A should operate as the negotiation responder.

Step 3 Check that SAs are set up in Phase 1 and Phase 2.

Refer to the troubleshooting procedure in “Troubleshooting ISAKMP SA.”

After SA setup succeeds in Phase 1 and Phase 2, continue with the following steps.

Step 4 Check IPSec policies:

Check whether the ACL used by the IPSec policy on the negotiation responder contains a
single rule.

If the peer is a PC with an uncertain IP address, the PC should have IPSec capability and
should have the related software installed. The details vary based on the applied software
and are not described here.

If the peer is a router with an uncertain IP address, ensure that the ACL contains a single
rule.

The ACL can be unspecified on the end using the IPSec policy template.

On the end using the IPSec policy template, if the peer has an unspecified IP address,
you need not configure the ACL used in the IPSec policy template.

The IP address can be unspecified on the end using the IPSec policy template.

On the end that uses the IPSec policy template, if the peer has an unspecified IP address,
you need not configure the IP address or address segment used in the IPSec policy
template.

Check whether the priority of the policy that uses the IPSec policy template is the lowest.

Within the same IPSec policy group, check whether the priority of the policy is the
lowest.

You can use the display ipsec policy name command to view details about IPSec policy
groups or the display ipsec policy brief command to view brief information.

<RouterA> display ipsec policy name map1

IPsec Policy Group: "map1"

Using local-address: {}

Using interface: {GigabitEthernet1/0/1}
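
The Step 4 checks, written as a small Python audit over a model of one IPSec policy group. This is an added example, not part of the Nortel manual: the PolicyEntry model, the audit_step4 function and the sample entries are hypothetical, and it assumes that a larger sequence number means a lower priority within the group.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PolicyEntry:
    seq: int                         # assumed: larger number = lower priority
    uses_template: bool              # entry is built from an IPSec policy template
    acl_rules: Optional[List[str]]   # None = no ACL configured on this entry
    peer_address: Optional[str]      # None = peer address left unspecified


def audit_step4(group: List[PolicyEntry]) -> List[str]:
    """Return Step 4 findings for one IPSec policy group."""
    findings = []
    if not group:
        return findings
    lowest = max(e.seq for e in group)
    for e in sorted(group, key=lambda e: e.seq):
        if not e.uses_template:
            continue
        # The template entry must be the lowest-priority entry in its group.
        if e.seq != lowest:
            findings.append(f"seq {e.seq}: template policy is not the lowest priority")
        # An ACL is optional on the template end; if present, it needs a single rule.
        if e.acl_rules is not None and len(e.acl_rules) != 1:
            findings.append(f"seq {e.seq}: ACL has {len(e.acl_rules)} rules, expected 1")
        # peer_address may stay None on the template end, so it is not flagged.
    return findings


# Constructed sample data for group "map1"; addresses are documentation ranges.
BROKEN = [
    PolicyEntry(10, True, ["permit 10.1.1.0/24", "permit 10.1.2.0/24"], None),
    PolicyEntry(20, False, ["permit 10.2.1.0/24"], "192.0.2.1"),
]
FIXED = [
    PolicyEntry(10, False, ["permit 10.2.1.0/24"], "192.0.2.1"),
    PolicyEntry(20, True, None, None),
]

if __name__ == "__main__":
    for name, group in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit_step4(group) or "no findings")
```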

Issue 01.01 (30 March 2009)

Nortel Networks Inc.
