
Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

Summary

If the ISAKMP SA keep-alive function is disabled, a peer that stays up does not detect that the other device has restarted and keeps its stale SA. In that case you must remove the related SA manually after the device is restarted.

2.8 FAQs

Q: In an unstable network, SAs cannot be set up, or SAs are set up but communication between the peers fails even though the ACLs and security proposals on both ends match. Why?

A: The possible cause is that the router on one end restarts after the SAs are set up, so the other end still holds SAs that its peer no longer knows about.

Use the display ike sa command to check whether IKE SAs in Phase 1 are set up on
peers.

Use the display ipsec sa policy command to check whether IPSec SAs are set up on the
interfaces.

If the output shows that only one end is configured with an SA, use the reset ike sa
command to remove the SA and initiate a new negotiation.

Q: During IPSec debugging, the message "Got NOTIFY of type NO_PROPOSAL_CHOSEN" or "drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN" is displayed. What does this indicate?

A: The negotiating ends have no matching proposal. The address A.B.C.D identifies the peer that rejected the proposal.

Check whether the IKE proposals on the two ends match for the Phase 1 negotiation.

Check whether the IPSec policy parameters and the IPSec proposals on the two ends match for the Phase 2 negotiation, in particular the security protocol, the encryption algorithm, and the authentication algorithm.
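The following Python model, added here as an example and not code from the Nortel Secure Router or its documentation, shows what "matched proposal" means in practice: the responder accepts the first proposal in the initiator's priority list that it also supports, independently for Phase 1 and Phase 2, and the phase with no common proposal is the one that produces NO_PROPOSAL_CHOSEN. The field names, the sample proposal lists and the mismatch report are constructed for illustration; the report lists which parameters keep the closest pair of proposals from matching, which is the information you need when checking the two ends.

```python
"""Model of IKE Phase 1 / Phase 2 proposal matching and mismatch diagnosis.

Added example, not the Nortel Secure Router's own code. It models the
responder picking the first initiator proposal that it also supports, in
the initiator's priority order, and reports NO_PROPOSAL_CHOSEN for the
phase in which nothing matches. Field names and sample proposals are
constructed for illustration.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class IkeProposal:
    """Phase 1 (ISAKMP SA) parameters that must agree on both peers."""
    encryption: str   # e.g. "aes-128", "3des"
    hash: str         # e.g. "sha1", "md5"
    dh_group: int     # e.g. 2, 5, 14
    auth_method: str  # e.g. "pre-share", "rsa-sig"


@dataclass(frozen=True)
class IpsecProposal:
    """Phase 2 (IPSec SA) parameters that must agree on both peers."""
    protocol: str     # "esp" or "ah"
    encryption: str   # e.g. "aes-128", "3des"
    auth: str         # e.g. "sha1-hmac-96", "md5-hmac-96"
    mode: str         # "tunnel" or "transport"


def choose_proposal(initiator, responder):
    """Return the first initiator proposal also present in the responder's
    list (initiator priority order), or None for NO_PROPOSAL_CHOSEN."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def differing_fields(a, b):
    """Names of the parameters on which two proposals of the same kind differ."""
    return [f.name for f in fields(a) if getattr(a, f.name) != getattr(b, f.name)]


def explain_mismatch(initiator, responder):
    """For each initiator proposal, find the closest responder proposal and
    the parameters that keep them from matching. Use when choose_proposal()
    returns None to see what to change on one end."""
    report = []
    for proposal in initiator:
        closest = min(responder, key=lambda r: len(differing_fields(proposal, r)))
        report.append((proposal, closest, differing_fields(proposal, closest)))
    return report


def negotiate(local_ike, local_ipsec, peer_ike, peer_ipsec):
    """Run Phase 1 then Phase 2. Returns (2, (ike, ipsec)) on success, or
    (phase, "NO_PROPOSAL_CHOSEN", report) naming the failing phase."""
    p1 = choose_proposal(local_ike, peer_ike)
    if p1 is None:
        return (1, "NO_PROPOSAL_CHOSEN", explain_mismatch(local_ike, peer_ike))
    p2 = choose_proposal(local_ipsec, peer_ipsec)
    if p2 is None:
        return (2, "NO_PROPOSAL_CHOSEN", explain_mismatch(local_ipsec, peer_ipsec))
    return (2, (p1, p2))


# Constructed sample: Phase 1 matches on the second proposal, Phase 2 fails
# because the peer's IPSec proposal uses a different authentication algorithm.
LOCAL_IKE = [IkeProposal("aes-128", "sha1", 2, "pre-share"),
             IkeProposal("3des", "md5", 2, "pre-share")]
PEER_IKE = [IkeProposal("3des", "md5", 2, "pre-share")]
LOCAL_IPSEC = [IpsecProposal("esp", "aes-128", "sha1-hmac-96", "tunnel")]
PEER_IPSEC = [IpsecProposal("esp", "aes-128", "md5-hmac-96", "tunnel")]


def demo():
    """Negotiate with the constructed sample; fails in Phase 2 on 'auth'."""
    return negotiate(LOCAL_IKE, LOCAL_IPSEC, PEER_IKE, PEER_IPSEC)


if __name__ == "__main__":
    phase, *rest = demo()
    print(f"Phase {phase}: {rest}")
```

Running the sample reports Phase 2 as the failing phase with `auth` as the only differing parameter, which is the same conclusion you would reach by comparing the IPSec proposals on both routers by hand; the point of the model is that Phase 1 succeeding tells you nothing about Phase 2, so both have to be checked.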

Q: How do I make modified IPSec or IKE configurations take effect?

A: If you modify IPSec or IKE parameters, such as the parameters of IKE proposals, IKE peers, or IPSec proposals, reapply the IPSec policy to the interface and then run the reset ike sa command in the user view. Existing SAs were negotiated with the old parameters; removing them forces a new negotiation that uses the modified configuration.

Q: Is the IPSec tunnel the same as the SA?

A: The IPSec tunnel and the SA are different. The IPSec tunnel is bidirectional, while an SA is unidirectional and protects traffic in one direction only. An IPSec tunnel therefore consists of two SAs with opposite directions, one inbound and one outbound.

Q: What are guidelines for ACL used in IPSec?

A: The guidelines are as follows:

Only the data flows matching the ACL rules are protected; traffic that matches no permit rule is sent unprotected.

Configure the ACL to permit exactly the data flows that must be protected.

Avoid using the keyword any indiscriminately. A permit rule with any as source and destination selects all traffic for the IPSec policy, including traffic that was never meant to go through the tunnel.
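The following Python model, added here as an example and not code from the Nortel Secure Router or its documentation, evaluates sample flows against two crypto ACLs the way the guidelines above describe: a flow is protected only if the first rule it matches is a permit, and a flow matching no rule is not protected. It contrasts a specific ACL with one that uses the keyword any, and it also derives the mirror-image ACL that the peer is expected to apply, a general IPSec practice rather than a statement from this page. The rule syntax, subnets, and flows are constructed for illustration.

```python
"""Model of how an IPSec policy's ACL selects traffic for protection.

Added example, not the Nortel Secure Router's own code. Rule fields,
sample subnets and sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" (protect with IPSec) or "deny" (send in clear)
    src: str     # CIDR prefix, or "any" meaning 0.0.0.0/0
    dst: str     # CIDR prefix, or "any"


def _net(prefix):
    """Expand the keyword any to the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix)


def is_protected(acl, src_ip, dst_ip):
    """First-match evaluation: protected only if the first matching rule is a
    permit. A flow that matches no rule at all is not protected."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in _net(rule.src) and dst in _net(rule.dst):
            return rule.action == "permit"
    return False


def mirror(acl):
    """The ACL the peer is expected to apply: same rules, src/dst swapped,
    so that both ends agree on which flows belong to the tunnel."""
    return [Rule(r.action, r.dst, r.src) for r in acl]


# Constructed sample: a site-to-site policy between 10.1.0.0/16 and
# 10.2.0.0/16, written once precisely and once with the keyword any.
SPECIFIC_ACL = [Rule("permit", "10.1.0.0/16", "10.2.0.0/16")]
ANY_ACL = [Rule("permit", "any", "any")]

FLOWS = {
    "site-to-site": ("10.1.1.10", "10.2.1.20"),     # should be protected
    "to-internet": ("10.1.1.10", "198.51.100.7"),   # should not enter the tunnel
    "mgmt-to-router": ("10.1.1.10", "10.1.0.1"),    # local traffic, no peer
}


def compare_acls():
    """Map each sample flow to (protected by SPECIFIC_ACL, protected by ANY_ACL)."""
    return {name: (is_protected(SPECIFIC_ACL, *flow), is_protected(ANY_ACL, *flow))
            for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, (specific, any_acl) in compare_acls().items():
        print(f"{name:15s} specific={specific!s:5s} any={any_acl}")
    print("peer ACL:", mirror(SPECIFIC_ACL))
```

With the specific ACL only the site-to-site flow is selected; with the any/any ACL the Internet-bound flow and the local management flow are selected as well, even though no IPSec peer exists for them. The mirror() helper produces the rule the other router should carry, which is the check to make when both ends appear configured but the selected flows do not line up.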

Issue 01.01 (30 March 2009)

Nortel Networks Inc.

2-49
