Troubleshooting ike, Verifying the configuration – H3C Technologies H3C S12500-X Series Switches User Manual
Page 176
164
[SwitchB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[SwitchB-ike-profile-profile1] quit
# Create an IPsec policy entry, and specify the IPsec policy name as use1, the sequence number
as 10, and the IPsec SA setup mode as IKE.
[SwitchB] ipsec policy use1 10 isakmp
# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.
[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
# Reference ACL 3101 to identify the traffic to be protected.
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
# Reference IPsec transform set tran1 for the IPsec policy.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Specify IKE profile profile1 for the IPsec policy.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Specify the card in slot 1 to forward the traffic for VLAN-interface 1.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] service slot 1
# Apply IPsec policy use1 to VLAN-interface 1.
[SwitchB-Vlan-interface1] ipsec apply policy use1
256B
Verifying the configuration
When there is traffic between Switch A and Switch B, IKE negotiation is triggered.
114B
Troubleshooting IKE
257B
IKE negotiation failed because no matching IKE proposals
were found
480B
Symptom
1.
The IKE SA is in Unknown state.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 192.168.222.5 Unknown IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
2.
When IKE event debugging and packet debugging are enabled, the following messages appear:
IKE event debugging message:
The attributes are unacceptable.
IKE packet debugging message:
Construct notification packet: NO_PROPOSAL_CHOSEN.