
IPSec Diagnosis

This section describes the IPSec diagnosis methods.

Use the following procedure to diagnose IPSec faults.

  1. Choose Monitor > Diagnosis Center.
  2. Click IPSec Diagnosis.

  3. Configure IPSec diagnosis.

    Based on the fault symptom, IPSec faults fall into two types:
    • The IPSec tunnel fails to be established (tunnel negotiation fails).
    • The service is abnormal after the IPSec tunnel is established (encrypted data flows fail to be forwarded).
    Accordingly, in Diagnosis Center > IPSec Diagnosis, the diagnosis object can be either Negotiate Tunnel or Data-Flow:
    • If the IPSec tunnel fails to be established, select Negotiate Tunnel as the diagnosis object.
    • If the service is abnormal after the IPSec tunnel is established, select Data-Flow as the diagnosis object.

    Table 1 IPSec diagnosis configuration items (Diagnose Object / Configuration Item / Note)

    Diagnose Object: Negotiate Tunnel

    IPSec Policy Name
      Name of an existing IPSec policy on which the diagnosis is based.

    Local Interface
      Automatically filled in with the name of the interface on which the IPSec policy selected in IPSec Policy Name is applied. If the IPSec policy is applied on multiple interfaces, you can select one of them for diagnosis from the drop-down list.
      NOTE: Diagnosis of an IPSec policy whose local interface is a tunnel interface is not supported.

    Diagnosis Mode
      Diagnosis mode, which can be Proactively Initiate Negotiation or Receive Packets from Peer:
      • Proactively Initiate Negotiation: applicable in local point-to-point scenarios where the IPSec policy has the peer address configured.
      • Receive Packets from Peer: not applicable when the IPSec policy of the peer device is configured in point-to-multipoint (template) mode.

    Peer Address
      Peer address. If the local IPSec policy does not have a peer address configured, enter the address of the peer interface used for IPSec tunnel negotiation.

    Diagnose Object: Data-Flow

    Source IP Address
      Source IP address. Encrypted data flows matching this source IP address are diagnosed.

    Destination IP Address
      Destination IP address. Encrypted data flows matching this destination IP address are diagnosed.

    Protocol
      Protocol type, which can be TCP or UDP. After you specify a protocol type, only encrypted data flows matching that protocol are diagnosed.

    Source Port
      Source port. Encrypted data flows matching this source port are diagnosed.

    Destination Port
      Destination port. Encrypted data flows matching this destination port are diagnosed.

  4. Click Diagnose to obtain the diagnosis information.
  5. Optional: Click Export to export the diagnosis information to the default path.

Follow-Up Procedure

Check the IPSec diagnosis information and troubleshoot the identified faults.

Depending on the diagnosis mode, the system provides different diagnosis items. A fault-free item is marked with a pass icon, and a faulty item is marked with a fault icon together with a reference solution in the Diagnosis Result column.

The diagnosis results that each IPSec diagnosis mode can return are listed in Table 2.

Table 2 Diagnosis results returned by each IPSec diagnosis mode (Diagnose Mode / Diagnose Item / Diagnose Result)

Diagnose Mode: Negotiate Tunnel

Security Policy
  In the P2P scenario, when the local device proactively initiates a tunnel negotiation packet, the diagnosis result includes only the name of the security policy that the packet matches and the policy action.
  You can click the security policy name to open the security policy configuration page.
  A maximum of five matching security policies can be displayed.

NAT Policy
  In the P2P scenario, when the local device proactively initiates a tunnel negotiation packet, the diagnosis result includes only the name of the NAT policy that the packet matches and the translation mode.
  You can click the NAT policy name to open the NAT policy configuration page.
  A maximum of five matching NAT policies can be displayed.

IPSec Policy on an Interface
  • Applied.
  • Not applied.

Negotiation Mode
  • Supported.
  • Not supported. Diagnosis supports only non-template IKE negotiation.

An IPSec sub-policy that can initiate negotiation is configured on the interface
  • Found.
  • Not found. (Possible causes: the negotiation mode is not supported, because diagnosis supports only non-template IKE negotiation; the action for local data flows is deny; or the flow does not match any ACL.)

IPSec Policy Configuration Completeness
  • The configuration is complete.
  • The configuration is not complete.
    NOTE: The possible detailed reasons are as follows:
    • The IPSec policy is not applied on the interface.
    • No pre-shared key is configured.
    • The certificate is not configured.
    • No route destined for the peer IP address exists.
    • The local IP address is configured incorrectly.

Negotiation Result in Phase 1
  • No IPSec policy is applied to the interface that sends packets to the IP address of the peer gateway.
  • No matched IKE peer is found because the peer gateway address, exchange mode, IKE version, or peer ID is incorrectly configured.
  • Authentication fails because some settings of the certificate, pre-shared key, or remote name do not match.
  • Timeout. The peer does not return any negotiation failure message (possible cause: the exchange mode, IKE version, encapsulation mode, encryption algorithm, authentication algorithm, DH group, or integrity algorithm does not match), or the route is unreachable.
  NOTE: Only four possible diagnosis results are listed here. Troubleshoot according to the actual diagnosis result and the reference solution it provides.

Negotiation Result in Phase 2
  • Negotiation succeeded.
  • The tunnel already exists.
  • The data flow configuration is multi-flow, which IKEv1 does not support. Verify the data flow configuration.
  • Timeout. The peer does not return any negotiation failure message (possible cause: the encapsulation mode, encryption algorithm, authentication algorithm, DH group, or integrity algorithm does not match), or the route is unreachable.
  NOTE: Only four possible diagnosis results are listed here. Troubleshoot according to the actual diagnosis result and the reference solution it provides.
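The following is an added illustration of the checks behind the Completeness, Phase 1 and Phase 2 items above, written to show how a pre-check on both gateways' configuration lands in the same result categories; it is example code, not Huawei's, and the dict layout, key names and all sample values are constructed assumptions.

```python
import ipaddress
# Added example (not Huawei code): offline pre-check mirroring Table 2's completeness and Phase 1/2 items.
IKE_PROPOSAL = ("encryption", "authentication", "dh_group", "integrity")

def completeness_reasons(local):
    """Reasons listed under 'The configuration is not complete.'"""
    peer_ip = ipaddress.ip_address(local["peer_address"])
    checks = [
        (not local.get("applied_interface"), "The IPSec policy is not applied on the interface."),
        (local["auth_method"] == "pre-shared-key" and not local.get("pre_shared_key"),
         "No pre-shared key is configured."),
        (local["auth_method"] == "certificate" and not local.get("certificate"),
         "The certificate is not configured."),
        (not any(peer_ip in ipaddress.ip_network(r) for r in local["routes"]),
         "No route destined for the peer IP address exists."),
    ]
    return [msg for failed, msg in checks if failed]

def mismatched(a, b, keys):
    """Keys whose values differ between the two sides."""
    return [k for k in keys if a.get(k) != b.get(k)]

def diagnose(local, peer):
    """Return (diagnosis result, details), checked in the order Table 2 lists them."""
    li, pi = local["ike"], peer["ike"]
    steps = [
        ("The configuration is not complete.", completeness_reasons(local)),
        ("No matched IKE peer is found.",
         mismatched(li, pi, ("exchange_mode", "ike_version"))
         + (["peer gateway address"] if local["peer_address"] != peer["local_address"] else [])
         + (["peer id"] if li["peer_id"] != pi["local_id"] else [])),
        ("Phase 1 timeout: proposal mismatch.", mismatched(li, pi, IKE_PROPOSAL)),
        ("Multi-flow data flows are not supported with IKEv1.",
         ["flows"] if li["ike_version"] == "v1" and len(local["flows"]) > 1 else []),
        ("Phase 2 timeout: proposal mismatch.",
         mismatched(local["ipsec"], peer["ipsec"], ("encapsulation",) + IKE_PROPOSAL)),
    ]
    return next(((r, d) for r, d in steps if d), ("Negotiation succeeded.", []))

# Constructed sample: the peer offers a different IKE DH group
PROPOSAL = {"encryption": "aes-256", "authentication": "sha2-256",
            "dh_group": "group14", "integrity": "hmac-sha2-256"}
LOCAL = {"applied_interface": "GigabitEthernet1/0/1", "auth_method": "pre-shared-key",
         "pre_shared_key": "example-psk", "peer_address": "203.0.113.2",
         "routes": ["203.0.113.0/24"], "flows": ["acl 3000"],
         "ike": {"exchange_mode": "main", "ike_version": "v2", "peer_id": "hq-gw", **PROPOSAL},
         "ipsec": {"encapsulation": "tunnel", **PROPOSAL}}
PEER = {"local_address": "203.0.113.2", "ipsec": {"encapsulation": "tunnel", **PROPOSAL},
        "ike": {"exchange_mode": "main", "ike_version": "v2", "local_id": "hq-gw",
                **PROPOSAL, "dh_group": "group2"}}
```

With the sample above, `diagnose(LOCAL, PEER)` stops at the Phase 1 step and names `dh_group` as the mismatched parameter; correcting the peer's DH group lets the checks run through to "Negotiation succeeded."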

Diagnose Mode: Data-Flow

Security Policy
  The diagnosis result includes the name of the security policy that the data flow to be encrypted matches by 5-tuple, and the policy action.
  You can click the security policy name to open the security policy configuration page.
  A maximum of five matching security policies can be displayed.

NAT Policy
  The diagnosis result includes the name of the NAT policy that the data flow to be encrypted matches by 5-tuple, and the translation mode.
  You can click the NAT policy name to open the NAT policy configuration page.
  A maximum of five matching NAT policies can be displayed.

Interface Status
  • Physical status: Up; Protocol status: Up
  • Physical status: Up; Protocol status: Down
  • Physical status: Down; Protocol status: Down

IPSec Policy on an Interface
  • Applied.
  • Not applied.

IPSec Policy Matching Data Flow
  • Not found. (Possible causes: the negotiation mode is not supported, since diagnosis supports only non-template IKE negotiation; or the data flow to be diagnosed does not match the one configured on the local end.)
  • The name of the matching IPSec policy.
Copyright © Huawei Technologies Co., Ltd.