Debugging ike error – Panasonic 8000 User Manual
2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
The packets are sent from the interface that uses the IPSec policy group. The packets match
the ACL used in policy map2-10, so they should be protected by IPSec. The corresponding
SA, however, is still under IKE negotiation, so the packets are dropped.
---- Send IPSec packet -----------
Tunnel mode. Adding outer IP header succeed!
Src: 202.38.163.1 Dst: 202.38.162.1 SPI:1156810487 (0x44f386f7)
New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96
Authentication finished! New ESP(RFC2406)
Encryption finished! New ESP(RFC2406) SN:1
Now send it to IP output process ...
The display indicates:
• IPSec encapsulation type: tunnel mode
• Source and destination addresses of the outer IP header: 202.38.163.1 and 202.38.162.1
• SPI: 0x44f386f7
• ESP protocol, DES encryption algorithm, and MD5 authentication algorithm
• After encryption and authentication are complete, the encapsulated packet is sent as an IP datagram.
---- Receive IPSec(ESP) packet---------------
Src: 202.38.162.1 Dst: 202.38.163.1 SPI:1918468181 (0x72598055)
New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96
Replay Checking Enabled! SN:1
ESP new input: Authentication succeed!
Decryption succeed!
Tunnel mode. Org Src: 10.1.2.2 Org Dst: 10.1.1.2
Now send it to IP input process
The preceding display indicates:
• Source and destination addresses of the outer header of the received ESP packet: 202.38.162.1 and 202.38.163.1
• SPI: 0x72598055
• Anti-replay check: SN:1
• Encryption algorithm: DES
• Authentication algorithm: MD5
• The ESP payload is decrypted with DES after MD5 authentication succeeds
• After the ESP packet is decapsulated, the original IP packet is displayed, with source and destination addresses 10.1.2.2 and 10.1.1.2.
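As an added example that is not part of the Nortel manual, the following Python parses one receive-side debug record in the format shown above (the sample input is constructed from it) and models the anti-replay check that the "Replay Checking Enabled! SN:1" line refers to, as an RFC 2406 style sliding window of 64 sequence numbers; the field names and the window implementation are assumptions of this example, not the router's own code.

```python
import re
# Constructed sample in the format of the receive-side debug output shown above.
SAMPLE_DEBUG = """\
---- Receive IPSec(ESP) packet---------------
Src: 202.38.162.1 Dst: 202.38.163.1 SPI:1918468181 (0x72598055)
New ESP(RFC2406) Enc Alg:DES Auth Alg:HMAC-MD5-96
Replay Checking Enabled! SN:1
ESP new input: Authentication succeed!
Decryption succeed!
Tunnel mode. Org Src: 10.1.2.2 Org Dst: 10.1.1.2
"""

def parse_esp_receive(text):
    """Pull the fields a troubleshooter reads from one received-ESP debug record."""
    f = {}
    m = re.search(r"Src:\s*(\S+)\s+Dst:\s*(\S+)\s+SPI:(\d+)\s*\((0x[0-9a-fA-F]+)\)", text)
    if m:
        f["outer_src"], f["outer_dst"], f["spi"] = m.group(1), m.group(2), int(m.group(3))
        # Decimal and hex SPI must agree; a mismatch means the capture was mangled.
        f["spi_consistent"] = f["spi"] == int(m.group(4), 16)
    m = re.search(r"Enc Alg:(\S+)\s+Auth Alg:(\S+)", text)
    if m:
        f["enc_alg"], f["auth_alg"] = m.group(1), m.group(2)
    m = re.search(r"SN:(\d+)", text)
    if m:
        f["sn"] = int(m.group(1))
    m = re.search(r"Org Src:\s*(\S+)\s+Org Dst:\s*(\S+)", text)
    if m:
        f["inner_src"], f["inner_dst"] = m.group(1), m.group(2)
    f["auth_ok"] = "Authentication succeed" in text
    f["decrypt_ok"] = "Decryption succeed" in text
    return f

class ReplayWindow:  # RFC 2406 style anti-replay window over ESP sequence numbers
    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0  # bit i => SN (last - i) seen
    def accept(self, sn):  # True if sn is new and inside the window; False = drop
        if sn == 0:
            return False                    # SN 0 is never valid for ESP
        if sn > self.last:                  # newer than anything seen: slide the window
            shift = sn - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = sn
            return True
        diff = self.last - sn
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                    # too old, or a replay of a seen SN
        self.bitmap |= 1 << diff
        return True
```

Feeding the parsed "sn" of each record into one ReplayWindow per SA reproduces which packets the receiver's replay check would drop.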
debugging ike error
got NOTIFY of type INVALID_ID_INFORMATION
or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
The preceding display indicates that the peer rejected the ID payload as invalid. The ID identifies the data that the tunnel protects, so in actual
deployments you need to set up separate tunnels to protect different data flows from specified
users.
2-60
Nortel Networks Inc.
Issue 01.01 (30 March 2009)