Configuring a peer public key – H3C Technologies H3C S12500-X Series Switches User Manual

167

Local IP: 192.168.222.5

Local ID type: IPV4_ADDR

Local ID: 192.168.222.5

Remote IP: 192.168.222.71

Remote ID type: IPV4_ADDR

Remote ID: 192.168.222.71

Authentication-method: PRE-SHARED-KEY

Authentication-algorithm: MD5

Encryption-algorithm: 3DES-CBC

Life duration(sec): 86400

Remaining key duration(sec): 85847

Exchange-mode: Main

Diffie-Hellman group: Group 1

NAT traversal: Not detected

# Verify that the IPsec policy is referencing an IKE profile.

[Sysname] display ipsec policy

-------------------------------------------

IPsec Policy: policy1

Interface: Vlan-interface1

-------------------------------------------

-----------------------------

Sequence number: 1

Mode: isakmp

-----------------------------

Description:

Security data flow: 3000

Selector mode: aggregation

Local address: 192.168.222.5

Remote address: 192.168.222.71

Transform set: transform1

IKE profile: profile1

SA duration(time based):

SA duration(traffic based):

SA idle time:

2.

Verify that the ACL referenced by the IPsec policy is correctly configured. If the flow range defined
by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching

will fail.
For example, if the initiator's ACL defines a flow from one network segment to another but the
responder's ACL defines a flow from one host to another host, IPsec proposal matching will fail.
# On the initiator:

[Sysname] display acl 3000

Advanced ACL 3000, named -none-, 2 rules,

ACL's step is 5

rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255