Verifying the configuration, Troubleshooting ike, Symptom – H3C Technologies H3C S6300 Series Switches User Manual

261

# Specify the plaintext abcde as the pre-shared key to be used with the remote peer at 1.1.1.1.

[SwitchB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key

simple 12345zxcvb!@#$%ZXCVB

[SwitchB-ike-keychain-keychain1] quit

# Create IKE profile profile1.

[SwitchB] ike profile profile1

# Specify IKE keychain keychain1

[SwitchB-ike-profile-profile1] keychain keychain1

# Configure a peer ID with the identity type of IP address and the value of 1.1.1.1.

[SwitchB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0

[SwitchB-ike-profile-profile1] quit

# Create an IPsec policy entry, and specify the IPsec policy name as use1, the sequence number
as 10, and the IPsec SA setup mode as IKE.

[SwitchB] ipsec policy use1 10 isakmp

# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.

[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1

# Reference ACL 3101 to identify the traffic to be protected.

[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101

# Reference IPsec transform set tran1 for the IPsec policy.

[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1

# Specify IKE profile profile1 for the IPsec policy.

[SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1

[SwitchB-ipsec-policy-isakmp-use1-10] quit

# Apply IPsec policy use1 to VLAN-interface 1.

[SwitchB] interface vlan-interface 1

[SwitchB-Vlan-interface1] ipsec apply policy use1

Verifying the configuration

When there is traffic between Switch A and Switch B, IKE negotiation is triggered.

Troubleshooting IKE

IKE negotiation failed because no matching IKE proposals

were found

Symptom

1.

The IKE SA is in Unknown state.

display ike sa

Connection-ID Remote Flag DOI

------------------------------------------------------------------

1 192.168.222.5 Unknown IPSEC

Flags:

RD--READY RL--REPLACED FD-FADING