Solution – H3C Technologies H3C S6300 Series Switches User Manual
[Sysname] display acl 3000
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
3. Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured.
If, for example, the IPsec policy has no remote address configured, the IPsec SA negotiation will fail:
[Sysname] display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: Vlan-interface1
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: isakmp
-----------------------------
Description:
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address:
Transform set: transform1
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
Solution
1. If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, remove the reference.
2. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, modify the responder's ACL so the ACL defines a flow range equal to or greater than that of the initiator's ACL.
For example:
[Sysname] display acl 3000
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
3. Configure the missing settings (for example, the remote address).
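The flow-range comparison in step 2 can be checked offline from two "display acl" rule lines. This Python sketch is an added example, not part of the H3C manual or its tooling: the function names are hypothetical, it handles only "permit ip source ... destination ..." rules in the address/wildcard form shown on this page, and it assumes both rules are already written in the same direction.

```python
import ipaddress
import re

# Matches rule lines in the form printed by "display acl" on this page.
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def to_int(text):
    """Convert an address or wildcard to an integer; a bare 0 wildcard means host."""
    if text == "0":
        return 0
    return int(ipaddress.IPv4Address(text))

def parse_rule(line):
    """Return ((src_addr, src_wild), (dst_addr, dst_wild)) as integers."""
    m = RULE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognized ACL rule: {line!r}")
    src, src_w, dst, dst_w = (to_int(x) for x in m.groups())
    return (src, src_w), (dst, dst_w)

def field_covers(wide, narrow):
    """True if every address matched by `narrow` is also matched by `wide`."""
    (w_addr, w_wild), (n_addr, n_wild) = wide, narrow
    care = ~w_wild & 0xFFFFFFFF  # bits the wide rule actually checks
    # The narrow rule must pin every bit the wide rule checks,
    # and both rules must agree on the value of those bits.
    return (n_wild & care) == 0 and (w_addr & care) == (n_addr & care)

def flow_covers(responder_rule, initiator_rule):
    """True if the responder's flow range is equal to or greater than the initiator's."""
    r_src, r_dst = parse_rule(responder_rule)
    i_src, i_dst = parse_rule(initiator_rule)
    return field_covers(r_src, i_src) and field_covers(r_dst, i_dst)

# The two rule lines shown on this page: host-to-host and /24-to-/24.
HOST_RULE = "rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0"
SUBNET_RULE = ("rule 0 permit ip source 192.168.222.0 0.0.0.255 "
               "destination 192.168.222.0 0.0.0.255")
```

flow_covers(SUBNET_RULE, HOST_RULE) is true and the reverse is false, which is the condition step 2 asks the responder's ACL to satisfy.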