Router User Manual

2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-42 Nortel Networks Inc. Issue 01.01 (30 March 2009)
Use the display ipsec proposal name command to check whether the IPSec proposals specified
on the two ends are the same.
<RouterA> display ipsec proposal name tran1
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication sha1-hmac-96, encryption des
Use the preceding command on Router A and Router B to view the constraint conditions. If
the IPSec proposals are correct, continue with the following steps.
Step 6 Check that IPSec can encapsulate or decapsulate inbound and outbound packets.
Use the debugging ipsec packet command to check whether IPSec can encapsulate or decapsulate
packets.
You can also use the display ipsec statistics command to view IPSec statistics. See the
troubleshooting procedure for “Troubleshooting ISAKMP SA.”
Step 7 Check that the IPSec tunnel ends in the external and internal NAT networks are routable.
If Router B has no route to 10.1.1.0/24, use the debugging ipsec packet and the display ipsec
statistics commands to determine the following:
- Router A can send the encapsulated IPSec packets but cannot decapsulate packets.
- Router B can receive and decapsulate IPSec packets but cannot encapsulate packets.
In this case, you need to specify a route to 10.1.1.0/24 on Router B.
In the internal NAT network, Router A uses the private IP address. It is not advisable to configure a
private route from Router B to Router A. In an actual application, PC A and PC B are configured with
loopback addresses.
If the fault persists, contact Nortel technical support.
----End
2.6 Troubleshooting GRE over IPSec or L2TP over IPSec
This section covers the following topics:
- Typical networking
- Configuration notes
- Troubleshooting flowchart
- Troubleshooting procedure
2.6.1 Typical networking
The basic concepts of GRE over IPSec and L2TP over IPSec are the same: packets are first
encapsulated with GRE or L2TP and then with IPSec. The processing of IPSec packets
and common IP packets is almost the same. In practice, IPSec packets are the data transmitted
between the two IPSec tunnel ends.
Figure 2-12 shows GRE over IPSec. The troubleshooting procedure is based on this diagram.