Verifying the Configuration of Automatic IPsec SA Negotiation (IKE)

Verify the configurations of automatic IPsec SA negotiation (IKE).

Prerequisites

The IPsec tunnel in IKE automatic negotiation mode has been configured.

Procedure

  1. Check whether the IPsec VPN is available.

    In this example, intranet Device A and Device B are on two ends of an IPsec tunnel. Configure Device A to ping Device B.

    • If the ping succeeds, the IPsec VPN is established.

    • If the ping fails, the IPsec VPN is not established. This is because intranet or Internet routes are unavailable, or the IPsec configuration is incorrect.

  2. Check whether the route between each intranet device and the IPsec gateway is available, and whether the route between the IPsec gateways is available. If a route is unavailable, configure the route again. If the routes are available, check the IPsec configurations.
  3. Run the display ipsec statistics command to check statistics about packets encapsulated and decapsulated by IPsec.
  4. Run the display ike sa [ remote ip-address | verbose { remote ip-address | conn_id connid slot slot-id | peer peer-name [ identity identity ] } | slot slot-id | peer peer-name [ identity identity ] ] command to check SA establishment information.
  5. If an SA is not established, run the following commands in the user view to check the IPsec configurations.

    1. Run the display ike proposal command to check IKE proposal configurations. Ensure that the same encryption algorithm, authentication method, authentication algorithm, and DH group ID are configured on both ends of the IPsec tunnel.
    2. Run the display ike peer [ name peer-name | brief ] command to check IKE peer configurations. Ensure that the same IKE version and authentication mode are configured on both ends of the IPsec tunnel.
    3. Run the display ipsec proposal command to check IPsec proposal configurations. Ensure that the same encapsulation mode, security protocol, encryption algorithm, and authentication algorithm are configured on both ends of the IPsec tunnel.
    4. Run the display ipsec policy-template [ brief | name policy-template-name [ seq-number ] ] command to check information about an IPsec policy template.
    5. Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to check information about an IPsec policy.
    6. Run the display ipsec sa command to check SA configurations. Ensure that the SA configurations on both ends of the IPsec tunnel match.
  6. Run the display ike statistics { all | msg | v2 } [ slot slot-id ] command to check IKE packet statistics.
  7. Run the display ike offline history [ peer-ip peer-ip [ vpn-instance-name vpn-instance-name ] [ port port ] ] [ slot slot-id ] command to check historical IKE SA logout information.
  8. Run the display ike error history [ peer-ip peer-ip [ vpn-instance-name vpn-instance-name ] [ port port ] ] [ slot slot-id ] command to check information about IKE SA negotiation failures.
  9. Run the display ipsec sa-expire statistics command to check statistics about expired SAs.
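The consistency checks in steps 5.1 to 5.3, as an added example that is not part of this Huawei documentation: a simplified Python model in which each end offers one or more proposals, negotiation succeeds only if some pair agrees on every listed attribute, and otherwise the closest pair's differing attributes are reported. The attribute names and configuration values are constructed and are not output of the display commands.

```python
from itertools import product

# Attributes that must agree on both ends, as the procedure lists them.
IKE_PROPOSAL_KEYS = ("encryption", "auth_method", "auth_algorithm", "dh_group")
IKE_PEER_KEYS = ("ike_version", "auth_mode")
IPSEC_PROPOSAL_KEYS = ("encapsulation", "protocol", "encryption", "auth_algorithm")

def negotiate(local, remote, keys):
    """Return (matched_pair, mismatch_report).

    local/remote are lists of proposal dicts. The first pair agreeing on every
    key is returned with an empty report. If no pair agrees, the report shows,
    for the closest pair, each differing attribute as (local, remote).
    """
    best = None
    for l, r in product(local, remote):
        diffs = {k: (l.get(k), r.get(k)) for k in keys if l.get(k) != r.get(k)}
        if not diffs:
            return (l, r), {}
        if best is None or len(diffs) < len(best):
            best = diffs
    return None, best

def check_tunnel(a, b):
    """Apply the IKE proposal, IKE peer and IPsec proposal checks; return
    check name -> mismatch report (empty report means that check passed)."""
    checks = (("ike_proposal", IKE_PROPOSAL_KEYS), ("ike_peer", IKE_PEER_KEYS),
              ("ipsec_proposal", IPSEC_PROPOSAL_KEYS))
    return {name: negotiate(a[name], b[name], keys)[1] for name, keys in checks}

# Constructed configuration for the two ends; Device B's DH group differs.
DEVICE_A = {
    "ike_proposal": [{"encryption": "aes-256", "auth_method": "pre-share",
                      "auth_algorithm": "sha2-256", "dh_group": "group14"}],
    "ike_peer": [{"ike_version": "v2", "auth_mode": "pre-share"}],
    "ipsec_proposal": [{"encapsulation": "tunnel", "protocol": "esp",
                        "encryption": "aes-256", "auth_algorithm": "sha2-256"}],
}
DEVICE_B = {
    "ike_proposal": [{"encryption": "aes-256", "auth_method": "pre-share",
                      "auth_algorithm": "sha2-256", "dh_group": "group2"}],
    "ike_peer": [{"ike_version": "v2", "auth_mode": "pre-share"}],
    "ipsec_proposal": [{"encapsulation": "tunnel", "protocol": "esp",
                        "encryption": "aes-256", "auth_algorithm": "sha2-256"}],
}

if __name__ == "__main__":
    for check, report in check_tunnel(DEVICE_A, DEVICE_B).items():
        print(check, "OK" if not report else f"MISMATCH {report}")
```

With the constructed input, only the IKE proposal check reports a mismatch (the DH group), which is the setting step 5.1 tells the operator to align.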
Copyright © Huawei Technologies Co., Ltd.