Title: What can I do if I fail to configure the IPsec VPN on the Reyee EG?
Author: zhangqiao@ruiji Time: 2024-11-14 15:19
Cause Analysis:
1. Check whether the devices at both ends have obtained a public IP address
(If the address is a public one, you can ping the management IP address of the device even when you are not on its local network. Note, however, that some ISPs block ping.)
2. Check whether the branch and HQ devices can ping each other
Also check whether each of them can ping 8.8.8.8 (you can use the Network Tools on the device).
Note: Check whether ping is disabled on the device at either end.
4. Check whether the upstream network allows the relevant port traffic
Use packet capture on the EG to confirm that the VPN packets are being sent normally and that the expected replies are being received. If packets are sent but no replies arrive, the customer needs to contact their ISP or check whether the uplink device permits IPsec VPN traffic on UDP port 500 and UDP port 4500.
Root Cause:
The device cannot connect to the network, or the HQ (branch) device is behind a secondary NAT
The IPsec VPN configuration does not match (pre-shared key, exchange version, etc.)
The local IDs do not match between the HQ and the branch
The uplink device is not passing the VPN port traffic
Solution:
1. If a device cannot access the network:
Check the WAN port configuration: whether the device has obtained a public IP address (PPPoE/DHCP/static) and whether a VLAN tag needs to be configured. If the device still cannot access the network, confirm with the ISP that there is no network issue.
2. If a device works behind a secondary NAT and has not obtained a public IP address:
For example, when a device only acquires a private IP address, port mapping must be configured on the upstream device to forward the VPN ports to the downstream device.
Additionally, you may need to set up a DMZ on the upstream device to forward all ports to the downstream device. Port mapping: this is configured on the upstream device, not on the device that has obtained the private address.
The following is the port mapping configuration, which is similar to the port mapping configuration of other manufacturers.
3. Compare and revise the relevant configuration against the following reference configuration:
Pay particular attention to the following error-prone items:
1) The pre-shared key must match on both ends
2) The transform set must be configured consistently on both ends
3) The IKE version must match (IKEv1/IKEv2)
4) The interesting traffic (the protected subnets) must match on both ends
4. Revise the local ID configuration so that it matches on both sides.
5. The customer needs to contact the ISP to allow the relevant port traffic.
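As an added example (not from the Ruijie post and not the EG's own tool), the following Python script compares the settings entered on the HQ and branch ends for the error-prone items above: pre-shared key, transform set, IKE version, interesting traffic and the local/remote ID pair. The field names and the sample values are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass
class IpsecPeer:
    """One end of the site-to-site tunnel (field names are constructed for this example)."""
    name: str
    ike_version: str                       # "IKEv1" or "IKEv2"
    psk: str                               # pre-shared key, compared byte for byte
    transform_set: Tuple[str, str, str]    # (encryption, integrity, DH group)
    local_id: str
    remote_id: str
    local_subnets: List[str]               # interesting traffic protected on this side
    remote_subnets: List[str]              # subnets expected behind the peer


def _nets(subnets: List[str]) -> set:
    # strict=False so "192.168.1.1/24" and "192.168.1.0/24" compare equal
    return {ip_network(s, strict=False) for s in subnets}


def check_peers(hq: IpsecPeer, br: IpsecPeer) -> List[str]:
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems = []
    if hq.psk != br.psk:
        problems.append("pre-shared key differs")
    if hq.transform_set != br.transform_set:
        problems.append(f"transform set differs: {hq.transform_set} vs {br.transform_set}")
    if hq.ike_version.upper() != br.ike_version.upper():
        problems.append(f"IKE version differs: {hq.ike_version} vs {br.ike_version}")
    # Interesting traffic must mirror: what HQ protects locally is the branch's remote side.
    if _nets(hq.local_subnets) != _nets(br.remote_subnets):
        problems.append("HQ local subnets != branch remote subnets")
    if _nets(hq.remote_subnets) != _nets(br.local_subnets):
        problems.append("HQ remote subnets != branch local subnets")
    # Local IDs are cross-checked too: each side's local ID is the other side's remote ID.
    if hq.local_id != br.remote_id or br.local_id != hq.remote_id:
        problems.append("local/remote ID pair does not match")
    return problems


# Constructed sample with two mistakes typical of this ticket: a mistyped PSK and
# an extra subnet entered on only one side.
HQ = IpsecPeer("HQ", "IKEv2", "S3cret!", ("aes-256", "sha256", "group14"),
               "hq.example", "branch.example", ["10.0.0.0/24"], ["10.1.0.0/24"])
BRANCH = IpsecPeer("Branch", "ikev2", "S3cret", ("aes-256", "sha256", "group14"),
                   "branch.example", "hq.example", ["10.1.0.1/24"], ["10.0.0.0/24", "10.2.0.0/24"])
```

Calling check_peers(HQ, BRANCH) lists the two mismatches; once both ends agree it returns an empty list.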
Welcome to Ruijie Community (https://community.ruijienetworks.com/)