Ruijie Community

Title: IKE security association (SA) negotiation fails at the first stage of IPsec VPN implementation.

Author: admin    Time: 2017-5-4 20:08
Title: IKE security association (SA) negotiation fails at the first stage of IPsec VPN implementation.
IKE security association (SA) negotiation fails at the first stage of IPsec VPN implementation.

Author: admin    Time: 2017-5-4 20:09
1. Check whether the correct peer is specified at the local end and at the peer end. (If a dynamic crypto map is used at the local end, no peer needs to be specified manually.)
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1 //The peer address must be the IP address of the interface on which the crypto map is configured at the peer end; it cannot be the loopback address.

2. Check whether the IP address of the crypto map interface configured at the peer end can be pinged from the local end, and vice versa.

3. Check whether both ends of the tunnel have consistent IKE security proposal configuration.

4. Check whether both ends of the tunnel have consistent pre-shared key configuration.

5. If the problem persists, run the following commands at the local end and peer end respectively, and submit a case on Ruijie Service Portal to seek help.
show version
show run
Run the following commands to enable debugging, trigger IPsec negotiation, and collect debugging information:
debug crypto isakmp
debug crypto ipsec

After negotiation, run the following commands to display the SA information at the first and second stages of IPsec VPN implementation:
show crypto isakmp sa
show crypto ipsec sa
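
The consistency checks in steps 1, 3 and 4, as an added example that is not part of the original post or Ruijie's own tooling: a Python script that compares the `show run` output of both ends. The helper names (`sample`, `parse`, `check`), the sample configuration and the Cisco-style `crypto isakmp policy` / `crypto isakmp key ... address` line syntax are assumptions; only statically configured peers are covered.

```python
import re

def sample(ip, peer, key, hash_alg):
    """Constructed `show run` excerpt (sample data; Cisco-style syntax is assumed)."""
    return f"""interface GigabitEthernet 0/0
 ip address {ip} 255.255.255.0
 crypto map mymap
crypto isakmp policy 10
 encryption 3des
 hash {hash_alg}
 authentication pre-share
crypto isakmp key 0 {key} address {peer}
crypto map mymap 10 ipsec-isakmp
 set peer {peer}
"""

def parse(cfg):
    """Pull the phase-1 relevant settings out of one end's running config."""
    out = {"peers": set(), "keys": {}, "policies": set(), "map_ips": set()}
    for block in re.split(r"\n(?=\S)", cfg.strip()):      # one top-level section each
        head, *body = [l.strip() for l in block.splitlines()]
        if head.startswith("interface ") and any(l.startswith("crypto map ") for l in body):
            out["map_ips"] |= {l.split()[2] for l in body if l.startswith("ip address ")}
        elif head.startswith("crypto isakmp policy "):
            out["policies"].add(frozenset(body))
        elif m := re.match(r"crypto isakmp key (?:\d+ )?(\S+) address (\S+)", head):
            out["keys"][m.group(2)] = m.group(1)
        elif head.startswith("crypto map "):
            out["peers"] |= {l.split()[2] for l in body if l.startswith("set peer ")}
    return out

def check(local, peer):
    """Findings for steps 1, 3 and 4; an empty list means the two ends agree."""
    a, b, found = parse(local), parse(peer), []
    for end, x, y in (("local", a, b), ("peer", b, a)):
        found += [f"step 1: {end} end sets peer {ip}, not a crypto map interface address"
                  for ip in sorted(x["peers"] - y["map_ips"])]
    if not a["policies"] & b["policies"]:
        found.append("step 3: no IKE policy is identical on both ends")
    for ip in sorted(a["peers"] & b["map_ips"]):
        for mine in sorted(b["peers"] & a["map_ips"]):
            ka, kb = a["keys"].get(ip), b["keys"].get(mine)
            if ka is None or ka != kb:     # key values are compared, never printed
                found.append(f"step 4: pre-shared key for {mine} <-> {ip} missing or different")
    return found

if __name__ == "__main__":
    print(check(sample("192.0.2.1", "1.1.1.1", "KeyA", "md5"),
                sample("1.1.1.1", "192.0.2.1", "KeyB", "sha")))
```

The policy comparison is line-for-line, so a parameter left at its default on one end and written out on the other is reported as a mismatch and should be checked by hand.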





