Please select To the mobile version | Continue to access the desktop computer version
 Forgot password?
 Register now


Router

View: 4479|Reply: 1

IKE security association (SA) negotiation fails at the first stage of IPsec VPN implementation.

[Copy link]

14

Digests

1028

Posts

1161

Credits

administrator

Rank: 9Rank: 9Rank: 9

Credits
1161
Post time 2017-5-4 20:08:15 | Show all posts |Read mode
IKE security association(SA) negotiation fails at the first stage of IPsec VPN implementation.
Reply

Use magic Report

14

Digests

1028

Posts

1161

Credits

administrator

Rank: 9Rank: 9Rank: 9

Credits
1161
 Author| Post time 2017-5-4 20:09:07 | Show all posts
1. Check whether the correct peers are specified at the local end and peer end respectively. (If a dynamic diagram is used at the local end, no peer needs to be specified manually.)
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1 //The IP address of the peer end must be the IP address of the crypto map interface configured at the peer end, and cannot be the loopback address.

2. Check whether the IP address of the crypto map interface configured at the peer end can be pinged from the local end, and vice versa.

3. Check whether both ends of the tunnel have consistent IKE security proposal configuration.

4. Check whether both ends of the tunnel have consistent pre-share key configuration.

5. If the problem persists, run the following commands at the local end and peer end respectively, and submit a case on Ruijie Service Portal to seek for help.
sh version
show run
Run the following commands to enable debugging, trigger IPsec negotiation, and collect debugging information:
debug crypto iskamp
debug crypto ipsec

After negotiation, run the following commands to display the SA information at the first and second stages of IPsec VPN implementation:
show crypto iskamp sa
show crypto ipsec sa

Reply Support Not support

Use magic Report

You have to log in before you can reply Login | Register now