3Com 10014299 Network Router User Manual


 
594 CHAPTER 41: CONFIGURING IKE
for protecting different data streams. At present, we use the user IP address to
identify the user.
got NOTIFY of type INVALID_ID_INFORMATION
or
drop message from X.X.X.X due to notification type INVALID_ID_INFORMATION
Check whether the ACLs referenced by the ipsec policy configured on the
interfaces at both ends are compatible. It is recommended that the ACLs at the
two ends mirror each other.
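The mirroring check recommended above can be run offline before either router is changed. This Python sketch is an added example, not part of the 3Com manual; the rule lists are constructed samples written as (source, destination) CIDR pairs, an assumed simplification rather than the router's ACL syntax.

```python
import ipaddress

# Constructed sample rules, (source, destination) as seen from each router.
LOCAL_RULES = [("10.1.1.0/24", "10.1.2.0/24"), ("10.1.3.0/24", "10.1.2.0/24")]
PEER_RULES = [("10.1.2.0/24", "10.1.1.0/24"), ("10.1.2.0/24", "10.1.0.0/16")]


def normalize(rules):
    """Convert (source, destination) CIDR strings into a set of network pairs."""
    return {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in rules}


def mirror_mismatches(local_rules, peer_rules):
    """Return (local_unmatched, peer_unmatched).

    local_unmatched: local (src, dst) rules with no (dst, src) rule on the peer.
    peer_unmatched:  peer (src, dst) rules with no (dst, src) rule locally.
    """
    local = normalize(local_rules)
    mirrored_peer = {(d, s) for s, d in normalize(peer_rules)}
    local_unmatched = sorted(local - mirrored_peer, key=str)
    # Swap back so the result is reported in the peer's own orientation.
    peer_unmatched = sorted(((d, s) for s, d in mirrored_peer - local), key=str)
    return local_unmatched, peer_unmatched


def overlapping_candidates(rule, peer_rules):
    """Peer rules that overlap the reversed rule without mirroring it exactly.

    These are the peer entries to compare first when a local rule is unmatched.
    """
    src, dst = rule
    hits = []
    for p_src, p_dst in normalize(peer_rules):
        exact = (p_src, p_dst) == (dst, src)
        if not exact and p_src.overlaps(dst) and p_dst.overlaps(src):
            hits.append((p_src, p_dst))
    return sorted(hits, key=str)


if __name__ == "__main__":
    local_bad, peer_bad = mirror_mismatches(LOCAL_RULES, PEER_RULES)
    for rule in local_bad:
        print("local rule without mirror:", rule[0], "->", rule[1])
        for cand in overlapping_candidates(rule, PEER_RULES):
            print("  overlapping peer rule:", cand[0], "->", cand[1])
    for rule in peer_bad:
        print("peer rule without mirror:", rule[0], "->", rule[1])
```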
Unmatched policy
Enable the debugging ike error command to see the debugging information.
got NOTIFY of type NO_PROPOSAL_CHOSEN
or
drop message from X.X.X.X due to notification type NO_PROPOSAL_CHOSEN
The two negotiating parties have no matching policy. Check the protocol used by
the ipsec policy configured on the interfaces of both parties, and verify that
the encryption algorithm and authentication algorithm are the same.
Unable to establish security channel
Follow these steps:
Check whether the network is stable and whether the security channel has been
properly established. You may encounter the following situation: the two
parties cannot communicate over the existing security channel, even though the
access control lists of both parties are properly configured and there is a
matching policy. This is generally caused by one party restarting its router
after the security channel was established.
Use the command display ike sa to check whether both parties have established
a Phase 1 SA.
Use the command display ipsec sa policy to check whether the ipsec policy on
the interface has established an IPSec SA.
If the two results above show that one party has an SA but the other does not,
use the command reset ike sa to clear the faulty SA and restart negotiation.