302
# Reference IKE peer peer.
[SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy to VLAN-interface 1.
[SwitchB-Vlan-interface1] ipsec policy use1
Verifying the configuration
After the above configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation with
Switch B when receiving the first packet. IKE proposal matching starts with the one having the highest
priority. During the matching process, lifetime is not involved but it is determined by the IKE negotiation
parties.
Troubleshooting IKE
When you configure parameters to establish an IPsec tunnel, enable IKE error debugging to locate
configuration problems:
<Switch> debugging ike error
Invalid user ID
Symptom
Invalid user ID.
Analysis
In IPsec, user IDs are used to identify data flows and to set up different IPsec tunnels for different data
flows. Now, the IP address and username are used as the user ID.
The following is the debugging information:
got NOTIFY of type INVALID_ID_INFORMATION
Or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
Solution
Check that the ACLs in the IPsec policies configured on the interfaces at both ends are compatible.
Configure the ACLs to mirror each other. For more information about ACL mirroring, see the chapter
"IPsec configuration."
Proposal mismatch
Symptom
The proposals mismatch.
Analysis
The following is the debugging information:
got NOTIFY of type NO_PROPOSAL_CHOSEN
Or
drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN
To Next Page
Loading...
Need help?
General