Huawei v200r001 user manual Problem 1 Invalid user ID information


User Manual - Configuration Guide (Volume 3)

Chapter 5

Versatile Routing Platform

Configuration of IKE

Problem 1: Invalid user ID information

Troubleshooting: please follow the steps below.

User ID information is the data that the user originating IPSec communication uses to identify itself. In practical applications, the user ID can be used to establish different security paths for protecting different data streams. At present, the user's IP address is used to identify the user.

got NOTIFY of type INVALID_ID_INFORMATION

or

drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION

Check whether the ACL contents in the cryptomap configured on the interfaces at both ends are compatible. It is recommended that the ACLs at both ends be configured to mirror each other.
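
The mirror check recommended above can be run offline against saved copies of both configurations. The following Python code is an added example, not part of the Huawei manual; the access-list line format it parses is a simplified assumption, and the two sample configurations are constructed.

```python
import ipaddress

# Constructed sample configurations. Assumed, simplified line format:
# access-list <number> <permit|deny> ip <src> <src-wildcard> <dst> <dst-wildcard>
ROUTER_A = """
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
"""
ROUTER_B = """
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.3.0 0.0.0.127 10.1.1.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert an address plus contiguous wildcard mask into an IPv4 network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is all ones in its low bits
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acl(text):
    """Return the set of (action, source, destination) rules found in text."""
    rules = set()
    for line in text.splitlines():
        f = line.split()
        # Lines that do not match the assumed format are skipped.
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            continue
        rules.add((f[2],
                   wildcard_to_network(f[4], f[5]),
                   wildcard_to_network(f[6], f[7])))
    return rules


def unmirrored(local, remote):
    """Rules in local with no rule in remote that swaps source and destination."""
    remote_rules = parse_acl(remote)
    missing = [r for r in parse_acl(local)
               if (r[0], r[2], r[1]) not in remote_rules]
    return sorted(missing, key=str)


if __name__ == "__main__":
    for name, here, there in (("A", ROUTER_A, ROUTER_B),
                              ("B", ROUTER_B, ROUTER_A)):
        for action, src, dst in unmirrored(here, there):
            print(f"router {name}: {action} {src} -> {dst} has no mirror on the peer")
```

In the constructed sample, the second rule on each side differs only in one wildcard mask (a /24 against a /25), which is enough for the two ACLs not to mirror each other.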

Problem 2: Unmatched policy

Troubleshooting: please follow the steps below.

Enable the debug ike error command to see the debugging information.

got NOTIFY of type NO_PROPOSAL_CHOSEN

or

drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN

The two negotiating parties have no matched policy. Check the protocol used by the cryptomap configured on the interfaces of both parties to see whether the encryption algorithm and authentication algorithm are the same.

Problem 3: Unable to establish security channel

Troubleshooting: please follow the steps below.

Check whether the network is stable and whether the security channel is established correctly. Sometimes a security channel exists but communication is not possible, even though the ACLs of both parties have been checked and are configured correctly and there is a matched policy. In this case, the problem is usually caused by the restart of one router after the security channel is established.

Solution:

1) Use the command show crypto ike sa to check whether both parties have established SA of Phase 1.

2) Use the command show crypto ipsec sa map to check whether the cryptomap on the interface has established IPSec SA.

3) If the above two results show that one party has SA but the other does not, then use the command clear crypto ike sa to clear the SA with error and re-originate negotiation.

Huawei V200R001 manual, Manual Version T2-080168-20011213-C-1.5, BOM 31010868