1. Run the display ike proposal command to check whether the authentication modes of the two IKE peers are consistent.
   - If the authentication modes are inconsistent, run the authentication-method command to change the authentication modes to be consistent.
   - If the authentication modes are consistent and are PRE_SHARED, run the pre-shared-key command in the IKE peer view to change the pre-shared keys of the two IKE peers to be consistent.
   - If the authentication modes are consistent and are RSA-SIGNATURE or DIGITAL-ENVELOPE, go to step 2.
2. Run the display clock command to check whether the system time of the two IKE peers is consistent. If not, run the clock datetime command in the user view to change the system time of the two IKE peers to be consistent.
3. Run the display pki certificate command to check whether the remote certificate has expired. If so, apply for a new remote certificate.
4. Run the display pki certificate command to check the local certificate and CA certificate and check whether the two certificates can form a complete certificate chain based on the issuer of the local certificate and subject of the CA certificate. If not, import the remote CA certificate.
5. When the remote certificate is validated based on CRL, run the display pki crl command to check whether the CRL has expired.
6. Collect required information and contact technical support personnel.

Run the display ipsec policy command to view security ACLs on both ends and then run the display acl command to check whether security ACL rules on both ends match. If not, run the rule command in the ACL view to change security ACL rules.

Run the display ike peer command to check whether IKE peer addresses on both ends match. View the Remote IP field and the remote device's local address. By default, the device uses the primary IP address of an interface as the local address. If not, run the remote-address command in the IKE peer view to change the remote address.

If IPSec negotiation is performed based on tunnel interfaces, view the destination address configured on the local tunnel interface and the remote address configured in the IKE peer view. If no destination address is configured on the local tunnel interface, enable the local device to use the remote address configured in the IKE peer view to initiate negotiation.
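The checks above can be run offline against values copied by hand from both devices before touching either configuration. The script below is an added example, not part of the original page or of any vendor tooling; the dictionary field names, the sample peers and the 60-second clock tolerance are assumptions, and the ACL comparison treats "match" as each side's rules being the mirror image of the other's.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

def acl_set(rules, mirror=False):
    """Parse (source, destination) rules; mirror=True swaps the two sides."""
    pairs = {(ip_network(s), ip_network(d)) for s, d in rules}
    return {(d, s) for s, d in pairs} if mirror else pairs

def diagnose(a, b, now, max_skew=timedelta(seconds=60)):
    """Run the page's checks in order on two peers and return the findings."""
    out = []
    if a["auth"] != b["auth"]:                      # step 1
        out.append("authentication-method differs")
    elif a["auth"] == "PRE_SHARED":
        if a["psk"] != b["psk"]:
            out.append("pre-shared-key differs")
    else:                                           # RSA-SIGNATURE / DIGITAL-ENVELOPE
        if abs(a["clock"] - b["clock"]) > max_skew:  # max_skew is an assumption
            out.append("system time differs")
        for me, peer in ((a, b), (b, a)):
            if peer["cert_not_after"] < now:
                out.append(f"{peer['name']}: certificate expired")
            if me["cert_issuer"] != me["ca_subject"]:
                out.append(f"{me['name']}: certificate chain incomplete")
            if me["crl_next_update"] < now:
                out.append(f"{me['name']}: CRL expired")
    # Security ACL rules match when one side is the mirror image of the other.
    if acl_set(a["acl"]) != acl_set(b["acl"], mirror=True):
        out.append("security ACL rules differ")
    # Each side's remote-address must equal the other side's local address.
    for me, peer in ((a, b), (b, a)):
        if me["remote_address"] != peer["local_address"]:
            out.append(f"{me['name']}: remote-address is not the peer's local address")
    return out

# Constructed sample peers; field names and values are assumptions.
NOW = datetime(2024, 1, 10, 12, 0)
HQ = {"name": "hq", "auth": "RSA-SIGNATURE", "clock": NOW,
      "cert_not_after": datetime(2025, 1, 1), "crl_next_update": datetime(2024, 2, 1),
      "cert_issuer": "CN=Example CA", "ca_subject": "CN=Example CA",
      "acl": [("10.1.0.0/16", "10.2.0.0/16")],
      "local_address": "192.0.2.1", "remote_address": "198.51.100.1"}
BRANCH = dict(HQ, name="branch", clock=NOW + timedelta(hours=3),
              cert_not_after=datetime(2023, 12, 31),
              acl=[("10.2.0.0/16", "10.1.0.0/24")],
              local_address="198.51.100.1", remote_address="192.0.2.9")

if __name__ == "__main__":
    print("\n".join(diagnose(HQ, BRANCH, NOW)))
```

The findings come back in the same order as the checks, so the first entry is the first thing to fix on the devices.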