Failure to establish an IPsec tunnel
Symptom
The expected IPsec tunnel cannot be established.
Analysis
Sometimes this may happen that an IPsec tunnel cannot be established or there is no way to communicate in the presence of an IPsec tunnel in an unstable network. According to examination results, however, ACLs of both parties are configured correctly, and IKE proposals are also matched.
In this case, the problem is usually caused by the reboot of one router after the IPsec tunnel is established.
Solution
Use the display ike sa command to check whether both parties have established an SA in phase 1.
Use the display ipsec sa policy command to check whether the IPsec policy on the interface has established IPsec SA.
If the two commands show that one party has an SA but the other does not, use the reset ipsec sa command to clear the IPsec SA that has no corresponding SA, use the reset ike sa command to clear the IKE SA that has no corresponding IKE SA, and trigger SA re-negotiation.