Home / Notes / IPSec Tunnel Troubleshooting
NOTES · IPSEC / VPN TROUBLESHOOTING

IPSec VPN Tunnel Won't Come Up? A Troubleshooting Flowchart and the Usual Root Causes

A tunnel that refuses to form, or comes up and still won't pass traffic, is one of the most common problems in site-to-site IPSec. This is the diagnostic order that finds the fault fastest — where to look at each stage, the display commands to run, and the root causes that account for most of these tickets.

By the AtlasCommTech engineering team — 13 years of carrier & enterprise network deployments · Updated July 2026

Why Guessing Costs More Than Reading the Tree

I keep coming back to the same short sequence of checks — not because IPSec is simple, but because the ways it breaks repeat.

An IPSec tunnel that won't come up, or comes up and still won't pass traffic, is one of the most common problems in site-to-site connectivity. The instinct is to start changing settings on both ends at once — but it's much faster to work through the negotiation stages in order: whether IKE negotiation is even triggered, whether phase 1 (the IKE SA) completes, whether phase 2 (the IPSec SA) completes, and only then whether the protected traffic itself is actually flowing.

What follows is the fault tree this is built on, the checks for each stage with the exact commands to run, the root causes that show up again and again once you're past the first few checks, and a handful of real FAQ answers pulled from actual field cases.

Read the Fault Tree Before You Touch Any Configuration

IPSec failures split into exactly two shapes: the tunnel never comes up, or it comes up and something's still wrong.

Placing the symptom on this tree first saves a lot of backtracking later — it tells you which of the sections below actually applies to what you're looking at.

IPSec Fault Tunnel Fails To Establish Tunnel Up, Something's Still Wrong Stage 0 · IKE negotiation never triggeredno traffic / trigger mode · route unreachable · ACL / NAT mismatch Stage 1 · IKE SA (phase 1) failspre-shared key / proposal / ID / NAT-T mismatch Stage 2 · IPSec SA (phase 2) failsACL not mirrored · proposal mismatch · PFS mismatch Restart: only one side re-negotiatesno DPD configured on either peer Traffic doesn't passroute · ACL mismatch · NAT interference · SHA-2 mismatch Quality is poor (slow / intermittent)fragmentation · CPU load · DPD flapping · path loss

Diagram labels are kept in English for engineering clarity.

IKE SA or IPSec SA negotiation failure is the core of most IPSec faults, and worth analyzing against the negotiation process directly. Almost everything else on this tree — an interface, a route, an ACL, a NAT rule — is a plain misconfiguration in a different feature that has to be chased down in its own context, not in the IPSec process itself.

Working Through Each Stage

Four stages, four different sets of things to look at — and the command that tells you which stage you're actually stuck in.

Stage 0 — Confirm IKE Negotiation Is Even Triggered

If display ike sa shows nothing at all, don't assume phase 1 failed — check whether negotiation was ever triggered in the first place.

  1. Check the SA trigger mode with display ipsec policy. The default is traffic-triggered, meaning negotiation only starts once real traffic tries to cross the tunnel — a Ping is enough. If you'd rather not depend on traffic showing up first, set sa trigger-mode auto instead.
  2. Check display ipsec statistics. If outbound ok is 0 (or trigger ok is 0 under traffic-triggered mode), no IKE packet has actually left this router yet — that's stage 0, not a phase-1 failure.
  3. Ping to confirm both the private-network route and the public-network route are actually reachable.
  4. Check display ipsec interface brief to confirm the IPSec policy is genuinely applied to the tunnel-facing interface, not just configured somewhere.
  5. Check display ipsec policy for the Security ACL number, then display acl acl-number to confirm that ACL actually matches the real traffic you're trying to protect — and that no NAT rule on the same interface is intercepting it first.
<Huawei> display ipsec policy
===========================================
IPSec policy group: "10"
Using interface: GigabitEthernet1/0/0
===========================================
       Sequence number: 10
       Security data flow: 3100/IPv4
       SA trigger mode: Traffic-based            // default trigger mode

<Huawei> display ipsec statistics
   negotiate about packet statistics:
     IKE ctrl packet inbound ok: 0, outbound ok: 0
     trigger ok: 0, switch sa: 0, sync sa: 0
// outbound ok = 0 -> no IKE packet has left this router yet

<Huawei> display ipsec interface brief
------------------------------------------------
  IPSec policy       : policy1
  Using interface      : GigabitEthernet1/0/0
------------------------------------------------

<Huawei> display acl 3100
Advanced ACL 3100, 1 rule
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 (0 times matched)

Stage 1 — IKE SA (Phase 1) Negotiation

Three different counter combinations on display ipsec statistics point to three different places to look — worth checking before anything else.

  1. Compare display ipsec statistics on both ends. If the initiator's outbound ok is non-zero but the responder's inbound stays 0, the responder never received anything — check the carrier path for UDP 500/4500 filtering, route reachability, or a wrong remote-address on the initiator. If the responder received it but its own outbound stays 0, the IPSec policy likely isn't applied on the responder's interface, or its remote-address doesn't match. If both ends show inbound and outbound moving but the initiator never gets a reply, check for a one-way route problem.
  2. Check display ike peer on both ends — remote IP/domain, IKE version, exchange mode, local/remote ID, SM4 version. All of them have to match, not just be individually valid.
  3. Check display ike proposal on both ends — authentication method, authentication algorithm, encryption algorithm, DH group, PRF algorithm. A mismatch on any one of these is enough to fail phase 1.
  4. If a NAT device sits between the two peers, confirm NAT traversal is enabled on both ends, and that any IP-based peer authentication is pointed at the pre-NAT address via remote-address authentication-address.
<Router1> display ipsec statistics
   negotiate about packet statistics:
     IKE ctrl packet inbound ok: 0, outbound ok: 4
// outbound ok not 0 but the peer's inbound stays 0 -> peer never received it

<Router> display ike peer name 1
------------------------------------------
  Remote IP           : 1.1.1.1(www.huawei.com)
  IKE version          : v1
  Exchange mode          : main on phase 1
  Local ID type         : IP
  Remote ID type         : any
  NAT-traversal          : Enable

<Router> display ike proposal number 10
-------------------------------------------
 Authentication Method    : PRE_SHARED
 Authentication Algorithm : SHA2-256
 Encryption Algorithm     : AES-256
 Diffie-Hellman Group     : MODP-2048
 Prf Algorithm            : HMAC-SHA2-256
-------------------------------------------

Stage 2 — IPSec SA (Phase 2) Negotiation

Phase 1 succeeds, display ike sa shows an established SA, but there's still no IPSec SA — this is almost always the ACL or the proposal.

  1. Check that both ends' Security ACLs mirror each other — one side's source/destination should be the other side's destination/source. Non-mirrored ACLs only negotiate successfully if the initiator's range is a subset of the responder's.
  2. Check display ipsec proposal on both ends — security protocol (AH/ESP), encapsulation mode, encryption algorithm, authentication algorithm.
  3. Check display ipsec policy brief for the negotiation mode, and confirm the PFS DH group matches on both ends if PFS is configured on either side.
<Huawei> display acl 3100
Advanced ACL 3100, 1 rule
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
// the peer's rule should mirror this: source 10.1.1.0/24 destination 10.1.2.0/24

<Huawei> display ipsec proposal
IPSec proposal name: p1
 Encapsulation mode: Tunnel
 Transform          : ah-esp-new
 ESP protocol       : Authentication SHA2-HMAC-256
                       Encryption AES-256

<Huawei> display ipsec policy brief
Policy name         Mode      ACL         Peer name
policy1-100         isakmp    3002/IPv4   peer1
// Perfect forward secrecy: DH group 14 -- must match on both ends if configured

Stage 3 — Tunnel Is Up, Traffic Still Won't Pass

display ipsec sa shows an established SA on both ends — that confirms the tunnel exists, not that traffic is using it.

  1. Check display ipsec sa's Flow source / Flow destination against the real business subnets — a tunnel can be up while protecting the wrong traffic entirely.
  2. Ping from an actual host, not just the gateway, to rule out a host-to-gateway route problem; in multi-egress designs also check whether policy-based routing is quietly sending the traffic somewhere other than the tunnel.
  3. Check whether a NAT rule on the same interface is processing the traffic before IPSec gets to it — NAT runs first in the forwarding order, so it can silently swallow traffic meant for the tunnel.
  4. If there's a NAT device in the path, confirm NAT traversal is enabled on both ends, and that the security protocol is ESP, not AH — AH doesn't survive NAT-T.
  5. If the proposal's authentication algorithm is a SHA-2 variant, check display ipsec statistics for authentication-failure drops; if you see them, enable ipsec authentication sha2 compatible enable.
<Huawei> display ipsec sa
-----------------------------
  Flow source          : 10.1.0.0/255.255.0.0 0/0
  Flow destination      : 10.2.0.0/255.255.0.0 0/0
// compare this against the real business subnets, not just "tunnel is up"

<Huawei> display ike peer
  NAT-traversal        : Enable

<Huawei> display ipsec proposal
 Transform            : esp-new           // must be ESP, not AH, when NAT-T is in play

<Huawei> display ipsec statistics
  dropped security packet detail:
     authentication: 33, replay: 0
// non-zero authentication drops with SHA-2 in the proposal -> compat mode needed
[Huawei] ipsec authentication sha2 compatible enable

6 Root Causes That Show Up Again and Again

Once the four stages above have told you where the problem sits, these six account for most of what's actually wrong.

1. Pre-Shared Key Doesn't Actually Match

SYMPTOMIKE SA never forms — display ike sa stays empty or shows the connection stuck negotiating, and this is the only phase-1 parameter that still looks unconfirmed.

CAUSEWith pre-shared key authentication, both ends' keys have to be identical, character for character. Because the configured key is stored and displayed in cipher form, a typo on either end isn't something you can catch by reading the running configuration back — the two ends can each look "configured" and still not match.

FIXRe-enter the same plaintext key on both ends deliberately, rather than trusting that a previously copied value is still correct on both sides.

[Router] ike peer huawei
[Router-ike-peer-huawei] pre-shared-key cipher <same-key-on-both-ends>

2. IKE Proposal Parameters Don't Line Up

SYMPTOMdisplay ike error-info reports phase1 proposal mismatch.

CAUSEIn one real case on this exact fault code, one router's IKE proposal used AES-128 while the peer (a different vendor's device) used AES-256 — a single differing parameter is enough to fail the whole phase-1 negotiation.

FIXCompare display ike proposal side by side; when the peer is a different vendor and you can't get its configuration directly, debugging ikev1 all (or debugging ikev2 all) on your own router shows you the proposal attributes the other side actually sent.

<AR1> display ike error-info
 peer      port  error-reason               version  error-time
 2.1.1.1   500   phase1 proposal mismatch   v1       2017-09-05 15:22:32

// debugging ikev1 all on AR1 showed what the peer actually sent:
Attribute ENCRYPTION_ALGORITHM value AES_CBC
Attribute KEY_LENGTH value 256
Attribute HASH_ALGORITHM value SHA2-256
Attribute AUTHENTICATION_METHOD value PRE_SHARED
Attribute GROUP_DESCRIPTION value MODP_2048
// AR1 was configured for AES-128; the peer proposed AES-256 -- align the two
[AR1] ike proposal 10
[AR1-ike-proposal-10] encryption-algorithm aes-256

3. Security ACLs Aren't Mirrored — or They Overlap

SYMPTOMIPSec SA fails to negotiate at all, or — in a hub with several branches — only one branch's traffic won't pass while the others are fine.

CAUSEThe two ends' ACLs should be mirror images of each other (source and destination swapped); when they're not, negotiation only succeeds if the initiator's range is a subset of the responder's. Separately, when a hub has several branch tunnels, overlapping address ranges across different ACLs in the same policy group cause one branch's traffic to be silently claimed by another branch's tunnel.

FIXMirror the ACL source/destination on both ends, and make sure no two ACLs referenced by the same IPSec policy group have overlapping rule ranges.

4. NAT Runs First and Steals the Traffic, or NAT Traversal Isn't On

SYMPTOMTunnel shows established on both ends, but the outbound encapsulation counter never moves — no encrypted packets are actually being sent.

CAUSEOn a router that's also doing NAT, NAT is applied before IPSec in the forwarding order. If the NAT ACL still matches the traffic meant for the tunnel, that traffic gets translated and routed out to the internet instead of into the tunnel — no error, no log, nothing to look for except a stuck packet counter. Separately, when there's a NAT device between the two peers, both ends need NAT traversal explicitly enabled, and the security protocol has to be ESP — AH doesn't survive address translation.

FIXAdd a deny rule for the tunnel's protected addresses at the top of the NAT ACL so that traffic never gets translated in the first place; enable nat traversal on both IKE peers when a NAT device sits in the path; and use ESP, not AH, whenever NAT-T is involved.

acl number 3300
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 10 permit ip
[Router-ike-peer-huawei] nat traversal

5. DPD Falsely Declares the Peer Dead

SYMPTOMThe tunnel isn't down for any obvious reason, but it flaps — drops and rebuilds — even though the link and both routers are fine.

CAUSEDead Peer Detection has to agree on the payload sequence used in its own keepalive packets. When the two ends' DPD message order doesn't match, DPD silently fails to confirm the peer is alive, and the tunnel gets torn down and rebuilt on a false alarm.

FIXConfigure identical DPD parameters on both ends — message sequence, detection mode, idle time, retransmit interval, retry limit.

[Router-ike-peer-huawei] dpd msg seq-hash-notify
[Router-ike-peer-huawei] dpd type periodic
[Router-ike-peer-huawei] dpd idle-time 20
[Router-ike-peer-huawei] dpd retransmit-interval 10
[Router-ike-peer-huawei] dpd retry-limit 4

6. SA Lifetime Isn't the Same on Both Ends

SYMPTOMLogs show repeated phase1 hard expiry or phase2 hard expiry events, and the tunnel seems to renegotiate more often — or less symmetrically — than you'd expect.

CAUSEThe IKE SA and IPSec SA both carry a configured lifetime (sa duration, or the global ipsec sa global-duration). If the two ends aren't configured with the same value, one side ages its SA out and starts renegotiating while the other is still holding the old one, which shows up as unnecessary churn rather than a clean, simultaneous renewal.

FIXCompare the SA Duration field from display ike proposal and the equivalent IPSec SA duration on both ends, and set them equal with sa duration or ipsec sa global-duration.

<sysname> display ike proposal number 10
 SA Duration(Seconds)   : 86400
<sysname> display ipsec global config
  IPSec sa global-duration time-based(seconds) : 3600

Related solution designs

Five Questions That Come Up Constantly

Pulled straight from the field — the ones worth having an answer ready for.

What's actually different between AH and ESP?

AH (Authentication Header) gives you data-origin authentication, integrity checking and anti-replay, but it doesn't encrypt the payload at all — it's for traffic where confidentiality doesn't matter but tampering does. ESP (Encapsulating Security Payload) does everything AH does, plus it can encrypt the payload, and can be configured for encryption only, authentication only, or both. The two can be combined on the same tunnel; when they are, ESP is applied first, then AH, for extra assurance.

display ipsec sa shows nothing at all — where do I even start?

Ping to confirm public-network reachability first. If the tunnel is IKE-negotiated, check display ike sa — if phase 1 hasn't even established, that's your answer. If phase 1 looks fine, wait roughly ten seconds and check again; SA installation isn't always instant. Then confirm the interface carrying the IPSec policy is actually Up, and only then start reviewing the IPSec configuration itself.

My branch has a dynamic public IP and headquarters has a fixed one — can I still build an IPSec tunnel?

Yes. The fixed-IP end configures a policy-template-based IPSec policy that doesn't require knowing the peer's address in advance, and its IKE peer entry simply omits remote-address. The dynamic-IP end configures normally, pointing remote-address at the fixed peer. Whichever end has the unpredictable address has to be the one that initiates.

A tunnel refuses to establish at all until I restart it — why?

This usually means a new branch is trying to protect traffic that overlaps with a data flow an existing tunnel at the hub is already protecting. The conflict blocks the new negotiation outright, and only clears once the old tunnel is torn down — which a restart forces. ipsec remote traffic-identical accept lets a new peer with an identical protected-flow definition take over quickly, aging out the old SA instead of being blocked by it.

The tunnel is up, but access is slow or keeps cutting in and out — what's actually going on?

Four usual suspects: CPU load from other features (attack-defense, other SAs) running alongside IPSec; a DPD payload-order mismatch causing the tunnel to flap on false dead-peer alarms; ordinary internet path loss upstream of the tunnel; and IP fragmentation — IPSec's own encapsulation overhead pushes packets over the path MTU, and both fragmenting and reassembling encrypted traffic cost CPU that a busy router doesn't always have to spare. Testing with different ping sizes to find the breakpoint, then adjusting the interface MTU and tcp adjust-mss, is the standard fix for the last one.

Honest Limits of This Note

Honest Limits of This Note

This note is built around the Huawei AR-series router's IPSec fault-classification model and its display ike sa / ipsec sa / ipsec statistics commands, plus the field cases behind them. If your gateway is a different vendor, the exact commands change, but the underlying negotiation logic — trigger, phase 1, phase 2, ACL matching, NAT interaction, DPD, SA lifetime — carries over directly. It doesn't cover IKEv2-specific edge cases like EAP or digital-envelope authentication in depth, or SD-WAN overlay scenarios.

Stuck on a specific tunnel?

Tell us which stage it's stuck at — phase 1, phase 2, or up-but-not-passing-traffic — plus the display ike sa / display ipsec sa output, and we'll help you read it.

WhatsApp an engineer →

Related Reading