Hi Michael,
Thanks for your clarification. I'm much clearer about the problems now.
> > When you find out that the IKEv2 negotiation succeeds but ESP
> > traffic can't get through, what more information will you get
> > from sending the ESPping and not receiving a response?
>
> That there is a problem with proto=50... So:
> a) do UDP encap (maybe by manual config, if you are clueful)
> b) call network support and file a problem report.
I mean, when you find out that the IKEv2 negotiation succeeds but ESP traffic
can't get through, you can already guess there may be a problem with ESP packet.
If you want to use ESPping to determine the problem is really because of the
on-path firewalls or routers discard the ESP packets, you need to make sure the
IPsec peer also supports the ESPping.
If you want to do the traceroute to determine how far ESP actually gets, you
need to make sure every node supports the ESPping.
Regards & Thanks!
Wei PAN (潘伟)
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
