
IPsec VPN Troubleshooting

Posted: 17 Nov, 2008
by: Knowledge M.
Updated: 31 May, 2010
by: Knowledge M.
Troubleshooting IPsec VPN connection

1 ) Connect to the Internet and ping Mettle SE's WAN IP address to check connectivity.

2 ) If you see nothing at all in the log when sending traffic, your client is not trying to bring up the tunnel. You probably have an installation problem.

3 ) If you see log messages like "Initiating IKE Phase 1" followed by "Re-transmitting", requests sent by your VPN client to your corporate gateway aren't getting through:

3.1 ) Double-check your client configuration to make sure it specifies the right "Identities" for you and your gateway. Identities are often an e-mail address for you and an IP address for your gateway, but this varies, so use the settings appropriate for your company's VPN.

3.2 ) Make sure you can ping Mettle SE. If you have a "UDP ping" tool, verify that UDP port 500 traffic gets to the gateway. If ping or UDP ping is not getting all the way through, ping intermediate hops, starting from your end, to figure out where UDP 500 is being blocked.

4 ) If you see log messages like "Initiating IKE Phase 1" followed by "Hash Payload is incorrect" and "Discarding IKE SA negotiation", your VPN client is failing authentication. Double-check your pre-shared key or digital certificate to make sure they match the settings in Mettle SE.

5 ) If you see log messages like "Initiating IKE Phase 1" followed by "No Proposal Chosen" and "Discarding IKE SA negotiation", your VPN client and Mettle SE have an IKE policy mismatch. Double-check your client security parameters (encryption and authentication algorithms) to make sure they match the settings of Mettle SE.

6 ) If you see log messages like "Established IKE SA" followed by "No Proposal Chosen" and "Discarding IPsec SA negotiation", this indicates an IPsec policy mismatch; see point 5.

7 ) If you see log messages like "Loading IPsec SA" or "IKE Phase 2 Completed," but still aren't able to communicate with your corporate server, then your tunnel is up but tunnelled packets are possibly being blocked, corrupted, or misrouted:

7.1 ) ESP (IP protocol 50) or AH (IP protocol 51) may be blocked by a firewall between you and your corporate gateway.

7.2 ) Network/Port Address Translation (NAT/PAT) may be occurring somewhere in that path.

7.3 ) There may be a problem with routing, preventing response packets from tunnelling back to you.

If the VPN gateway isn't seeing incoming packets on your tunnel, you're probably stuck at 7.1. If your gateway is discarding incoming packets to your tunnel, you're probably encountering 7.2. Give your local ISP or DSL/cable provider a call to work out these problems. If the VPN gateway is seeing incoming but not outgoing packets through your tunnel, suspect 7.3 and tell your company's network administrator.

The actual text in your VPN log may differ from what is quoted in this Knowledge Base article, but the meaning will be the same.
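As an added illustration of the decision procedure in steps 2 to 7 (not part of the original article or of Mettle SE), the script below classifies a client log against the messages quoted above; the sample log is constructed, and the patterns match only the wording used in this article, so adjust them for your client's actual log text.

```python
import re

# Constructed sample log (not from the article), modelled on the messages the
# article quotes; real client logs word these differently.
SAMPLE_LOG = """\
Initiating IKE Phase 1
Established IKE SA
No Proposal Chosen
Discarding IPsec SA negotiation
"""

# Each rule: (needs Phase 1 established?, pattern, diagnosis). None = don't care.
RULES = [
    (None, "Re-transmitting",
     "step 3: IKE requests not reaching the gateway; check identities and the UDP 500 path"),
    (None, "Hash Payload is incorrect",
     "step 4: authentication failure; check the pre-shared key or certificate"),
    (False, "No Proposal Chosen",
     "step 5: IKE policy mismatch; check Phase 1 encryption/authentication algorithms"),
    (True, "No Proposal Chosen",
     "step 6: IPsec policy mismatch; check Phase 2 security parameters"),
    (None, r"Loading IPsec SA|IKE Phase 2 Completed",
     "step 7: tunnel is up; if traffic still fails suspect ESP/AH filtering, NAT or routing"),
]


def triage(log_text):
    """Map a client log to the article's troubleshooting step.

    'No Proposal Chosen' is attributed to Phase 1 or Phase 2 depending on
    whether 'Established IKE SA' was seen earlier, as steps 5 and 6 require.
    """
    phase1_up = False
    started = False
    for line in log_text.splitlines():
        if re.search(r"Initiating IKE Phase 1", line, re.I):
            started = True
        if re.search(r"Established IKE SA", line, re.I):
            phase1_up = True
        for needs_p1, pattern, diagnosis in RULES:
            if re.search(pattern, line, re.I) and needs_p1 in (None, phase1_up):
                return diagnosis
    if not started:
        return "step 2: no IKE activity logged; client is not trying to bring up the tunnel"
    return "no known marker; compare the log against steps 3 to 7 by hand"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```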