Vpn Troubleshooting; General Troubleshooting - D-Link NetDefendOS User Manual

9.8. VPN Troubleshooting

This section deals with how to troubleshoot the common problems that are found with VPN.

9.8.1. General Troubleshooting

In all types of VPNs some basic troubleshooting checks can be made:
• Check that all IP addresses have been specified correctly.
• Check that all pre-shared keys and usernames/passwords are correctly entered.
• Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by
Pinging the internal IP address of the local network interface on the NetDefend Firewall from
a client (in LAN-to-LAN setups, pinging could be done in either direction). If NetDefendOS is
to respond to a Ping then the following rule must exist in the IP rule set:
Action
Allow
• Ensure that another IPsec Tunnel definition is not preventing the correct definition being
reached. The tunnel list is scanned from top to bottom by NetDefendOS and a tunnel in a
higher position with the Remote Network set to all-nets and the Remote Endpoint set to
none could prevent the correct tunnel being reached. A symptom of this is often an Incorrect
Pre-shared Key message.
• Try and avoid duplication of IP addresses between the remote network being accessed by a
client and the internal network to which a roaming client belongs.
If a roaming client becomes temporarily part of a network such as a Wi-Fi network at an
airport, the client will get an IP address from the Wi-Fi network's DHCP server. If that IP also
belongs to the network behind the NetDefend Firewall accessible through a tunnel, then
Windows will still continue to assume that the IP address is to be found on the client's local
network. Windows therefore will not correctly route packets bound for the remote network
through the tunnel but instead route them to the local network.
The solution to this problem of local/remote IP address duplication is to create a new route in
the client's Windows routing table that explicitly routes the IP address to the tunnel.
• If roaming client user authentication is not asking the users for their username/password
then ensure that the following advanced settings are enabled:
• IPsec Before Rules for pure IPsec roaming clients.
• L2TP Before Rules for L2TP roaming clients.
• PPTP Before Rules for PPTP roaming clients.
These settings should be enabled by default and they ensure that user authentication traffic
between NetDefendOS and the client can bypass the IP rule set. If the appropriate setting is
not enabled then an explicit rule needs to be added to the IP rule set to allow the
authentication traffic to pass between roaming clients and NetDefendOS. This rule will have a
destination interface of core (which means NetDefendOS itself ).
• If the remote endpoint is specified as a URL, make sure that the URL string is preceded by the
prefix dns:. If, for example, the tunnel remote endpoint is to be specified as vpn.example.com,
this should be specified as dns:vpn.example.com.
Src Interface Src Network
vpn_tunnel all-nets
Dest Interface
core
762
Chapter 9: VPN
Dest Network Service
all-nets ICMP