Specific Symptoms - D-Link DFL-260E User Manual

Network security firewall netdefendos version 2.27.03

If multiple similar or roaming tunnels exist and there is a need to separate them using ID lists, a
possible cause is that none of the ID lists match the certificate properties of the connecting
user. Either the user is not authorized, the certificate properties are wrong on the client, or the
ID list needs to be updated with this user's information.
With L2TP, the client certificate may have been imported into the wrong certificate store on the
Windows client, so the client presents the wrong certificate when it connects.
9.7.6. Specific Symptoms
There are two specific symptoms that will be discussed in this section:
1. The tunnel can only be initiated from one side.
2. The tunnel cannot be set up and the ikesnoop command reports a config mode XAuth problem even though XAuth is not used.
1. The tunnel can only be initiated from one side
This is a common problem and is caused by a mismatch in the size of the local or remote network
and/or the lifetime settings in the proposal list(s).
To troubleshoot this, examine the settings for the local network, remote network, IKE proposal list
and IPsec proposal list on both sides to identify the mismatch.
For example, suppose the following IPsec settings are at either end of a tunnel:
Side A
    Local Network = 192.168.10.0/24
    Remote Network = 10.10.10.0/24
Side B
    Local Network = 10.10.10.0/24
    Remote Network = 192.168.10.0/16
In this scenario, the remote network defined on Side B is larger than the local network defined on
Side A. This means that only Side A can initiate the tunnel successfully towards Side B, because the
network it proposes is the smaller one.
When Side B tries to initiate the tunnel, Side A rejects it because the proposed network is bigger
than what Side A has defined. It works the other way around because a smaller network is
considered more secure and is therefore accepted. The same principle applies to the lifetimes in the
proposal lists: a shorter lifetime is accepted, a longer one is not.
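The following checker is an added example and is not part of the D-Link manual or of NetDefendOS; it only models the rule stated above (a responder accepts a proposed network that is equal to or narrower than its own, and a lifetime that is equal to or shorter than its own). The `TunnelEnd` class, the `responder_accepts` and `diagnose` functions, and the lifetime values are assumptions for illustration; the network values are the ones from the manual's example. Running it shows which direction of initiation will be rejected and why, which is the comparison a practitioner would otherwise do by hand when reading both sides' configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelEnd:
    """One end's IPsec settings. Field names and the lifetime values are
    assumptions made for this example, not NetDefendOS configuration keys."""
    name: str
    local_net: str
    remote_net: str
    ike_lifetime: int    # seconds, assumed sample value
    ipsec_lifetime: int  # seconds, assumed sample value


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False so that 192.168.10.0/16, as written in the manual's
    # example, parses as the network 192.168.0.0/16 instead of raising.
    return ipaddress.ip_network(cidr, strict=False)


def responder_accepts(initiator: TunnelEnd, responder: TunnelEnd) -> list:
    """Return the reasons the responder would reject the initiator's proposal.

    An empty list means the tunnel can be set up in this direction. The model
    is the manual's rule: a proposed network is accepted only if it lies
    within (is equal to or narrower than) the responder's configured network,
    and a proposed lifetime only if it is equal to or shorter than the
    responder's. Seen from the responder, the initiator's local network must
    fit its remote network and vice versa.
    """
    reasons = []
    init_local, init_remote = _net(initiator.local_net), _net(initiator.remote_net)
    resp_local, resp_remote = _net(responder.local_net), _net(responder.remote_net)

    if not init_local.subnet_of(resp_remote):
        reasons.append(f"{initiator.name} local {init_local} is not within "
                       f"{responder.name} remote {resp_remote}")
    if not init_remote.subnet_of(resp_local):
        reasons.append(f"{initiator.name} remote {init_remote} is not within "
                       f"{responder.name} local {resp_local}")
    if initiator.ike_lifetime > responder.ike_lifetime:
        reasons.append(f"{initiator.name} IKE lifetime {initiator.ike_lifetime}s exceeds "
                       f"{responder.name} IKE lifetime {responder.ike_lifetime}s")
    if initiator.ipsec_lifetime > responder.ipsec_lifetime:
        reasons.append(f"{initiator.name} IPsec lifetime {initiator.ipsec_lifetime}s exceeds "
                       f"{responder.name} IPsec lifetime {responder.ipsec_lifetime}s")
    return reasons


def diagnose(a: TunnelEnd, b: TunnelEnd) -> dict:
    """Check both initiation directions and return {direction: reasons}."""
    return {
        f"{a.name} -> {b.name}": responder_accepts(a, b),
        f"{b.name} -> {a.name}": responder_accepts(b, a),
    }


# Constructed sample: the networks from the manual's example, plus assumed
# lifetimes where Side B's IKE lifetime is longer than Side A's.
SIDE_A = TunnelEnd("Side A", "192.168.10.0/24", "10.10.10.0/24", 28800, 3600)
SIDE_B = TunnelEnd("Side B", "10.10.10.0/24", "192.168.10.0/16", 86400, 3600)

if __name__ == "__main__":
    for direction, reasons in diagnose(SIDE_A, SIDE_B).items():
        status = "OK" if not reasons else "REJECTED"
        print(f"{direction}: {status}")
        for reason in reasons:
            print(f"    - {reason}")
```

With the sample above, Side A initiating towards Side B is accepted, while Side B initiating towards Side A is rejected twice: once because its /16 remote network is wider than Side A's /24 local network, and once because its IKE lifetime is longer. Fixing the configuration means shrinking Side B's remote network to 192.168.10.0/24 and aligning the lifetimes, after which both directions report OK.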
2. Unable to set up with config mode and getting a spurious XAuth message
The underlying reason for this message is "No proposal chosen". It appears when something fails in
terms of network size on either the local network or the remote network. Since NetDefendOS has
determined that the failure is a network size problem, it makes one last attempt to obtain the
correct network by sending a config mode request, which is what produces the XAuth message.
Note: L2TP with Microsoft Vista
With L2TP, Microsoft Vista by default tries to contact the CRL distribution point and download the
CRL, while Microsoft XP does not. This behaviour can be turned off in Vista.
Chapter 9. VPN
