Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
Note
However, if the tunnel opens, then you know that you have a problem with
the ACL. Enter:
Syntax: show ip access-list <listname>
Review the ACL, looking for miskeyed entries or problems with the wildcard
bits. Remember that for a client-to-site VPN, the destination should be the
network in the IKE client configuration pool. See Chapter 5: Applying Access
Control to Router Interfaces for more information on how to correctly configure an extended ACL.
To change an ACL entry, first enter the no form of the faulty entry to remove
it from the list. Then enter the correct entry. Do not simply enter the correct
entry without removing the incorrect one. The router processes ACLs in the
order in which you enter the commands, so the faulty entry may continue to
cause problems unless entirely removed.
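To illustrate the ACL review described above, here is an added example that is not part of the manual or of the ProCurve CLI: a small Python checker that parses constructed `show ip access-list` output and flags permit entries whose destination is not the IKE client pool network, or whose wildcard bits are miskeyed (for example a subnet mask typed where wildcard bits belong). The ACL name, addresses and pool network are constructed for the example.

```python
import ipaddress

# Constructed sample of "show ip access-list" output: the second entry points at
# the wrong destination, the third has a subnet mask typed as wildcard bits.
SAMPLE_ACL = """\
Extended IP access list VPN-TRAFFIC
    permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 10.10.10.0 255.255.255.0
"""
CLIENT_POOL = "10.10.10.0/24"  # constructed IKE client configuration pool network


def wildcard_to_network(addr, wildcard):
    """Turn address + wildcard bits into a network. Valid wildcard bits are a
    contiguous run of low-order ones (0.0.0.255, 0.0.255.255, ...); anything
    else, such as a subnet mask typed by mistake, raises ValueError."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"{wildcard} is not valid wildcard bits")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_spec(tokens, i):
    """Consume one source/destination spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def review_acl(acl_text, client_pool):
    """Return (entry, problem) pairs for miskeyed entries and for permit
    entries whose destination is not the IKE client pool."""
    pool = ipaddress.IPv4Network(client_pool)
    findings = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # header line or an entry form this checker does not parse
        try:
            _src, i = parse_spec(tokens, 2)  # tokens[1] is the protocol keyword
            dst, _ = parse_spec(tokens, i)
        except (ValueError, IndexError) as exc:
            findings.append((line.strip(), f"miskeyed entry: {exc}"))
            continue
        if tokens[0] == "permit" and dst != pool:
            findings.append((line.strip(), f"destination {dst} is not the client pool {pool}"))
    return findings
```

Running `review_acl(SAMPLE_ACL, CLIENT_POOL)` reports the second and third entries; an entry whose destination equals the pool network passes.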
Monitoring the IKE Process using Debug Commands
To monitor the IKE process, enter:
ProCurve# debug crypto ike
You should deactivate any active debug messages (enter undebug all) before
activating the IKE messages.
You will receive a great many debug messages from IKE as it attempts three
times to establish a connection. Look at the final messages first, as these
give you the best clue to the source of the problem. (Table 10-24 gives some
examples of messages that appear due to common problems with the VPN.)