HP 7102dl - ProCurve Secure Router Configuration Manual page 572

Procurve secure router 7000dl series - advanced management and configuration guide

Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
2. IKE phase 2 (quick mode)
   a. proposes (or accepts) security parameters including:
      i. a hash algorithm (optional for ESP)
      ii. an encryption algorithm (optional for AH)
      iii. an IPSec SA lifetime
   b. generates keys
   c. establishes the IPSec SA
When you scan debug messages for clues to the source of a problem, pay
particular attention to messages that indicate the step that IKE is performing.
You can then determine what settings you need to modify. You will learn more
about specific problems and debug messages in the following pages.
IKE phase 2 problems are nearly always caused by incompatible security
proposals for the IPSec SA. IKE phase 1, on the other hand, involves more
steps and can go wrong in various ways. If you determine that problems begin
in IKE phase 1, you should then zero in on the message that fails. Look for the
message that IKE sends over and over. (See Table 10-25.)
Table 10-25. IKE Debug Messages

| Message That Repeats | Possible Problem | Best Next Step |
|---|---|---|
| main mode message 1 | incompatible IKE modes or security parameters | Compare IKE attribute policy with the peer's settings. |
| main mode message 5 | invalid authentication information | Double-check preshared keys and certificates. |
| aggressive mode message 1 | incompatible IKE modes or security parameters | Compare IKE attribute policy with peer's settings. |
| aggressive mode message 3 | invalid authentication information | Double-check preshared keys and certificates. |
| quick mode message 1 | incompatible IPSec security parameters | Compare crypto map entry and transform set settings with the peer's settings. |

Incompatible Security Parameters. When you receive the
NO_PROPOSAL_CHOSEN message, you need to determine which proposal
was incompatible: the proposal sent during IKE phase 1 for the IKE SA or the
proposal sent during IKE phase 2 for the IPSec SA.
A quick way to determine which phase failed is to enter:
ProCurve# show crypto ike sa
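The following is an added example, not part of the HP manual: it applies the triage rule above by finding the message IKE keeps sending in saved debug output and looking it up in Table 10-25. It also attributes a NO_PROPOSAL_CHOSEN message to the phase whose exchange was in progress when it appeared. The debug line format, the `triage` function and the sample log are constructed assumptions; adjust the regular expression to the wording your router actually prints.

```python
import re
from collections import Counter

# Table 10-25: message that repeats -> (possible problem, best next step)
MISMATCH = ("incompatible IKE modes or security parameters",
            "Compare IKE attribute policy with the peer's settings.")
AUTH = ("invalid authentication information",
        "Double-check preshared keys and certificates.")
IPSEC = ("incompatible IPSec security parameters",
         "Compare crypto map entry and transform set settings "
         "with the peer's settings.")
TABLE_10_25 = {("main", 1): MISMATCH, ("main", 5): AUTH,
               ("aggressive", 1): MISMATCH, ("aggressive", 3): AUTH,
               ("quick", 1): IPSEC}
# Assumed line format: the debug text contains "<mode> mode message <n>".
MSG_RE = re.compile(r"\b(main|aggressive|quick) mode message (\d+)\b", re.I)

def triage(log_text, min_repeats=3):
    """Find the message IKE keeps resending and map it to Table 10-25."""
    counts, last, np_phase = Counter(), None, None
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            last = (m.group(1).lower(), int(m.group(2)))
            counts[last] += 1
        if "NO_PROPOSAL_CHOSEN" in line and last:
            # Attribute the rejection to the exchange in progress at that point.
            np_phase = 2 if last[0] == "quick" else 1
    if not counts or max(counts.values()) < min_repeats:
        return None  # no message is being retransmitted
    stuck = max(counts, key=counts.get)
    problem, step = TABLE_10_25.get(stuck, ("not listed in Table 10-25", None))
    return {"message": "%s mode message %d" % stuck,
            "phase": 2 if stuck[0] == "quick" else 1,
            "no_proposal_phase": np_phase, "problem": problem, "next_step": step}

# Constructed sample: phase 1 completes, then quick mode message 1 is resent.
SAMPLE_LOG = """\
IKE: sent main mode message 1
IKE: received main mode message 2
IKE: sent main mode message 5
IKE: received main mode message 6
IKE: sent quick mode message 1
IKE: received notify NO_PROPOSAL_CHOSEN
IKE: sent quick mode message 1
IKE: sent quick mode message 1
"""
```

Calling `triage(SAMPLE_LOG)` reports quick mode message 1 as the stuck message, so the crypto map entry and transform set are the settings to compare with the peer.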

This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
