Ike Fault Diagnosis And Troubleshooting - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide
[RouterB-Atm1/0/0] pvc 0/100
[RouterB-atm-pvc-Atm1/0/0-0/100] map bridge Virtual-Ethernet0
[RouterB-atm-pvc-Atm1/0/0-0/100] quit
# Create and configure the VE interface.
[RouterB] interface virtual-ethernet0
[RouterB-Virtual-Ethernet0] pppoe-client dial-bundle-number 1
[RouterB-Virtual-Ethernet0] mac-address 0011-0022-0012

8.5 IKE Fault Diagnosis and Troubleshooting

When configuring parameters to establish IPSec security channel, you can enable the
Error debugging of IKE to help us find configuration problems. The command is as
follows:
<3Com> debugging ike error
Symptom 1: Invalid user ID information
Troubleshooting: User ID is the data that the user initiating the IPSec communication
uses to identify itself. In actual applications, you can make use of user ID to set up
different security channels for various types of data traffic for the sake of protection. In
the implementation of 3Com Corporation, a user is so far identified by its IP address.
Following is the debugging information you may view on the screen:
got NOTIFY of type INVALID_ID_INFORMATION
Or
drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
Check whether the ACLs of the IPSec policies configured on the interfaces at both
ends of the negotiation are compatible. The user is recommended to configure the
ACLs to mirror each other. For more information about ACL mirror, refer to Section
Configure ACL in IPSec Configuration.
Symptom 2: Proposal mismatch
Troubleshooting:
Following is the debugging information you may view on the screen:
got NOTIFY of type NO_PROPOSAL_CHOSEN
Or
drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN
The two parties of the negotiation have no matched proposal. For the negotiation at
stage 1, you can look up the IKE proposals for a match. For the negotiation at stage 2,
you can check whether the parameters of the IPSec polices applied on the interfaces
are matched, and whether the referenced IPSec proposals have a match in protocol,
encryption and authentication algorithms.
3Com Corporation
8-21
Chapter 8 IKE Configuration