Troubleshooting With Ikesnoop - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01
Hide thumbs Also See for NetDefend DFL-210:
Table of Contents

Advertisement

9.4.5. Troubleshooting with ikesnoop

This example shows how to manually setup and specify an LDAP server.
Command-Line Interface
gw-world:/> add LDAPServer Host=192.168.101.146 Username=myusername
Web Interface
1.
Go to Objects > VPN Objects > LDAP > Add > LDAP Server
2.
Now enter:
IP Address: 192.168.101.146
Username: myusername
Password: mypassword
Confirm Password: mypassword
Port: 389
3.
Click OK
9.4.5. Troubleshooting with ikesnoop
VPN Tunnel Negotiation
When setting up IPsec tunnels, problems can arise because the initial negotiation fails when the
devices at either end of a VPN tunnel try but fail to agree on which protocols and encryption
methods will be used. The ikesnoop console command with the verbose option is a tool that can be
used to identify the source of such problems by showing the details of this negotiation.
Using ikesnoop
The ikesnoop command can be entered via a CLI console or directly via the RS232 Console.
To begin monitoring the full command is:
gw-world:/> ikesnoop -on -verbose
This means that ikesnoop output will be sent to the console for every VPN tunnel IKE negotiation.
The output can be overwhelming so to limit the output to a single IP address, for example the IP
address 10.1.1.10, the command would be:
gw-world:/> ikesnoop -on 10.1.1.10 -verbose
The IP address used is the IP address of the VPN tunnel's remote endpoint (either the IP of the
remote endpoint or the client IP). To turn off monitoring, the command is:
gw-world:/> ikesnoop -off
The output from verbose option can be troublesome to interpret by an administrator seeing it for the
first time. Presented below is some typical ikesnoop output with annotations to explain it. The tunnel
negotiation considered is based on Pre-shared Keys. A negotiation based on certificates is not
discussed here but the principles are similar.
Password=mypassword Port=389
372
Chapter 9. VPN

Advertisement

Table of Contents
loading

Table of Contents