D-Link NetDefend DFL-210 User Manual page 400

Network security firewall ver 2.26.01

9.7.6. Specific Symptoms
problem even though XAuth is not used.
1. The tunnel can only be initiated from one side
This is a common problem and is due to a mismatch in the size of the local or remote network and/or
in the lifetime settings on the proposal list(s).
To troubleshoot this you need to examine the settings for the local network, remote network, IKE
proposal list and IPsec proposal list on both sides to try to identify a mismatch.
For example, suppose we have the following IPsec settings at either end of a tunnel:
    Side A
        Local Network  = 192.168.10.0/24
        Remote Network = 10.10.10.0/24
    Side B
        Local Network  = 10.10.10.0/24
        Remote Network = 192.168.10.0/16
In this scenario you will see that the remote network defined on Side B is larger than the local
network defined on Side A. This means that only Side A can initiate the tunnel successfully towards
Side B, as the network it proposes is smaller. When Side B tries to initiate the tunnel, Side A will
reject it because the proposed network is bigger than what is defined. The reason it works the other
way around is that a smaller network is considered more secure and will be accepted. The same rule
applies to the lifetimes in the proposal lists.
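The acceptance rule above can be checked offline before touching either firewall. The following script is an added example, not part of the manual or of NetDefendOS: it models the phase-2 check as a plain subset test on the traffic selectors plus a "no longer than mine" test on the lifetime, using the Side A / Side B networks from the text. The lifetime values (3600 s) are assumed for illustration, and the manual's "192.168.10.0/16" is read with host bits ignored, i.e. as 192.168.0.0/16.

```python
from ipaddress import ip_network

# Constructed settings taken from the manual's Side A / Side B example.
# Lifetimes are assumed values, not from the manual.
SIDE_A = {"local": "192.168.10.0/24", "remote": "10.10.10.0/24", "lifetime": 3600}
SIDE_B = {"local": "10.10.10.0/24", "remote": "192.168.10.0/16", "lifetime": 3600}


def responder_accepts(initiator, responder):
    """Return (accepted, reason) for a phase-2 proposal from `initiator`.

    The initiator proposes its own local/remote networks. The responder
    accepts only if each proposed network fits inside what it has
    configured (its remote for the initiator's local, its local for the
    initiator's remote) and the proposed lifetime is not longer than its
    own. Smaller network or shorter lifetime is more restrictive and is
    accepted; larger is rejected.
    """
    # strict=False: "192.168.10.0/16" has host bits set; treat it as /16.
    init_local = ip_network(initiator["local"], strict=False)
    init_remote = ip_network(initiator["remote"], strict=False)
    resp_local = ip_network(responder["local"], strict=False)
    resp_remote = ip_network(responder["remote"], strict=False)

    if not init_local.subnet_of(resp_remote):
        return False, f"proposed local {init_local} not within responder remote {resp_remote}"
    if not init_remote.subnet_of(resp_local):
        return False, f"proposed remote {init_remote} not within responder local {resp_local}"
    if initiator["lifetime"] > responder["lifetime"]:
        return False, f"proposed lifetime {initiator['lifetime']}s exceeds responder's"
    return True, "proposal accepted"


def check_both_directions(a, b):
    """Try the tunnel from each side; shows which initiation direction works."""
    return {"A_initiates": responder_accepts(a, b),
            "B_initiates": responder_accepts(b, a)}


if __name__ == "__main__":
    for direction, (ok, reason) in check_both_directions(SIDE_A, SIDE_B).items():
        print(f"{direction}: {'OK' if ok else 'REJECTED'} ({reason})")
```

Run as-is it reports A_initiates as OK and B_initiates as REJECTED, which is exactly the one-sided symptom described above; fixing Side B's remote network to a /24 makes both directions pass.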
2. Unable to set up with config mode and getting a spurious XAuth message
The reason for this message is basically "No proposal chosen". It appears when something fails in
terms of network size on either the local network or the remote network. Since NetDefendOS has
determined that it is a type of network size problem, it will make one last attempt to get the
correct network by sending a config mode request.
By using ikesnoop while both sides initiate the tunnel, you should easily be able to compare the
networks that the two sides are sending in phase-2. With that information you should be able to spot
the network problem: it can be a network size mismatch, or the networks may not match at all.
Chapter 9. VPN