Management Interface Failure With Vpn; Specific Error Messages - D-Link DFL-1660 User Manual

Network security firewall
The ikesnoop console command
A common problem with setting up IPsec is a list of proposed algorithms that is unacceptable to the
device at the other end of the tunnel. The ikesnoop command is a useful tool for diagnosing
incompatible algorithm proposal lists by showing the details of negotiations during tunnel setup.
The basic form of this command is:
gw-world:/> ikesnoop -on -verbose
Once issued, an ICMP ping can then be sent to the NetDefend Firewall from the remote end of the
tunnel. This will cause ikesnoop to output details of the tunnel setup negotiation to the console and
any algorithm proposal list incompatibilities can be seen.
If there are multiple tunnels in a setup, or multiple clients on a single tunnel, the output from the
verbose option can be overwhelming. It is therefore better to restrict the output to a single tunnel by
specifying the IP address of the tunnel's endpoint (either the IP of the remote endpoint or a client's
IP address). The command takes the form:
gw-world:/> ikesnoop -on <ip-address> -verbose
Ikesnoop can be turned off with the command:
gw-world:/> ikesnoop -off
For a more detailed discussion of this topic, see Section 9.4.5, "Troubleshooting with ikesnoop".
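The check that ikesnoop's verbose output lets the administrator make by hand is whether the two ends of the tunnel share at least one complete proposal. The following Python model, added here as an illustration and not code from the D-Link manual or from NetDefendOS, shows a responder choosing the first initiator proposal it also accepts and, when none matches, reporting which attributes never overlap. The proposal lists and algorithm labels are constructed for the example.

```python
# Added example (not NetDefendOS code): model IKE proposal selection to show
# why mismatched proposal lists end in "no proposal chosen".
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str   # constructed labels, e.g. "aes256", "3des"
    integrity: str    # e.g. "sha256", "sha1"
    dh_group: int     # Diffie-Hellman group number


def choose_proposal(initiator: List[Proposal],
                    responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder also accepts, else None.
    Initiator order is preserved, which is how a responder normally picks."""
    acceptable = set(responder)
    for p in initiator:
        if p in acceptable:
            return p
    return None


def explain_mismatch(initiator: List[Proposal],
                     responder: List[Proposal]) -> List[str]:
    """Per-attribute report of values one side offers that the other never
    accepts. An empty report does not guarantee a full-proposal match (each
    attribute may overlap in different proposals), so use it alongside
    choose_proposal, not instead of it."""
    notes = []
    for attr in ("encryption", "integrity", "dh_group"):
        offered = {getattr(p, attr) for p in initiator}
        accepted = {getattr(p, attr) for p in responder}
        if not offered & accepted:
            notes.append(f"{attr}: local offers {sorted(map(str, offered))}, "
                         f"remote accepts {sorted(map(str, accepted))}")
    return notes


# Constructed sample lists: a remote client and two firewall configurations.
REMOTE_CLIENT = [Proposal("aes256", "sha256", 14), Proposal("aes128", "sha1", 2)]
FIREWALL_OK = [Proposal("aes128", "sha1", 2), Proposal("3des", "md5", 2)]
FIREWALL_BAD = [Proposal("3des", "md5", 5)]

if __name__ == "__main__":
    print("compatible:", choose_proposal(REMOTE_CLIENT, FIREWALL_OK))
    print("incompatible:", choose_proposal(REMOTE_CLIENT, FIREWALL_BAD))
    for line in explain_mismatch(REMOTE_CLIENT, FIREWALL_BAD):
        print("  ", line)
```

With the incompatible firewall list every attribute is reported, which corresponds to the "no proposal chosen" outcome discussed later in this chapter; fixing any one attribute on either side is not enough, the whole proposal must agree.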

9.8.4. Management Interface Failure with VPN

If, after any VPN tunnel is set up, the management interface no longer operates, the likely cause is
management traffic being routed back through the VPN tunnel instead of out through the correct
interface.
This happens when a route is established in the main routing table which routes any traffic for
all-nets through the VPN tunnel. If the management interface is not reachable through the VPN tunnel
then the administrator needs to create a specific route that routes management interface traffic leaving
the NetDefend Firewall back to the management sub-network.
When any VPN tunnel is defined, an all-nets route is automatically defined in the routing table, so
the administrator should always set up a specific route for the management interface to be correctly
routed.
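The reason a specific route fixes the problem is route precedence: a route for the management sub-network is more specific than the automatically defined all-nets route and so wins the lookup. The following Python model, added here as an illustration and not code from the D-Link manual or from NetDefendOS, assumes longest-prefix matching as the lookup rule and uses constructed interface names and addresses.

```python
# Added example (not NetDefendOS code): a minimal longest-prefix-match routing
# table showing an all-nets route through a VPN tunnel capturing management
# traffic, and a more specific route for the management subnet restoring it.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Return the egress interface for dst using longest-prefix match
    (assumed here to be the rule the routing table applies)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None
                                  or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best.interface if best else None


def mgmt_reachable_directly(routes: List[Route], mgmt_host: str,
                            mgmt_iface: str) -> bool:
    """True when replies to the admin host leave via the management interface."""
    return lookup(routes, mgmt_host) == mgmt_iface


# Constructed values: management interface, admin workstation, and route tables.
MGMT_IFACE = "lan"
MGMT_HOST = "192.168.1.50"

# Table as it looks once a VPN tunnel has added its all-nets route.
ROUTES_AFTER_VPN = [Route(net("0.0.0.0/0"), "vpn_tunnel")]

# Same table with the specific route for the management sub-network added.
ROUTES_FIXED = ROUTES_AFTER_VPN + [Route(net("192.168.1.0/24"), MGMT_IFACE)]

if __name__ == "__main__":
    print("after VPN only:", lookup(ROUTES_AFTER_VPN, MGMT_HOST))
    print("with mgmt route:", lookup(ROUTES_FIXED, MGMT_HOST))
    print("other traffic still via tunnel:", lookup(ROUTES_FIXED, "10.0.0.5"))
```

The specific /24 route only changes where management replies go; traffic for any other destination still follows the all-nets route into the tunnel, which is the behaviour the administrator wanted when defining it.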

9.8.5. Specific Error Messages

This section will deal with specific error messages that can appear with VPN and what they indicate.
The messages discussed are:
1. Could not find acceptable proposal / no proposal chosen.
gw-world:/> ipsecstat -num=all
Another example of what to avoid with many tunnels is:
gw-world:/> ipsectunnels -num=all
In these circumstances, using the -num option with a small number, for example -num=10,
is recommended.
485
Chapter 9. VPN
