Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
Syntax: show ip access-list <listname>
Review the ACL, looking for miskeyed entries or problems with the wildcard bits. Remember that for a client-to-site VPN, the destination should be the network in the IKE client configuration pool. See Chapter 5: Applying Access Control to Router Interfaces for more information on how to correctly configure an extended ACL.
Note: To change an ACL entry, first enter the no form of the faulty entry to remove it from the list, then enter the correct entry. Do not simply enter the correct entry without removing the incorrect one: the router evaluates ACL entries in the order in which you entered them, so the faulty entry is still matched ahead of the new one and continues to cause problems until it is removed.
Monitoring the IKE Process using Debug Commands
To monitor the IKE process, enter:
ProCurve# debug crypto ike
Deactivate any other active debug output first (enter undebug all) so that the IKE messages are not interleaved with unrelated output.
You will receive a great many debug messages from IKE as it makes three attempts to establish the connection. Look at the final messages first, as these give the clearest indication of the source of the problem. (Table 8-24 gives some examples of messages that appear due to common problems with the VPN.)
Table 8-24. Debug Messages

Message                                                     Possible Problem                                              Best Next Step
NO_PROPOSAL_CHOSEN                                          incompatible security parameters                              Determine whether negotiations failed at IKE phase 1 or phase 2.
IKEStartNegotiation: could not find an IKE policy to use    no IKE policy is configured for the peer set in the crypto    Compare the peer ID in the crypto map entry and the IKE policy.
                                                            map entry
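As an added example (not part of the ProCurve documentation), the following Python script applies the triage advice above to a captured debug crypto ike log: it shows the final messages first and maps any message listed in Table 8-24 to its possible problem and best next step, ordering findings by their most recent occurrence. Only the two message strings, problems and next steps come from the table; the sample log lines, the peer addresses (RFC 5737 documentation ranges) and all function and class names are constructed for illustration.

```python
"""Triage a captured `debug crypto ike` log against the messages in Table 8-24.

Added example; not ProCurve code. Message strings, problems and next steps come
from Table 8-24; the log format below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KnownMessage:
    text: str        # substring to look for in a debug line (from Table 8-24)
    problem: str     # possible problem (from Table 8-24)
    next_step: str   # best next step (from Table 8-24)


KNOWN_MESSAGES: List[KnownMessage] = [
    KnownMessage(
        "NO_PROPOSAL_CHOSEN",
        "incompatible security parameters",
        "Determine whether negotiations failed at IKE phase 1 or phase 2.",
    ),
    KnownMessage(
        "IKEStartNegotiation: could not find an IKE policy to use",
        "no IKE policy is configured for the peer set in the crypto map entry",
        "Compare the peer ID in the crypto map entry and the IKE policy.",
    ),
]


@dataclass
class Finding:
    message: str
    problem: str
    next_step: str
    count: int        # how many times the message appeared (retries inflate this)
    last_line: int    # 1-based number of the latest line carrying it


def match_known(line: str) -> Optional[KnownMessage]:
    """Return the Table 8-24 entry whose message text appears in this line, if any."""
    for known in KNOWN_MESSAGES:
        if known.text in line:
            return known
    return None


def triage(log_text: str, tail: int = 3) -> Tuple[List[str], List[Finding]]:
    """Return the last `tail` debug lines and the known messages found, latest first.

    The page advises reading the final messages first, so findings are ordered
    by the line number of their most recent occurrence, newest at the front.
    """
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    findings: Dict[str, Finding] = {}
    for number, line in enumerate(lines, start=1):
        known = match_known(line)
        if known is None:
            continue
        found = findings.get(known.text)
        if found is None:
            findings[known.text] = Finding(known.text, known.problem, known.next_step, 1, number)
        else:
            found.count += 1
            found.last_line = number
    ordered = sorted(findings.values(), key=lambda f: f.last_line, reverse=True)
    return lines[-tail:], ordered


def report(log_text: str, tail: int = 3) -> str:
    """Human-readable summary of triage(): final lines first, then findings."""
    last, findings = triage(log_text, tail)
    out = ["Final debug messages:"] + [f"  {ln}" for ln in last]
    if not findings:
        out.append("No message from Table 8-24 found; read the full log.")
    for f in findings:
        out.append(f"Message: {f.message} (seen {f.count}x, last at line {f.last_line})")
        out.append(f"  Possible problem: {f.problem}")
        out.append(f"  Best next step:   {f.next_step}")
    return "\n".join(out)


# Constructed sample log: three attempts, each rejected with NO_PROPOSAL_CHOSEN.
# Only the NO_PROPOSAL_CHOSEN token is from the page; the surrounding wording
# and the addresses are made up for this example.
SAMPLE_LOG = """\
IKE: starting negotiation with peer 192.0.2.10 from 198.51.100.1
IKE: sending phase 1 proposal to 192.0.2.10
IKE: received NO_PROPOSAL_CHOSEN from 192.0.2.10
IKE: retrying phase 1 negotiation
IKE: received NO_PROPOSAL_CHOSEN from 192.0.2.10
IKE: retrying phase 1 negotiation
IKE: received NO_PROPOSAL_CHOSEN from 192.0.2.10
IKE: negotiation with 192.0.2.10 failed
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Paste the router's debug output in place of SAMPLE_LOG; matching is by substring, so the router's own prefixes and timestamps around the message text do not matter. Extending KNOWN_MESSAGES with further rows as you encounter them turns the table into a reusable runbook.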