HP 7102dl - ProCurve Secure Router Configuration Manual page 571

Procurve secure router 7000dl series - advanced management and configuration guide

Virtual Private Networks
Troubleshooting a VPN That Uses IPSec

Table 10-24. Debug Messages

| Message | Possible Problem | Best Next Step |
|---|---|---|
| NO_PROPOSAL_CHOSEN | incompatible security parameters | Determine whether negotiations failed at IKE phase 1 or phase 2. |
| IKEStartNegotiation: could not find an IKE policy to use | no IKE policy is configured for the peer set in the crypto map entry | Compare peer ID in the crypto map entry and IKE policy. |
| • IkeGetPreSharedKey failed • IKEIDWaitProcess | invalid authentication information | • Double-check your preshared key with your peer. • Double-check the ID in the remote ID list and verify that it matches the peer's. If you are using digital certificates, make sure that the remote ID exactly matches that in authorized certificates. • Renew your certificate and CRL. |

The key to interpreting debug messages in order to pinpoint a problem with a VPN connection is understanding how IPSec, and particularly IKE, establish the VPN tunnel. IKE follows a set process for communicating with and authenticating a peer, negotiating security parameters, and bringing up first the IKE SA and then the IPSec SA, or VPN tunnel. By tracking this process, you can pinpoint exactly where the IKE negotiations derail. You will then know where to look for a misconfiguration.

IKE completes the following steps:

1. IKE phase 1 (main or aggressive mode)
   a. proposes (or accepts) security parameters (main mode message 1 or 2, aggressive mode message 1 or 2) including:
      i. a hash algorithm
      ii. an encryption algorithm
      iii. an authentication method
      iv. an IKE SA lifetime
   b. generates keys using Diffie-Hellman key exchange (main mode message 3 or 4, aggressive mode message 1 or 2)
   c. authenticates the peer and establishes the IKE SA (main mode message 5 or 6, aggressive mode message 3)
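The script below is an added example, not part of the HP manual: it tracks the phase 1 message numbers listed above and pairs the first Table 10-24 message it finds with the step the negotiation had reached. The log line format and sample lines are constructed for illustration and are not the router's actual debug output; treating an error that follows the final phase 1 message as a phase 2 failure is this example's assumption.

```python
import re

# Phase 1 step reached for each (mode, message number), per the list above.
STEP = {("main", 1): "a", ("main", 2): "a", ("main", 3): "b", ("main", 4): "b",
        ("main", 5): "c", ("main", 6): "c",
        ("aggressive", 1): "a+b", ("aggressive", 2): "a+b", ("aggressive", 3): "c"}
LAST_MSG = {"main": 6, "aggressive": 3}  # final phase 1 message in each mode

# (debug text, possible problem, best next step) condensed from Table 10-24.
TABLE = [
    ("NO_PROPOSAL_CHOSEN", "incompatible security parameters",
     "determine whether negotiations failed at IKE phase 1 or phase 2"),
    ("could not find an IKE policy to use",
     "no IKE policy is configured for the peer set in the crypto map entry",
     "compare peer ID in the crypto map entry and IKE policy"),
    ("IkeGetPreSharedKey failed", "invalid authentication information",
     "double-check preshared key, remote ID, certificate and CRL"),
    ("IKEIDWaitProcess", "invalid authentication information",
     "double-check preshared key, remote ID, certificate and CRL"),
]

# Constructed line format (assumption): "<mode> mode message <n>".
MSG_RE = re.compile(r"(main|aggressive) mode message (\d)", re.I)

def diagnose(lines):
    """Return where negotiation stopped and the matching table row, or None."""
    mode, num = None, 0
    for line in lines:
        m = MSG_RE.search(line)
        if m:  # remember the most recent phase 1 message seen
            mode, num = m.group(1).lower(), int(m.group(2))
            continue
        for text, problem, step in TABLE:
            if text in line:
                # Assumption: an error after the last phase 1 message is phase 2.
                done = mode is not None and num == LAST_MSG[mode]
                return {"message": text, "problem": problem, "next_step": step,
                        "phase": 2 if done else 1,
                        "phase1_step": STEP.get((mode, num), "not started")}
    return None

# Constructed sample logs, not actual router output.
SAMPLE_P1 = ["IKE: main mode message 1", "IKE: main mode message 2",
             "IKE: NO_PROPOSAL_CHOSEN"]
SAMPLE_P2 = ["IKE: aggressive mode message %d" % n for n in (1, 2, 3)] + [
             "IKE: NO_PROPOSAL_CHOSEN"]
SAMPLE_KEY = ["IKE: main mode message 5", "IKE: IkeGetPreSharedKey failed"]

if __name__ == "__main__":
    for log in (SAMPLE_P1, SAMPLE_P2, SAMPLE_KEY):
        print(diagnose(log))
```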

This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
