Comparing Vpn Policies - HP 7102dl - ProCurve Secure Router Configuration Manual

Procurve secure router 7000dl series - advanced management and configuration guide

Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
10-80
To check the peer ID in an IKE policy or crypto map entry, enter commands
such as the following:

Syntax: show crypto map [<mapname> <mapindex>]
Syntax: show crypto ike policy

You can also view all crypto maps by entering the show crypto map command
without a mapname and index.

To change the initiate mode for IKE, move to the IKE policy configuration
mode context and enter:

Syntax: initiate [main | aggressive]

Invalid Authentication Information. If IKE repeatedly sends or receives
main mode message 5, it is unable to authenticate the peer. Check the
preshared key for the peer in the running-config:

ProCurve# show running-config

If you are using digital certificates, you should verify that your certificate is
up to date and valid. You might also need to change your CRL. See "Managing
Certificates" on page 10-61 for more information on viewing and deleting
digital certificates.

Comparing VPN Policies

Depending on where you discovered IKE negotiations breaking down, you
should check configurations for:

IKE policies (IKE phase 1)
transform sets (IKE phase 2)
crypto maps (IKE phase 2)

Comparing IKE Policies. All security parameters should match the peer's.
If possible, have your peer attempt to initiate a VPN connection with the local
router. You can then find the settings proposed by the peer in the debug
messages.

When viewing debug messages, first determine whether the proposals are
those of the local or the remote peer. Figure 10-15 shows sample debug
messages that display when the local router initiates IKE with the peer. If the
peer had initiated IKE, the first debug message would have read:

Received first message of main mode
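
The comparison described above, as an added example that is not part of the ProCurve manual: it checks each local IKE phase 1 attribute set against each proposal read from the peer's debug messages and, when none match, reports the closest pair and the fields that differ. The field names and sample values are constructed for illustration and are assumptions, not router output or CLI keywords.

```python
# Added example. Field names and sample values are constructed for
# illustration; they are not ProCurve CLI keywords or debug output.
FIELDS = ("encryption", "hash", "authentication", "dh_group", "lifetime_s")


def _norm(value):
    """Compare strings case-insensitively, ignoring surrounding spaces."""
    return value.strip().lower() if isinstance(value, str) else value


def diff_proposal(local, peer):
    """Return {field: (local_value, peer_value)} for each field that differs."""
    return {
        f: (_norm(local.get(f)), _norm(peer.get(f)))
        for f in FIELDS
        if _norm(local.get(f)) != _norm(peer.get(f))
    }


def compare_ike_policies(local_proposals, peer_proposals):
    """Check every local attribute set against every peer proposal.

    Returns (True, (local_idx, peer_idx)) for the first exact match.
    Otherwise returns (False, (local_idx, peer_idx, mismatches)) for the
    closest pair, or (False, None) if either side has no proposals.
    """
    closest = None
    for li, local in enumerate(local_proposals):
        for pi, peer in enumerate(peer_proposals):
            mismatches = diff_proposal(local, peer)
            if not mismatches:
                return True, (li, pi)
            if closest is None or len(mismatches) < len(closest[2]):
                closest = (li, pi, mismatches)
    return False, closest


# Constructed sample: two local attribute sets, one proposal from the peer.
LOCAL = [
    {"encryption": "3des", "hash": "sha1", "authentication": "pre-share",
     "dh_group": 2, "lifetime_s": 86400},
    {"encryption": "aes-256", "hash": "sha1", "authentication": "pre-share",
     "dh_group": 2, "lifetime_s": 28800},
]
PEER = [{"encryption": "AES-256", "hash": "SHA1", "authentication": "pre-share",
         "dh_group": 1, "lifetime_s": 28800}]

if __name__ == "__main__":
    print(compare_ike_policies(LOCAL, PEER))
```

With the sample data the closest pair differs only in the Diffie-Hellman group, which is the single setting to reconcile with the peer.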
