Troubleshooting A Vpn That Uses Ipsec; Tools And Procedures - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

C a u t i o n

Troubleshooting a VPN That Uses IPSec

When you have correctly configured a VPN, it should quickly go up. You can
verify that the VPN has been established by pinging a location on the remote
network from the local network. The first few packets may be dropped while
IKE negotiates the IPSec SA and establishes the VPN tunnel. However, after
several attempts you should be able to ping the remote location.
If you cannot ping the remote location, you will need to troubleshoot the VPN
connection.

Tools and Procedures

Because you must configure many settings on at least two devices, many of
which must match exactly, it is easy to make a misconfiguration. Searching
for the problem can be frustrating, particularly if you do not know where to
begin looking for it.
The following procedure will help you pinpoint a problem:
1. Check WAN connections.
2. Apply an ACL that permits all traffic to the crypto map.
3. Activate crypto debug messages and reattempt the connection.
Debug messages can be very draining on the router's processor and can
compromise network performance.
4. Compare configurations between the local router and the peer and make
any necessary changes.
5. If you cannot find the peer's settings, return VPN policies to their defaults
and reattempt the connection.
The first step winnows out problems with the Physical (Layer 1) and Data Link
(Layer 2) connection to the Internet. The second step is designed to check for
a problem in selecting traffic for the VPN before you waste time looking for
mismatched security policies. In the third step, you track IKE negotiations to
discover where the process of establishing the connection breaks down. In
the fourth step, you search for mismatched configurations, using the
knowledge you gained in the second step. Fix any misconfigurations so that
Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
8-73