Checking Wan Connections - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

Checking WAN Connections

Before you waste time searching through convoluted configurations for an
error, you should verify that your connection to the Internet (or other public
network) is up.
Check that the Physical (Layer 1) connection is good and the Data Link (Layer
2) state is open. See the Basic Management and Configuration Guide,
Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial
Interfaces or Chapter 7: ADSL WAN Connections for tips on troubleshooting
a WAN connection.
Determining the Source of the Problem: Permitting All Traffic in
a VPN
Problems with VPN configurations can be broken down into two general
categories:
mismatched security parameters
problems with the network addressing, including errors in:
• peer's ID
• networks permitted to access the VPN tunnel
Often you will have reason to believe that mismatched security parameters
are a problem. A debug message such as "NO_PROPOSAL_CHOSEN" will
appear.
However, when you do not know where to start looking for a problem, it is
often advisable to rule out problems with network addressing before search-
ing through the many security parameters.
Permitting all traffic in the VPN allows you to determine whether you can
reach the peer at all.
Move to the configuration mode context for the ACL that selects VPN traffic.
Add an entry that permits all traffic:
ProCurve(config-ext-nacl)# permit ip any any
Again attempt to make the connection. If the tunnel remains shut, incompat-
ible security policies are most likely at fault. (It is also possible that the ACL
has a "deny ip any any" entry at the beginning.)
However, if the tunnel opens, then you know that you have a problem with
the ACL. Enter:
Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
8-75