The key to interpreting debug messages in order to pinpoint a problem with
a VPN connection is understanding how IPSec, and particularly IKE, establishes
the VPN tunnel. IKE follows a set process for communicating with and
authenticating a peer, negotiating security parameters, and bringing up first
the IKE SA and then the IPSec SA (the VPN tunnel itself). By tracking this
process against the debug output, you can pinpoint exactly where the IKE
negotiation derails, and therefore where to look for a misconfiguration: a
negotiation stalls at the step whose parameters the two peers disagree on.
IKE completes the following steps:

1. IKE phase 1 (main or aggressive mode)
   a. proposes (or accepts) security parameters (main mode message 1 or 2,
      aggressive mode message 1 or 2), including:
      i.   a hash algorithm
      ii.  an encryption algorithm
      iii. an authentication method (preshared key or digital certificate)
      iv.  a Diffie-Hellman group
      v.   an IKE SA lifetime
   b. generates keys using the Diffie-Hellman key exchange (main mode
      message 3 or 4, aggressive mode message 1 or 2)
   c. authenticates the peer and establishes the IKE SA (main mode message
      5 or 6, aggressive mode message 2 or 3)
2. IKE phase 2 (quick mode), protected by the IKE SA
   a. proposes (or accepts) security parameters, including:
      i.   an authentication (hash) algorithm (optional for ESP, mandatory
           for AH)
      ii.  an encryption algorithm (ESP only; AH does not encrypt)
      iii. an IPSec SA lifetime
   b. generates keys
   c. establishes the IPSec SA
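The step tracking described above, as an added example (this is not code from the original manual or from the product it documents): a Python script that parses captured ISAKMP messages by their RFC 2408 header and payload chain, maps each message to the step it belongs to, and reports the furthest step reached together with the configuration area to check first. The sample capture is constructed inline with dummy cookie, key-exchange and nonce bytes; the step labels, the message-count rule and the mapping from step to configuration area are this example's own, following the list above.

```python
"""Locate where an IKEv1 negotiation derails by parsing captured ISAKMP messages.

Added example, not code from the original manual. Header and payload layouts
follow RFC 2408 (ISAKMP); 32 is the IPsec DOI exchange number for Quick Mode.
The sample capture at the bottom is constructed with dummy byte filler.
"""
import struct

ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, next payload,
HEADER_LEN = ISAKMP_HEADER.size               # version, exchange, flags, msg id, length

XCHG_MAIN, XCHG_AGGRESSIVE, XCHG_INFO, XCHG_QUICK = 2, 4, 5, 32
FLAG_ENCRYPTION = 0x01
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 8: "HASH", 9: "SIG",
                 10: "NONCE", 11: "NOTIFY", 12: "DELETE", 13: "VID"}

# Steps from the text, what each negotiates, and how many messages a complete
# step needs (main mode: two per step; aggressive mode folds proposal and DH
# exchange into messages 1-2, then message 3 alone; quick mode: three).
STEP_ORDER = ["1a", "1b", "1c", "2"]
WHERE_TO_LOOK = {
    "1a": "phase 1 proposal (hash and encryption algorithms, authentication method, IKE SA lifetime)",
    "1b": "Diffie-Hellman group (must match on both peers)",
    "1c": "authentication (preshared key, remote ID, certificate and CRL)",
    "2": "phase 2 proposal (ESP/AH algorithms, IPSec SA lifetime, protected networks)",
}
MESSAGES_PER_STEP = {XCHG_MAIN: {"1a": 2, "1b": 2, "1c": 2, "2": 3},
                     XCHG_AGGRESSIVE: {"1b": 2, "1c": 1, "2": 3}}


def build_message(exchange, payloads, flags=0, msg_id=0):
    """Assemble a message from (payload type, body) pairs; test-data helper only."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HEADER.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange,
                              flags, msg_id, HEADER_LEN + len(body)) + body


def parse_message(data):
    """Return exchange type, encryption flag and the payload chain of one message."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, _, xchg, flags, msg_id, length = ISAKMP_HEADER.unpack(data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("header length %d != %d bytes on the wire" % (length, len(data)))
    msg = {"exchange": xchg, "encrypted": bool(flags & FLAG_ENCRYPTION),
           "msg_id": msg_id, "payloads": []}
    if msg["encrypted"]:
        return msg  # payload bodies are ciphertext; only the header is readable
    off = HEADER_LEN
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt_next, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        msg["payloads"].append(PAYLOAD_NAMES.get(nxt, "P%d" % nxt))
        nxt, off = nxt_next, off + plen
    return msg


def classify_step(msg):
    """Map one parsed message to a step of the IKE process, or None."""
    p = set(msg["payloads"])
    if msg["exchange"] == XCHG_MAIN:
        if msg["encrypted"]:
            return "1c"  # messages 5/6: encrypted ID + HASH/SIG
        if "KE" in p and "NONCE" in p:
            return "1b"  # messages 3/4: Diffie-Hellman exchange
        if "SA" in p:
            return "1a"  # messages 1/2: proposal / acceptance
    elif msg["exchange"] == XCHG_AGGRESSIVE:
        if "SA" in p and "KE" in p:
            return "1b"  # messages 1/2: proposal, KE, nonce and ID together
        if msg["encrypted"] or "HASH" in p or "SIG" in p:
            return "1c"  # message 3: initiator authenticates
    elif msg["exchange"] == XCHG_QUICK:
        return "2"  # quick mode always runs encrypted under the IKE SA
    return None  # informational, unknown or malformed


def diagnose(messages):
    """Report the furthest step reached and which configuration to check first.

    Rule: if the last step seen is missing messages, the peer stopped answering
    there, so that step's parameters disagree; if the step is complete but the
    next one never started, the next step's parameters are the suspect.
    """
    mode, counts = None, {}
    for raw in messages:
        msg = parse_message(raw)
        if msg["exchange"] in MESSAGES_PER_STEP:
            mode = msg["exchange"]
        step = classify_step(msg)
        if step:
            counts[step] = counts.get(step, 0) + 1
    if not counts or mode is None:
        return "none", "no phase 1 traffic seen: check the peer address and that IKE (UDP 500) reaches it"
    last = max(counts, key=STEP_ORDER.index)
    if counts[last] < MESSAGES_PER_STEP[mode][last]:
        return last, "peer stopped answering at step %s: check %s" % (last, WHERE_TO_LOOK[last])
    if last == "2":
        return "2", "IPSec SA established; if the tunnel still fails, check %s" % WHERE_TO_LOOK["2"]
    nxt = STEP_ORDER[STEP_ORDER.index(last) + 1]
    return last, "step %s completed but step %s never started: check %s" % (last, nxt, WHERE_TO_LOOK[nxt])


# Constructed capture (dummy bytes, not a real trace): main mode proposals and
# DH messages are exchanged, then the initiator's encrypted message 5 gets no
# reply, the pattern behind a peer that rejects our authentication.
SA, KE, ID, HASH, NONCE = 1, 4, 5, 8, 10
FAILED_AUTH_CAPTURE = [
    build_message(XCHG_MAIN, [(SA, b"\x00" * 8)]),
    build_message(XCHG_MAIN, [(SA, b"\x00" * 8)]),
    build_message(XCHG_MAIN, [(KE, b"\x01" * 16), (NONCE, b"\x02" * 8)]),
    build_message(XCHG_MAIN, [(KE, b"\x01" * 16), (NONCE, b"\x02" * 8)]),
    build_message(XCHG_MAIN, [(ID, b"\x00" * 4), (HASH, b"\x00" * 16)], flags=FLAG_ENCRYPTION),
]

if __name__ == "__main__":
    print(diagnose(FAILED_AUTH_CAPTURE))
```

On the constructed capture this reports step 1c with a hint to check the preshared key and remote ID, the same situation the troubleshooting table on this page lists as invalid authentication information. Real captures arrive as UDP 500 payloads, one datagram per message; NAT-traversal traffic on UDP 4500 carries a four-byte non-ESP marker in front of the ISAKMP header that this parser does not strip.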
Virtual Private Networks

Troubleshooting a VPN That Uses IPSec

Message:           IkeGetPreSharedKey failed
                   IKEIDWaitProcess
Possible Problem:  invalid authentication information
Best Next Step:    • Double-check your preshared key with your peer.
                   • Double-check the ID in the remote ID list and verify that
                     it matches the peer's. If you are using digital
                     certificates, make sure that the remote ID exactly matches
                     the one in the authorized certificates.
                   • Renew your certificate and CRL.