HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 464


Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
8-78
When you scan debug messages for clues to the source of a problem, pay
particular attention to messages that indicate the step that IKE is performing.
You can then determine what settings you need to modify. You will learn more
about specific problems and debug messages in the following pages.

IKE phase 2 problems are nearly always caused by incompatible security
proposals for the IPSec SA. IKE phase 1, on the other hand, involves more
steps and can go wrong in various ways. If you determine that problems begin
in IKE phase 1, you should then zero in on the message that fails. Look for the
message that IKE sends over and over. (See Table 8-25.)

Table 8-25. IKE Debug Messages

Message That Repeats        Possible Problem              Best Next Step
--------------------------  ----------------------------  ----------------------------
main mode message 1         incompatible IKE modes or     Compare IKE attribute policy
                            security parameters           with the peer's settings.
main mode message 5         invalid authentication        Double-check preshared
                            information                   keys and certificates.
aggressive mode message 1   incompatible IKE modes or     Compare IKE attribute policy
                            security parameters           with peer's settings.
aggressive mode message 3   invalid authentication        Double-check preshared
                            information                   keys and certificates.
quick mode message 1        incompatible IPSec security   Compare crypto map entry
                            parameters                    and transform set settings
                                                          with the peer's settings.

Incompatible Security Parameters. When you receive the
NO_PROPOSAL_CHOSEN message, you need to determine which proposal
was incompatible: the proposal sent during IKE phase 1 for the IKE SA or the
proposal sent during IKE phase 2 for the IPSec SA.

A quick way to determine which phase failed is to enter:

ProCurve# show crypto ike sa

If the CLI shows an IKE SA for the connection, you know that it at least
completed IKE phase 1.

You can also scroll through the debug messages looking for signs of the IKE
phase that generated the problems. (See Table 8-25 above.) Look for messages
that repeat several times—for example, "sending main mode message 1"; they
indicate that the router cannot complete the step. Table 8-26 shows other
messages associated with problems in a particular IKE phase.
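
The scan described above can be automated over a saved debug capture. The following Python sketch is an added example, not part of the HP manual: it counts the "sending ... mode message N" lines and maps the most-repeated one to its row in Table 8-25. The sample log lines are constructed, and the min_repeats threshold is an assumed reading of "repeat several times".

```python
import re
from collections import Counter

# Rows of Table 8-25 as (possible problem, best next step)
POLICY = ("incompatible IKE modes or security parameters",
          "Compare IKE attribute policy with the peer's settings.")
AUTH = ("invalid authentication information",
        "Double-check preshared keys and certificates.")
IPSEC = ("incompatible IPSec security parameters",
         "Compare crypto map entry and transform set settings with the peer's settings.")
TABLE_8_25 = {("main", 1): POLICY, ("main", 5): AUTH, ("aggressive", 1): POLICY,
              ("aggressive", 3): AUTH, ("quick", 1): IPSEC}
# Matches the wording quoted on this page ("sending main mode message 1").
SEND_RE = re.compile(r"sending (main|aggressive|quick) mode message (\d+)", re.I)

def diagnose(debug_text, min_repeats=3):
    """Map the most-repeated IKE send to Table 8-25; None if nothing repeats enough."""
    counts = Counter()
    for line in debug_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            counts[(m.group(1).lower(), int(m.group(2)))] += 1
    if not counts:
        return None
    (mode, number), repeats = counts.most_common(1)[0]
    if repeats < min_repeats:  # assumed threshold, not a value from the manual
        return None
    problem, next_step = TABLE_8_25.get(
        (mode, number), ("not listed in Table 8-25", "no step listed"))
    return {
        "message": f"{mode} mode message {number}",
        "repeats": repeats,
        "phase": 2 if mode == "quick" else 1,  # quick mode is IKE phase 2
        "no_proposal_chosen": "NO_PROPOSAL_CHOSEN" in debug_text,
        "problem": problem,
        "next_step": next_step,
    }

# Constructed sample lines; real router debug output carries more detail.
SAMPLE = """\
IKE: sending main mode message 1
IKE: sending main mode message 1
IKE: NO_PROPOSAL_CHOSEN
IKE: sending main mode message 1
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```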


This manual is also suitable for:

Procurve secure router 7102 dl
