Comparing Vpn Policies - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual


Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
To change the initiate mode for IKE, move to the IKE policy configuration
mode context and enter:

Syntax: initiate [main | aggressive]

Invalid Authentication Information. If IKE sends or receives main mode
message 5 again and again, it is unable to authenticate the peer. Check the
preshared key for the peer in the running-configuration:

ProCurve# show running-config

If you are using digital certificates, you should verify that your certificate is
up to date and valid. You might also need to change your CRL. See "Managing
Certificates" on page 8-61 for more information on viewing and deleting digital
certificates.

Comparing VPN Policies

Depending on where you discovered IKE negotiations breaking down, you
should check configurations for:

IKE policies (IKE phase 1)
transform sets (IKE phase 2)
crypto maps (IKE phase 2)

Comparing IKE Policies. All security parameters should match the peer's.
If possible, have your peer attempt to initiate a VPN connection with the local
router. You can then find the settings proposed by the peer in the debug
messages.

When viewing debug messages, first determine whether the proposals are
those of the local or the remote peer. Figure 8-15 shows sample debug
messages that display when the local router initiates IKE with the peer. If the
peer had initiated IKE, the first debug message would have read:

Received first message of main mode

Scroll through the debug messages until you see the message for the relevant
IKE phase: "IANA: for proposal ISAKMP" (phase 1). (See Figure 8-15.)

An ISAKMP proposal is the proposal for the IKE SA. In the debug messages,
look underneath the proposal message for the TRANSFORM ATTRIBUTES.
These are the security proposals. Each proposal includes six attributes,
marked "SA Attrib." The actual setting for the attribute is shown below as the
"Value."
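
The comparison described above can be scripted once the debug output has been saved to a file. The following is an added example, not code from the manual or from ProCurve: the exact line layout, the attribute names and values in the sample, and the function names are assumptions based only on the description of "SA Attrib" lines with a "Value" line below each.

```python
import re

# Constructed sample, NOT captured from a router. The layout (an "SA Attrib"
# line with its "Value" on the line below) follows the manual's description;
# the separators, attribute names and values are assumptions.
SAMPLE_DEBUG = """\
IANA: for proposal ISAKMP
TRANSFORM ATTRIBUTES
SA Attrib: Encryption Algorithm
Value: 3DES-CBC
SA Attrib: Hash Algorithm
Value: SHA
SA Attrib: Authentication Method
Value: Pre-shared key
SA Attrib: Group Description
Value: 2
SA Attrib: Life Type
Value: seconds
SA Attrib: Life Duration
Value: 28800
"""

def parse_isakmp_proposal(debug_text):
    """Return {attribute: value} for the first ISAKMP (phase 1) proposal."""
    attrs, current, in_proposal = {}, None, False
    for line in debug_text.splitlines():
        line = line.strip()
        if "for proposal" in line:
            if in_proposal:
                break  # a later proposal begins; keep only the first
            in_proposal = "ISAKMP" in line
        elif in_proposal:
            m = re.match(r"(SA Attrib|Value)\s*:?\s*(.+)", line)
            if m and m.group(1) == "SA Attrib":
                current = m.group(2)
            elif m and current:
                attrs[current] = m.group(2)  # the Value sits below its attribute
                current = None
    return attrs

def compare_policy(local, peer):
    """Return (attribute, local, peer) for every setting that differs."""
    def norm(v):
        return str(v).strip().lower()
    return [(k, local.get(k), peer.get(k))
            for k in sorted(set(local) | set(peer))
            if norm(local.get(k)) != norm(peer.get(k))]

# Hypothetical local IKE policy, copied by hand from the running-config.
LOCAL_POLICY = {**parse_isakmp_proposal(SAMPLE_DEBUG),
                "Hash Algorithm": "MD5", "Group Description": "1"}
```

Every tuple returned by `compare_policy` is a phase 1 setting to correct on one side, since all six attributes should match the peer's.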
