Returning Vpn Policies To Their Defaults - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
8-86
You can compare the peer's settings to yours in two ways:
Initiate a connection with the peer and view the debug messages with the
local proposals
View the VPN configurations on the local router for the connection
To view the configuration on the local router, you can view the running-config
as shown above in 8-17. You can also zero in on VPN configurations only by
following these steps:
1. View crypto maps:
ProCurve# show crypto map
Find the map that is set to the peer you are attempting to reach. Pay particular
attention to which transform sets have been assigned to the crypto map entry
used for the connection. You can also compare the PFS group and IPSec SA
lifetime settings with those proposed by the peer.
2. View the transform set:
Syntax: show crypto ipsec transform-set <setname>
For example:
ProCurve# show crypto ipsec transform-set T1
Compare the algorithms in the transform sets used by the crypto map entry
with those proposed by the peer.
If necessary, reconfigure any mismatched IPSec settings by creating a new
transform set or modifying settings in the crypto map entry.

Returning VPN Policies to Their Defaults

It is best to resolve incompatible VPN policies by contacting the remote site
and agreeing upon the settings for both the IKE and IPSec SA. However, if the
connection must go up immediately and you have no way to contact the
remote site, you can return the IKE policy to its defaults in hopes that the peer
is using these default settings.
To return VPN policies to their defaults:
1. Move to the configuration mode context for the IKE policy used to
establish the connection.
2. Create a new attribute policy:
ProCurve(config-crypto-ike)# attribute 90
3. Exit to the global configuration mode context.