Troubleshooting IPSec; IPSec Tips; IPSec Symptoms, Causes, and Solutions - McAfee SG310 Administration Manual

VPN menu features


192.168.3.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuUCgZGemo... =

On the IPSec offload device:

Add the following line to the file /etc/config/sshd_config using the Management Console to ensure changes are saved:

AuthorizedKeysFile /etc/config/authorized_keys

Create the file /etc/config/authorized_keys (or append to it if it already exists) and add into it the contents of /etc/config/id_dsa.pub from this device (the concentrator).

Once the above configuration has been completed successfully, when logged in as root on this device,
running the command ssh hostname should display the hostname of the IPSec offload device without
requiring any passwords or prompts. Until this is configured and behaving as described, IPSec offload
configuration will not allow offloading VPN tunnels.
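The two offload-device steps above (the sshd_config directive and the authorized_keys entry) and the guide's acceptance test, written as shell functions. This is an added example, not code from the McAfee guide: the file paths are the guide's, while the offload device address 192.168.3.2, the root login and the hostname used in the check are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the McAfee guide: prepare and verify the passwordless
# SSH trust that IPSec offload depends on. File paths are the guide's; the offload
# device address (192.168.3.2), the root login and the expected hostname are assumptions.
set -u

# Put "AuthorizedKeysFile <path>" into sshd_config. An existing directive is
# replaced rather than duplicated, so a stale path cannot silently win.
set_authorized_keys_file() {
    cfg="$1"        # e.g. /etc/config/sshd_config
    keyfile="$2"    # e.g. /etc/config/authorized_keys
    [ -f "$cfg" ] || : > "$cfg"
    if grep -q '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$cfg"; then
        tmp="$cfg.tmp.$$"
        sed "s|^[[:space:]]*AuthorizedKeysFile[[:space:]].*|AuthorizedKeysFile $keyfile|" \
            "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    else
        printf 'AuthorizedKeysFile %s\n' "$keyfile" >> "$cfg"
    fi
}

# Append one public key (the contents of the concentrator's /etc/config/id_dsa.pub)
# to authorized_keys, skipping it if that exact line is already present, and keep
# the file private: with StrictModes, sshd refuses a group- or world-writable file.
add_authorized_key() {
    keyfile="$1"
    pubkey="$2"
    [ -f "$keyfile" ] || : > "$keyfile"
    if ! grep -qxF -- "$pubkey" "$keyfile"; then
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
    chmod 600 "$keyfile"
}

# The guide's acceptance test, made strict: BatchMode=yes turns any password or
# host-key prompt into a failure instead of a hang, and the hostname the offload
# device reports must be the one we expect.
check_offload_ssh() {
    host="$1"       # e.g. 192.168.3.2 (assumed address)
    expected="$2"   # hostname the offload device should report (assumed)
    got=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$host" hostname 2>/dev/null) || return 1
    [ "$got" = "$expected" ]
}

# Usage: the first two calls on the offload device (as root), the last from the concentrator.
#   set_authorized_keys_file /etc/config/sshd_config /etc/config/authorized_keys
#   add_authorized_key /etc/config/authorized_keys "$(cat /etc/config/id_dsa.pub)"
#   check_offload_ssh 192.168.3.2 offload1 && echo "offload SSH OK"
```

Run check_offload_ssh before enabling offload: a zero exit status is exactly the "no passwords or prompts" condition the guide requires, and a non-zero one points at the key or known_hosts setup rather than at IPSec. Note that OpenSSH 7.0 and later reject ssh-dss keys by default, which does not affect the appliance's own sshd but matters if the concentrator's id_dsa key is ever pointed at a newer host.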
Troubleshooting IPSec

IPSec tips

• Check the process table. When IPSec is enabled, it should show "pluto" (the IKE daemon) running. Pluto
listens on UDP port 500 (isakmp), and also on UDP 4500 when NAT Traversal is in use. UDP sockets have no
LISTEN state, so look for the bound local port rather than a LISTEN entry:
netstat -na | grep 500
• Use tcpdump to verify traffic. Traffic on the internal interface is unencrypted. On the external interface
you should see UDP 500 (IKE) while the tunnel is being established, then ESP (IP protocol 50) carrying the
encrypted data; or UDP 4500, carrying both IKE and UDP-encapsulated ESP, if NAT-T is negotiated successfully.
• Review the system log. Pluto writes informative entries there.
• Verify the VPN LED is lit when the VPN tunnel is established (this LED applies to all types of VPN tunnels,
not just IPSec).

IPSec symptoms, causes, and solutions

Symptom: IPSec is enabled but not running.
Possible cause: The UTM Firewall appliance has not been assigned a default gateway.
Solution: Ensure the appliance has a default gateway by configuring the Internet connection on the
Connect to Internet page or assigning a default gateway on the IP Configuration page.
Symptom: Tunnel is always down even though IPSec is running and the tunnel is enabled.
Possible causes:
• The tunnel uses Manual Keying and the encryption and/or authentication keys are incorrect.
• The tunnel uses Manual Keying and the appliance's and/or remote party's keys do not match the Cipher
and Hash specified.
Solution: Configure a correct set of encryption and/or authentication keys. Select the Cipher and Hash
the keys were generated for, or change the keys to ones generated for the selected Cipher and Hash.
Symptom: Tunnel is always Negotiating Phase 1.
Possible causes:
• The remote party does not have an Internet IP address (a "No route to host" message is reported in the
system log).
• The remote party has IPSec disabled (a "Connection refused" message is reported in the system log).
• The remote party does not have a tunnel configured correctly because:
McAfee UTM Firewall 4.0.4 Administration Guide, page 309
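The checks in the IPSec tips (process table, bound IKE sockets, capture filter, log review) and the first causes in the symptom list (missing default gateway, the "No route to host" and "Connection refused" log messages) as shell functions. This is an added example, not code from the McAfee guide: each function takes command output as a string so it can be run against captured text, the SAMPLE_* values are constructed to resemble busybox and pluto output rather than taken from a real appliance, and the interface name eth1 in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the McAfee guide: the checks from "IPSec tips" and
# the "symptoms, causes, and solutions" list as shell functions. Each takes command
# output as a string so it can be run against captured text; the SAMPLE_* values
# below are constructed to look like busybox/pluto output, not taken from a real appliance.

# Capture filter for the external interface: IKE on UDP 500, NAT-T on UDP 4500
# (IKE and UDP-encapsulated ESP), and plain ESP (IP protocol 50).
IPSEC_CAPTURE_FILTER='udp port 500 or udp port 4500 or ip proto 50'

# "Check the process table": is the pluto IKE daemon in the ps listing?
pluto_running() {
    printf '%s\n' "$1" | grep -v grep | grep -qw pluto
}

# UDP sockets have no LISTEN state, so in netstat -na a bound IKE socket is just a
# udp line whose local address ends in :500 or :4500. Prints the ports found, e.g. "500 4500".
ike_ports_bound() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^udp/ && $4 ~ /:(500|4500)$/ { sub(/.*:/, "", $4); print $4 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Symptom "IPSec is enabled but not running": the guide's cause is a missing default
# gateway. True if netstat -rn / route -n output contains a 0.0.0.0 (or "default") route.
has_default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" || $1 == "default" { found = 1 } END { exit !found }'
}

# Symptom "always Negotiating Phase 1": map the log messages the guide names to its causes.
diagnose_pluto_log() {
    printf '%s\n' "$1" | grep -i pluto | awk '
        /No route to host/   { print "remote party has no reachable Internet IP address"; next }
        /Connection refused/ { print "remote party has IPSec disabled"; next }'
}

# Live run on the appliance from a root shell (eth1 as the external interface is assumed).
ipsec_quick_check() {
    if pluto_running "$(ps)"; then echo "pluto: running"; else echo "pluto: NOT running"; fi
    echo "IKE UDP ports bound: $(ike_ports_bound "$(netstat -na)")"
    if has_default_gateway "$(netstat -rn)"; then echo "default gateway: present"; else echo "default gateway: MISSING"; fi
    echo "capture with: tcpdump -ni eth1 '$IPSEC_CAPTURE_FILTER'"
}

# Constructed sample output for offline use (not captured from a real appliance).
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
  312 root      1260 S    /usr/sbin/sshd
  418 root      2844 S    pluto --nofork'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:500             0.0.0.0:*
udp        0      0 0.0.0.0:4500            0.0.0.0:*'
SAMPLE_ROUTE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'
SAMPLE_LOG='Jan  1 00:00:01 sg310 pluto[418]: "tunnel1" #1: initiating Main Mode
Jan  1 00:00:04 sg310 pluto[418]: ERROR: "tunnel1" #1: sendto on eth1 to 203.0.113.9:500 failed. Errno 113: No route to host'
```

On the appliance, ipsec_quick_check gives the three answers the tips ask for in one pass; if pluto is running but ike_ports_bound prints nothing, IKE has not bound its sockets and the log is the next place to look, and if the filter captures UDP 500 going out with nothing coming back, the fault is on the remote side or in the path, which is where diagnose_pluto_log's two messages distinguish an unreachable peer from one that has IPSec disabled.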

This manual is also suitable for: SG560, SG560U, SG565, SG580