IPsec VPN Troubleshooting

Posted: 18 Jun, 2012 by Knowledge M.
Updated: 12 Nov, 2012 by Knowledge M.
Troubleshooting IPsec VPN connection

1) Connect to the Internet and ping Mettle SE's WAN IP address to confirm basic connectivity. A failed ping does not by itself prove the gateway is unreachable (ICMP is often filtered on the path), so treat it as a hint and confirm with the IKE checks below.

2) If you see nothing at all in the client log when you send traffic that should use the tunnel, the client is not even trying to bring the tunnel up. This is usually an installation problem, or the traffic you sent does not match the tunnel's remote network, so the client has no reason to negotiate.

3) If you see log messages like "Initiating IKE Phase 1" followed by repeated "Re-transmitting", the IKE requests sent by your VPN client are not reaching your corporate gateway (or its replies are not getting back):

3.1) Double-check your client configuration to make sure it specifies the right "Identities" for you and for the gateway. Identities are often an e-mail address for you and an IP address for the gateway, but this varies, so use the settings appropriate for your company's VPN.

3.2) Make sure you can ping Mettle SE. If you have a "UDP ping" tool, verify that UDP port 500 traffic reaches the gateway; if the client is behind a NAT device and both ends support NAT Traversal, UDP port 4500 must get through as well. If ping or UDP ping does not get all the way through, test the intermediate hops, starting from your end, to find where UDP 500 is being blocked.

4) If you see log messages like "Initiating IKE Phase 1" followed by "Hash Payload is incorrect" and "Discarding IKE SA negotiation", your VPN client is failing authentication. Double-check your pre-shared key or digital certificate to make sure it matches the settings in Mettle SE. With a pre-shared key, also check that the identities in 3.1 are correct, since the gateway selects the key by peer identity.

5) If you see log messages like "Initiating IKE Phase 1" followed by "No Proposal Chosen" and "Discarding IKE SA negotiation", your VPN client and Mettle SE have an IKE (Phase 1) policy mismatch. Double-check your client's IKE security parameters (encryption and authentication algorithms, Diffie-Hellman group and SA lifetime) to make sure they match the settings of Mettle SE.

6) If you see log messages like "Established IKE SA" followed by "No Proposal Chosen" and "Discarding IPsec SA negotiation", Phase 1 succeeded but there is an IPsec (Phase 2) policy mismatch. As in step 5, compare the two sides, this time the IPsec parameters: ESP or AH, the encryption and authentication algorithms, the PFS group if enabled, and the SA lifetime.

7) If you see log messages like "Loading IPsec SA" or "IKE Phase 2 Completed" but still cannot communicate with your corporate server, the tunnel is up but the tunnelled packets are being blocked, corrupted or misrouted:

7.1) ESP (IP protocol 50) or AH (IP protocol 51) may be blocked by a firewall between you and your corporate gateway. These are IP protocols, not TCP/UDP ports, so a firewall rule that only allows UDP 500 is not enough.

7.2) Network/Port Address Translation (NAT/PAT) may be occurring somewhere on the path. ESP and AH carry no port numbers, so a PAT device has nothing to translate and will typically drop the packets or deliver them to the wrong host, and AH fails outright because the translated IP header no longer matches its integrity check. This only works if both ends negotiate NAT Traversal, which encapsulates ESP in UDP port 4500.

7.3) There may be a routing problem preventing response packets from being tunnelled back to you, for example the corporate server or gateway has no route for your client's tunnel address via the VPN.

If the VPN gateway is not seeing incoming packets on your tunnel at all, you are probably stuck at 7.1. If the gateway is receiving but discarding incoming packets on your tunnel, you are probably encountering 7.2. Contact your local ISP or DSL/cable provider to work out these two problems. If the VPN gateway is seeing incoming but not outgoing packets through your tunnel, suspect 7.3 and tell your company's network administrator.

The actual text in your VPN log may differ from what is quoted in this Knowledge Base article, but the meaning will be the same.
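The steps above amount to a decision tree over the client log: which messages appear, and in what order. The following script is an added example written for this article (it is not Mettle SE software or a Mettle SE client log format) that encodes that tree: it reads a client log, finds the latest occurrence of each diagnostic message, and reports the matching step and the next check to run. The sample log lines, the gateway address 203.0.113.10 and the interface name eth0 in the suggested tcpdump commands are constructed assumptions; matching is case-insensitive and keyed on the phrases the article quotes, so adjust the patterns to your client's wording.

```python
"""Triage an IPsec VPN client log against the failure patterns in this article.

Added example, not Mettle SE code. Sample log lines, the gateway address
203.0.113.10 and the interface name eth0 are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Diagnosis:
    step: str        # matching step number in the article
    problem: str
    next_check: str  # what to verify next (assumed commands, not Mettle-specific)


NO_LOG = Diagnosis("2", "Client never tried to bring the tunnel up",
                   "Check the client installation and that the traffic matches the tunnel's remote network")
UNREACHABLE = Diagnosis("3", "IKE requests are not reaching the gateway (or replies are not returning)",
                        "Check identities (3.1); ping the gateway; on the gateway run "
                        "tcpdump -ni eth0 'udp port 500 or udp port 4500' while the client retries (3.2)")
AUTH_FAIL = Diagnosis("4", "Authentication failed",
                      "Compare the pre-shared key or certificate, and the identities, with the gateway")
IKE_MISMATCH = Diagnosis("5", "IKE (Phase 1) policy mismatch",
                         "Align encryption/authentication algorithms, DH group and lifetime with the gateway")
IPSEC_MISMATCH = Diagnosis("6", "IPsec (Phase 2) policy mismatch",
                           "Align ESP/AH, algorithms, PFS group and lifetime with the gateway")
TUNNEL_UP = Diagnosis("7", "Tunnel is up but traffic is blocked, NATed or misrouted",
                      "On the gateway run tcpdump -ni eth0 'ip proto 50 or ip proto 51 or udp port 4500'; "
                      "no packets -> 7.1, packets discarded -> 7.2, inbound only -> 7.3")
UNKNOWN = Diagnosis("?", "No recognised failure pattern", "Read the full log by hand")


def _last_match(lines: List[str], pattern: str) -> int:
    """Index of the last line matching pattern, or -1 if none matches."""
    rx = re.compile(pattern)
    idx = -1
    for i, line in enumerate(lines):
        if rx.search(line):
            idx = i
    return idx


def triage(log_lines: Iterable[str]) -> Diagnosis:
    """Map a client log to the article's step using message order, not just presence."""
    lines = [l.strip().lower() for l in log_lines if l.strip()]
    if not lines:
        return NO_LOG
    # Later stages win: a completed Phase 2 is never reported as a Phase 1 failure.
    if _last_match(lines, r"ike phase 2 completed|loading ipsec sa") >= 0:
        return TUNNEL_UP
    no_prop = _last_match(lines, r"no proposal chosen")
    ike_up = _last_match(lines, r"established ike sa")
    if ike_up >= 0 and no_prop > ike_up:        # Phase 1 done, Phase 2 refused
        return IPSEC_MISMATCH
    phase1 = _last_match(lines, r"initiating ike phase 1")
    if phase1 >= 0:                              # failures must follow the Phase 1 attempt
        if no_prop > phase1:
            return IKE_MISMATCH
        if _last_match(lines, r"hash payload is incorrect") > phase1:
            return AUTH_FAIL
        if _last_match(lines, r"re-?transmit") > phase1:
            return UNREACHABLE
    return UNKNOWN


# Constructed sample logs; wording follows the article, real clients differ.
SAMPLE_LOGS = {
    "not_installed": [],
    "blocked_udp500": ["12:00:01 Initiating IKE Phase 1 (IP = 203.0.113.10)",
                       "12:00:06 Re-transmitting...",
                       "12:00:11 Re-transmitting..."],
    "bad_psk": ["12:00:01 Initiating IKE Phase 1 (IP = 203.0.113.10)",
                "12:00:02 Hash Payload is incorrect",
                "12:00:02 Discarding IKE SA negotiation"],
    "ike_mismatch": ["12:00:01 Initiating IKE Phase 1 (IP = 203.0.113.10)",
                     "12:00:02 No Proposal Chosen",
                     "12:00:02 Discarding IKE SA negotiation"],
    "ipsec_mismatch": ["12:00:01 Initiating IKE Phase 1 (IP = 203.0.113.10)",
                       "12:00:02 Established IKE SA",
                       "12:00:03 No Proposal Chosen",
                       "12:00:03 Discarding IPsec SA negotiation"],
    "tunnel_up": ["12:00:01 Initiating IKE Phase 1 (IP = 203.0.113.10)",
                  "12:00:02 Established IKE SA",
                  "12:00:03 Loading IPsec SA",
                  "12:00:03 IKE Phase 2 Completed"],
}

if __name__ == "__main__":
    for name, log in SAMPLE_LOGS.items():
        d = triage(log)
        print(f"{name:15s} -> step {d.step}: {d.problem}\n{'':19s}next: {d.next_check}")
```

Run it as-is to see each sample classified, or replace `SAMPLE_LOGS` with `open("client.log")` to triage a real capture. The ordering checks matter: "No Proposal Chosen" after "Established IKE SA" is a Phase 2 problem (step 6), but the same message directly after "Initiating IKE Phase 1" is a Phase 1 problem (step 5), and a log that ends in "IKE Phase 2 Completed" is never reported as an IKE failure no matter what earlier retries it contains.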