Troubleshooting IPsec VPN clients
Are you a traveler or teleworker, trying to bring up an IPsec VPN tunnel to your company's network without success? Here are a few troubleshooting hints:
1) Connect to the Internet and send traffic towards your company's network (for example, ping a server or check email). Use the log viewer on your VPN client or box to see how far you're getting.
2) If you see nothing at all in the log when sending traffic, your client/box is not trying to bring up the tunnel. You probably have an installation problem -- call tech support.
3) If you see log messages like "Initiating IKE Phase 1" followed by "Re-transmitting", requests sent by your VPN client/box to your corporate gateway aren't getting through:
3a) Double-check your client/box configuration to make sure it specifies the right "Identities" for you and your gateway. Identities are often an e-mail address for you, an IP address for your gateway -- but this varies, so use the settings appropriate for your company's VPN.
3b) Make sure you can ping the corporate VPN gateway (or something nearby). If you have a "UDP ping" tool, verify that UDP port 500 traffic gets to the gateway. If ping or UDP ping are not getting all the way through, ping intermediate hops, starting from your end, to figure out where UDP 500 is being blocked.
4) If you see log messages like "Initiating IKE Phase 1" followed by "Hash Payload is incorrect" and "Discarding IKE SA negotiation", your VPN client/box is failing authentication. Double-check your pre-shared secret or digital certificate to make sure they match the settings required by your company.
5) If you see log messages like "Initiating IKE Phase 1" followed by "No Proposal Chosen" and "Discarding IKE SA negotiation", your VPN client/box and corporate gateway have an IKE policy mismatch. Double-check your client/box security parameters (encryption and authentication algorithms) to make sure they match the settings required by your company.
6) If you see log messages like "Established IKE SA", followed by "No Proposal Chosen" and "Discarding IPsec SA negotiation," this indicates an IPsec policy mismatch - see 5) above.
7) If you see log messages like "Loading IPsec SA" or "IKE Phase 2 Completed," but still aren't able to communicate with your mail or other corporate network server, then your tunnel is up but tunneled packets are possibly being blocked, corrupted, or misrouted:
7a) AH or ESP (protocols 50 or 51) may be blocked by a firewall between you and your corporate gateway.
7b) Network/Port Address Translation (NAT/PAT) may be occurring somewhere in that path.
7c) There may be a problem with routing, preventing response packets from tunneling back to you.
If the corporate VPN gateway isn't seeing incoming packets on your tunnel,
you're probably hitting a). If your gateway is discarding incoming packets
to your tunnel, you're probably encountering b). Give your local ISP or DSL/cable provider a call to work out these problems. If the VPN gateway is seeing incoming but not outgoing packets through your tunnel, suspect c) and tell your company's network admin.
These log examples are based on SafeNet's IPsec VPN client -- the client OEM'ed by many VPN equipment suppliers. If your company gave you a different IPsec VPN client or box, the actual text in your log will be different, but this flow (IKE/Phase 1 initiation, IKE/Phase 1 SA, IPsec/Phase 2 SA) and the protocol and port numbers they require are probably the same.
This was first published in October 2001
Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.