Allied Telesis AR450S User Manual, Page 20

Configure Microsoft® Windows XP** Virtual Private Network (VPN) client interoperability with NAT-T support
VPN Testing, Verification and Troubleshooting
If your VPN tunnel is not successful, the following troubleshooting notes will help establish the
cause of the problem.
If needed, you may contact your Allied Telesyn distributor or reseller, or your local Allied Telesyn
support desk for assistance.
Testing an IPSec tunnel on your router
This first section looks at troubleshooting your router.
Before starting the verification commands below, recheck your router configuration using the
command sh conf dyn.
The “IP local” IP address is best left at default. If “IP local” is set to an address other than the
default, this may invalidate ISAKMP negotiation. Use the command:
set ip local ip=0.0.0.0
It is good practice to confirm that traffic is being encrypted. A good initial check is to observe the
ISAKMP negotiation entries in the system log using the command sh log. There will be several
phases of negotiation, and they should indicate successful completion. If you can see no negotiation
entries in the log, or if you only see an initial start and no completed phases, this suggests a
configuration error, or that no ISAKMP negotiation was received from the peer. The command
sh fire event shows what traffic has been received from the peer and whether it has been
allowed by the firewall. You may also confirm ISAKMP and IPSec progress with the
sh isakmp sa and sh ipsec sa commands, plus the sh isakmp exchange command.
Confirmation that traffic is actually being encrypted is best seen by using a counter command such
as sh ipsec poli=to_hq count. Every time you send a set of 4 pings, the “outProcessDone”
counters (in the Outbound Packet Processing Counters section) should increment by 4. Also, the
echo reply traffic should cause the “inProcessDone” counters (in the Inbound Packet Processing
Counters section) to increment by 4.
It is important that the IPSec policies are configured in the correct order.
If you have a “permit” IPSec policy with open policy address selectors (intended to allow
unencrypted Internet access), then this policy must be configured last – after the action=ipsec
policies. Otherwise this permit policy will process all traffic and no traffic will be
encrypted. The order of the IPSec policies can be checked by the sh ipsec poli command. In the
output of this command, each policy is assigned a position number.
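
The ordering rule above, as an added example (not from the manual or the router's software): a small Python model that assumes policies are matched in position order with the first match winning, as the paragraph implies. The Policy fields, the CIDR selector notation, the addresses and the policy name internet are hypothetical; to_hq is the policy name used on this page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    position: int   # position number assigned to the policy
    name: str
    action: str     # "ipsec" or "permit"
    remote: str     # remote address selector, CIDR notation (constructed)

def first_match(policies, dst):
    """Return the first policy, in position order, whose selector covers dst."""
    addr = ipaddress.ip_address(dst)
    for p in sorted(policies, key=lambda p: p.position):
        if addr in ipaddress.ip_network(p.remote):
            return p
    return None

def shadowed_ipsec_policies(policies):
    """Names of action=ipsec policies placed after a permit policy
    whose selector already covers their whole remote range."""
    ordered = sorted(policies, key=lambda p: p.position)
    shadowed = []
    for i, p in enumerate(ordered):
        if p.action != "ipsec":
            continue
        net = ipaddress.ip_network(p.remote)
        if any(e.action == "permit"
               and net.subnet_of(ipaddress.ip_network(e.remote))
               for e in ordered[:i]):
            shadowed.append(p.name)
    return shadowed

# Constructed sample policy sets (assumed model, not router output).
WRONG = [Policy(0, "internet", "permit", "0.0.0.0/0"),
         Policy(1, "to_hq", "ipsec", "192.168.1.0/24")]
RIGHT = [Policy(0, "to_hq", "ipsec", "192.168.1.0/24"),
         Policy(1, "internet", "permit", "0.0.0.0/0")]

if __name__ == "__main__":
    for label, pols in (("permit first", WRONG), ("permit last", RIGHT)):
        hit = first_match(pols, "192.168.1.10")
        print(f"{label}: HQ traffic hits {hit.name} ({hit.action}); "
              f"shadowed: {shadowed_ipsec_policies(pols)}")
```

With the permit policy first, traffic for the HQ range never reaches to_hq, which matches the symptom of “outProcessDone” not incrementing.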