Billion BiGuard VPN Client
Chapter 5: Troubleshooting
No response to phase 2 requests
120348 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120349 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
Check the algorithms and the phase 2 identities (“Local address” and “Network address”). Some
of these settings do not match between the VPN Client and the VPN gateway.
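As an added example (not part of the original manual), the following script scans a saved client log for this symptom: a phase 2 SA whose Quick Mode requests are sent repeatedly with no reply. The `RECV` line format, the threshold of 3 and the second tunnel name `CnxVpn2` are assumptions made for the example.

```python
import re

# Constructed sample in the client's log format, with some entries wrapped onto
# a second line. The RECV line is an assumed format for a gateway reply.
SAMPLE_LOG = """\
120348 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE]
[ID] [ID]
120349 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE]
[ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE]
[ID] [ID]
120352 Default (SA CnxVpn2-CnxVpn2-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120352 Default (SA CnxVpn2-CnxVpn2-P2) RECV phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
"""

ENTRY = re.compile(
    r"\d+ \S+ \(SA (?P<sa>[^)]+)\) (?P<dir>SEND|RECV) phase 2 Quick Mode"
)


def join_wrapped(text):
    """Re-attach continuation lines (e.g. '[ID] [ID]') to the entry they belong to."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"\d+ ", line) or not entries:
            entries.append(line)   # a new entry starts with a numeric stamp
        else:
            entries[-1] += " " + line
    return entries


def unanswered_phase2(text, threshold=3):
    """Return {SA name: count} for SAs whose last `threshold` or more phase 2
    requests were sent without any reply being logged afterwards."""
    streak = {}
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        # Any reply resets the counter; each further SEND extends the streak.
        streak[m["sa"]] = 0 if m["dir"] == "RECV" else streak.get(m["sa"], 0) + 1
    return {sa: n for sa, n in streak.items() if n >= threshold}


if __name__ == "__main__":
    for sa, n in unanswered_phase2(SAMPLE_LOG).items():
        print(f"{sa}: {n} phase 2 requests sent with no reply")
```

An SA reported here is the one whose algorithms and phase 2 identities should be compared against the gateway configuration.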
I clicked on “Open tunnel”, but nothing happens.
Read the logs of each VPN tunnel endpoint. IKE requests can be dropped by firewalls. An IPSec
Client uses UDP port 500 and protocol ESP (protocol 50).
The VPN tunnel is up but I can’t ping!
If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines:
1. Check the Phase 2 settings: VPN Client address and Remote LAN address. Usually, the VPN Client
IP address should not belong to the remote LAN subnet.
2. Once the VPN tunnel is up, packets are sent with the ESP protocol. This protocol can be blocked by
a firewall. Check that every device between the client and the VPN server accepts ESP.
3. Check your VPN server logs. Packets can be dropped by one of its firewall rules.
4. Check that your ISP supports ESP.
5. If you still cannot ping, follow the ICMP traffic on the VPN server LAN interface and on the LAN
computer interface (with Ethereal, for example). You will have an indication that encryption
works.
6. Check the “default gateway” value in the VPN Server LAN. A target on your remote LAN can
receive pings but not answer because it has no “Default gateway” setting.
7. You cannot access the computers in the LAN by their name. You must specify their IP
address inside the LAN.
We recommend that you install Ethereal (http://www.ethereal.com) on one of your target computers.
You can then check that your pings arrive inside the LAN.