D-Link 860 Network Router User Manual


 
If multiple similar or roaming tunnels exist and you want to separate them using ID lists, a
possible cause is that none of the ID lists match the certificate properties of the connecting
user. Either the user is not authorized, the certificate properties on the client are wrong, or the
ID list needs to be updated with this user's information.
With L2TP, a common cause is that the client certificate has been imported into the wrong
certificate store on the Windows client, so the client presents the wrong certificate when it connects.
9.7.6. Specific Symptoms
There are two specific symptoms that will be discussed in this section:
1. The tunnel can only be initiated from one side.
2. The tunnel is unable to be set up and the ikesnoop command reports a config mode XAuth
problem even though XAuth is not used.
1. The tunnel can only be initiated from one side
This is a common problem and is caused by a mismatch in the size of the local or remote network
and/or in the lifetime settings of the proposal list(s).
To troubleshoot this, examine the settings for the local network, remote network, IKE proposal list
and IPsec proposal list on both sides and try to identify a mismatch.
For example, suppose we have the following IPsec settings at either end of a tunnel:
Side A
Local Network = 192.168.10.0/24
Remote Network = 10.10.10.0/24
Side B
Local Network = 10.10.10.0/24
Remote Network = 192.168.10.0/16
In this scenario the remote network defined on Side B is larger than the local network defined on
Side A. This means that only Side A can initiate the tunnel successfully towards Side B, since the
network it proposes is smaller than what Side B has defined. When Side B tries to initiate the tunnel,
Side A rejects it because the proposed network is bigger than what Side A has defined. The reason it
works the other way around is that a smaller network is considered more secure and is therefore
accepted. The same rule applies to the lifetimes in the proposal lists.
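The asymmetry described above can be checked before a tunnel is deployed. The following is an added example, not part of the manual or of NetDefendOS, that models the acceptance rule as the text states it (a proposed network or lifetime is accepted only if it is no larger than the responder's own) and evaluates both initiation directions for the Side A / Side B settings given above; the lifetime values and the 192.168.0.0/16 normalization of "192.168.10.0/16" are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


def net(cidr: str) -> IPv4Network:
    """Parse a network as written in a config; strict=False lets '192.168.10.0/16'
    through and normalizes it to 192.168.0.0/16, as a firewall would store it."""
    return ip_network(cidr, strict=False)


@dataclass(frozen=True)
class TunnelEnd:
    """IPsec settings at one end of a tunnel (values below are the manual's example)."""
    name: str
    local_net: IPv4Network
    remote_net: IPv4Network
    ipsec_lifetime_s: int  # phase-2 lifetime from the IPsec proposal list (constructed)


def responder_accepts(initiator: TunnelEnd, responder: TunnelEnd) -> list[str]:
    """Return the reasons the responder would reject the initiator's phase-2 proposal.
    Empty list means the tunnel can be brought up in this direction.
    Assumed rule, following the manual: a responder accepts a proposed network only if it
    lies inside (or equals) its own configured network, and a proposed lifetime only if
    it is no longer than its own; smaller is treated as more secure and accepted."""
    problems = []
    # The initiator's local network must fit the responder's remote network and vice versa.
    if not initiator.local_net.subnet_of(responder.remote_net):
        problems.append(f"{initiator.name} proposes local {initiator.local_net}, "
                        f"{responder.name} remote network is {responder.remote_net}")
    if not initiator.remote_net.subnet_of(responder.local_net):
        problems.append(f"{initiator.name} proposes remote {initiator.remote_net}, "
                        f"{responder.name} local network is {responder.local_net}")
    if initiator.ipsec_lifetime_s > responder.ipsec_lifetime_s:
        problems.append(f"{initiator.name} proposes lifetime {initiator.ipsec_lifetime_s}s, "
                        f"longer than {responder.name}'s {responder.ipsec_lifetime_s}s")
    return problems


def check_both_directions(a: TunnelEnd, b: TunnelEnd) -> dict[str, list[str]]:
    """Evaluate tunnel setup with each side acting as initiator."""
    return {f"{a.name}->{b.name}": responder_accepts(a, b),
            f"{b.name}->{a.name}": responder_accepts(b, a)}


# Side A and Side B as given in the manual; lifetimes are constructed values.
SIDE_A = TunnelEnd("Side A", net("192.168.10.0/24"), net("10.10.10.0/24"), 3600)
SIDE_B = TunnelEnd("Side B", net("10.10.10.0/24"), net("192.168.10.0/16"), 3600)

if __name__ == "__main__":
    for direction, problems in check_both_directions(SIDE_A, SIDE_B).items():
        print(direction, "OK" if not problems else "REJECTED: " + "; ".join(problems))
```

Running it reports Side A->Side B as OK and Side B->Side A as rejected because 192.168.0.0/16 does not fit inside Side A's 192.168.10.0/24, which is exactly the one-way behaviour the text describes.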
2. Unable to set up with config mode and getting a spurious XAuth message
The underlying reason for this message is "No proposal chosen". It appears when something fails in
terms of network size on either the local network or the remote network. Since NetDefendOS has
determined that it is a network size problem, it makes one last attempt to obtain the correct
network by sending a config mode request.
By running ikesnoop while each side in turn initiates the tunnel, you can compare the networks that
both sides send in phase-2. With that information you should be able to spot the network problem,
whether it is a network size mismatch or networks that do not match at all.
9.7.6. Specific Symptoms Chapter 9. VPN
442