D-Link DFL-260 Product Manual - Page 439
Chapter 9. VPN

Another example of what to avoid with many tunnels is:

    gw-world:/> ipsectunnels -num=all

In these circumstances, using the option with a small number, for example -num=10, is recommended.

The ikesnoop console command

A common problem with setting up IPsec is a list of proposed algorithms that is unacceptable to the device at the other end of the tunnel. The ikesnoop command is a useful tool for diagnosing incompatible algorithm proposal lists by showing the details of negotiations during tunnel setup. The basic form of this command is:

    gw-world:/> ikesnoop -on -verbose

Once issued, an ICMP ping can then be sent to the NetDefend Firewall from the remote end of the tunnel. This will cause ikesnoop to output details of the tunnel setup negotiation to the console, and any algorithm proposal list incompatibilities can be seen.

If there are multiple tunnels in a setup, or multiple clients on a single tunnel, the output from the verbose option can be overwhelming. It is therefore better to restrict the output to a single tunnel by specifying the IP address of the tunnel's endpoint (this is either the IP of the remote endpoint or a client's IP address). The command takes the form:

    gw-world:/> ikesnoop -on -verbose

Ikesnoop can be turned off with the command:

    gw-world:/> ikesnoop -off

For a more detailed discussion of this topic, see Section 9.4.5, "Troubleshooting with ikesnoop".

9.7.4. Management Interface Failure with VPN

If any VPN tunnel is set up and the management interface then no longer operates, the likely cause is management traffic being routed back through the VPN tunnel instead of the correct interface. This happens when a route is established in the main routing table which routes any traffic for all-nets through the VPN tunnel.
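The following is an added illustration, not code from the D-Link manual or from NetDefendOS: a toy main routing table showing how an all-nets route through a VPN tunnel captures traffic to a management station that is not directly attached, and how the specific route to the management sub-network that this section calls for restores it. All addresses, interface names and metrics are constructed, and the tie-break rule (longest prefix first, then lowest metric) is an assumption made for the example.

```python
"""Added example (not from the D-Link manual or NetDefendOS): why an all-nets
route via a VPN tunnel swallows management traffic, and what a specific route
to the management sub-network does about it. Everything here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str            # outgoing interface, e.g. "lan", "wan", "ipsec_tunnel"
    gateway: Optional[str] = None
    metric: int = 100         # assumption: lower metric wins among equal-length prefixes


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by lowest metric (constructed rule)."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


# Constructed scenario: the management station 10.10.0.5 sits behind a router
# (192.168.1.254) on the lan side, so it is NOT on a directly attached network.
MGMT_HOST = "10.10.0.5"

BASE_TABLE = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "lan"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan", gateway="203.0.113.1", metric=100),
    # Added automatically when a VPN tunnel is defined: all-nets via the tunnel.
    Route(ipaddress.ip_network("0.0.0.0/0"), "ipsec_tunnel", metric=90),
]


def management_interface(table: List[Route]) -> Optional[str]:
    """Which interface replies from the firewall to the management host leave on."""
    r = lookup(table, MGMT_HOST)
    return r.interface if r else None


def with_management_route(table: List[Route]) -> List[Route]:
    """The fix from 9.7.4: a specific route back to the management sub-network
    via the correct interface, which beats either all-nets route on prefix length."""
    fix = Route(ipaddress.ip_network("10.10.0.0/24"), "lan",
                gateway="192.168.1.254", metric=100)
    return table + [fix]


if __name__ == "__main__":
    print("before fix:", management_interface(BASE_TABLE))
    print("after fix: ", management_interface(with_management_route(BASE_TABLE)))
```

Without the specific route both all-nets entries match the management host equally on prefix length, and the tunnel wins on the tie; with the /24 route in place the longer prefix wins regardless of metric, which is why the section advises always adding it.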
If the management interface is not reached by the VPN tunnel, the administrator needs to create a specific route that routes management interface traffic leaving the NetDefend Firewall back to the management sub-network. When any VPN tunnel is defined, an all-nets route is automatically defined in the routing table, so the administrator should always set up a specific route for the management interface to be correctly routed.

9.7.5. Specific Error Messages

This section deals with specific error messages that can appear with VPN and what they indicate. The messages discussed are:

1. Could not find acceptable proposal / no proposal chosen.
2. Incorrect pre-shared key.
3. Ike_invalid_payload, Ike_invalid_cookie.
4. Payload_Malformed.
5. No public key found.
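As an added example tying the ikesnoop discussion above to the first error message in the list (it is not code from the manual or from NetDefendOS), the following models how a responder walks an initiator's proposal list and why a list with no common entry ends in "no proposal chosen". The proposal attributes, the exact-match rule and the sample lists are simplifications constructed for the example; a real negotiation carries more attributes, but the diagnosis an administrator reads out of an ikesnoop -verbose trace is the same: which offered entry fails on which attribute.

```python
"""Added example (not from the D-Link manual or NetDefendOS): proposal-list
matching as an IKE responder performs it, with a per-attribute explanation
of each rejection. Sample proposal lists are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256", "3des"
    integrity: str    # e.g. "sha1", "sha256"
    dh_group: int     # Diffie-Hellman group number, e.g. 2, 5, 14


def choose_proposal(offered: List[Proposal], accepted: List[Proposal]) -> Optional[Proposal]:
    """Return the first offered proposal the responder also accepts, or None
    (the "no proposal chosen" case). The initiator's order expresses its
    preference; every attribute must match exactly, so one stray setting on
    either side is enough to reject an entry."""
    acceptable = set(accepted)
    for p in offered:
        if p in acceptable:
            return p
    return None


def explain_rejections(offered: List[Proposal],
                       accepted: List[Proposal]) -> Dict[Proposal, List[str]]:
    """For each offered proposal, list the attributes the responder supports
    nowhere in its own list (an empty list means the entry is acceptable)."""
    enc = {a.encryption for a in accepted}
    integ = {a.integrity for a in accepted}
    groups = {a.dh_group for a in accepted}
    acceptable = set(accepted)
    report: Dict[Proposal, List[str]] = {}
    for p in offered:
        problems = []
        if p.encryption not in enc:
            problems.append(f"encryption {p.encryption} not supported")
        if p.integrity not in integ:
            problems.append(f"integrity {p.integrity} not supported")
        if p.dh_group not in groups:
            problems.append(f"DH group {p.dh_group} not supported")
        if not problems and p not in acceptable:
            problems.append("attributes supported individually but not in this combination")
        report[p] = problems
    return report


# Constructed sample: the remote initiator offers two proposals and the local
# firewall accepts two; exactly one entry is common to both lists.
REMOTE_OFFER = [Proposal("3des", "md5", 2), Proposal("aes128", "sha1", 5)]
LOCAL_ACCEPT = [Proposal("aes256", "sha256", 14), Proposal("aes128", "sha1", 5)]
# After the shared entry is removed on the local side nothing matches.
LOCAL_ACCEPT_STRICT = [Proposal("aes256", "sha256", 14)]


if __name__ == "__main__":
    print("chosen:", choose_proposal(REMOTE_OFFER, LOCAL_ACCEPT))
    print("chosen after tightening:", choose_proposal(REMOTE_OFFER, LOCAL_ACCEPT_STRICT))
    for prop, why in explain_rejections(REMOTE_OFFER, LOCAL_ACCEPT_STRICT).items():
        print(prop, "->", "; ".join(why) or "acceptable")
```

The practical point for the administrator is the second function: when ikesnoop shows the remote side's list, comparing it attribute by attribute against the local list pinpoints whether the fix is an extra encryption algorithm, a different integrity algorithm, or a matching DH group, rather than guessing.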