
 

IPSec

Can IPSEC be configured between two computers via Internet
Can't ping remote computer even Linksys router displays "Connect"
How many IPSec tunnels BEFVP41 supports
How to setup Windows IPsec client
IPSec PolicyAgent Service couldn't be started - Event ID 319
IPSec name resolution issue
Flags are outbound only on IPSec Tunnels

How to use Ipsecmon to view the policies of IPSec/L2TP
How to use Netdiag to view the policies of IPSec/L2TP

Negotiating IP Security and never receive Reply
Other computers can't ping remote computers
The ports need to open for IPSec
Time out when using ping command
Troubleshooting IPSec

Can't ping remote computer even Linksys router displays "Connect"

Symptom:
You have set up two Linksys routers as a gateway-to-gateway VPN. Both routers display the VPN status as "Connect". However, you can't ping the remote computer by name or by IP address, and the log doesn't list any errors.

Causes: 1. Incorrect Secure Group settings (the local and remote subnets each router protects must be the mirror of the other side's).
2. Incorrect Dynamic Routing setting (Gateway mode or Router mode).

How many IPSec tunnels BEFVP41 supports

Most Linksys routers terminate only one IPSec connection at any given time. However, they allow up to 70 IPSec tunnels to pass through the router (IPSec pass-through).

How to setup Windows IPsec client

To set up the Windows IPSec client on Windows 2000/XP, run MMC, add the IP Security Policy Management snap-in, and right-click it to create a new IP Security policy with its IP filter list and filter action. Make sure the server and client use matching settings: IP subnets, tunnel endpoint addresses, security methods and authentication method (pre-shared key, certificate or Kerberos). For consulting service, contact a consultant.

For consultants, refer to the IPSec issue page.

IPSec name resolution issue

Symptom: you set up IPSec to connect two LANs, and the computers can ping each other by IP address but not by name.

Cause: this is a name resolution issue, not an IPSec issue. Check the DNS and WINS settings on both sides; hosts on one LAN need a DNS or WINS server that can resolve names on the other LAN.

For consultants, refer to case 110704RL.

IPSec PolicyAgent Service couldn't be started - Event ID 319

Cause: a third-party IPSec policy service is running and conflicts with the Windows IPSEC Policy Agent. For consultants, please refer to TK082004.

Flags are outbound only on IPSec Tunnels

Symptoms: When you use the netdiag /test:ipsec /debug command to test IPSec settings on Windows 2000/XP, you may see two Outbound flags on the tunnel rules instead of one Inbound and one Outbound.

Resolution: check the tunnel endpoints. In tunnel mode each of the two rules needs its own endpoint: the rule for local-to-remote traffic ends at the remote gateway's address, and the mirrored rule for remote-to-local traffic ends at the local gateway's address. Giving both rules the remote gateway's address produces two outbound rules and no inbound one.

How to use Ipsecmon to view the policies of IPSec/L2TP

With an active IPSec/L2TP connection, you can use the Ipsecmon utility to view the policies that are in effect. For example, you may see items similar to the following sample output for a default L2TP/IPSec connection (client-to-server or server-to-server):

Policy name: L2TP Rule
Security: ESP DES/CBC HMAC MD5
Filter name: No Name - Mirror
Source address: IP address or name of computer
Dest. address: IP address or name of computer
Protocol: UDP
Src. port: 1701
Dest. port: 0
Tunnel endpoint: <none>

Note that DES and MD5, shown in this sample, are weak by today's standards; use 3DES/SHA1, the strongest combination these platforms offer, wherever the peer supports it.
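The following checks are added here as an example and are not code from this page. They encode the rules from "How to setup Windows IPsec client" and "Flags are outbound only on IPSec Tunnels": both peers must agree on security method and authentication, each tunnel rule must terminate at the correct gateway, and the DES/MD5 defaults in the listing above get flagged. The gateway addresses, subnets and the dictionary field names are this example's own assumptions, loosely modelled on the fields Ipsecmon and netdiag display.

```python
"""Consistency check for a Windows 2000/XP site-to-site IPSec tunnel policy.

Added example, not code from the ChicagoTech page.  The rule dictionaries
are a constructed representation of the fields Ipsecmon and netdiag
display (source, destination, tunnel endpoint, security method); the
key names are this example's own.
"""
import ipaddress

# Algorithms flagged as weak.  DES and MD5 are the defaults in the sample
# Ipsecmon output; 3DES and SHA1 are the strongest these platforms offer.
WEAK_ALGOS = {"DES", "MD5"}


def weak_algorithms(security):
    """Return weak algorithm names in a security method string such as
    'ESP DES/CBC HMAC MD5'.  Whole tokens only, so '3DES' is not 'DES'."""
    tokens = security.replace("/", " ").upper().split()
    return sorted(a for a in WEAK_ALGOS if a in tokens)


def mismatched_settings(side_a, side_b, keys=("security", "auth")):
    """Settings that differ between the two peers; IKE fails on any of them."""
    return [k for k in keys if side_a.get(k) != side_b.get(k)]


def check_tunnel_rules(local_gw, remote_gw, local_net, remote_net, rules):
    """Validate the two rules of a tunnel-mode policy as seen from one site.

    The rule carrying local->remote traffic must end at the remote gateway
    and the mirrored remote->local rule at the local gateway.  Pointing both
    at the remote gateway is the mistake that makes netdiag report two
    Outbound flags and no Inbound one.  Returns a list of problem strings.
    """
    local_net = ipaddress.ip_network(local_net)
    remote_net = ipaddress.ip_network(remote_net)
    problems = []
    seen = {"outbound": False, "inbound": False}
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        endpoint = rule["endpoint"]
        if (src, dst) == (local_net, remote_net):
            seen["outbound"] = True
            if endpoint != remote_gw:
                problems.append(f"outbound rule {src}->{dst} ends at {endpoint}, "
                                f"expected remote gateway {remote_gw}")
        elif (src, dst) == (remote_net, local_net):
            seen["inbound"] = True
            if endpoint != local_gw:
                problems.append(f"inbound rule {src}->{dst} ends at {endpoint}, "
                                f"expected local gateway {local_gw}")
        else:
            problems.append(f"rule {src}->{dst} matches neither direction")
    problems.extend(f"missing {d} rule" for d, ok in seen.items() if not ok)
    return problems


# Constructed site-to-site layout: two LANs behind two gateways.
LOCAL_GW, REMOTE_GW = "203.0.113.1", "198.51.100.1"
LOCAL_NET, REMOTE_NET = "192.168.1.0/24", "192.168.2.0/24"

GOOD_RULES = [
    {"src": LOCAL_NET, "dst": REMOTE_NET, "endpoint": REMOTE_GW},
    {"src": REMOTE_NET, "dst": LOCAL_NET, "endpoint": LOCAL_GW},
]
# Both endpoints set to the remote gateway: the "two Outbound flags" case.
BAD_RULES = [
    {"src": LOCAL_NET, "dst": REMOTE_NET, "endpoint": REMOTE_GW},
    {"src": REMOTE_NET, "dst": LOCAL_NET, "endpoint": REMOTE_GW},
]
# Constructed peer settings: the client still proposes the DES/MD5 defaults.
CLIENT = {"security": "ESP DES/CBC HMAC MD5", "auth": "Preshared key"}
SERVER = {"security": "ESP 3DES/CBC HMAC SHA1", "auth": "Preshared key"}

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_tunnel_rules(LOCAL_GW, REMOTE_GW, LOCAL_NET, REMOTE_NET, rules))
    print("mismatch:", mismatched_settings(CLIENT, SERVER))
    print("weak:", weak_algorithms(CLIENT["security"]))
```

Run it before touching the registry or the Oakley log: a reported mismatch or a wrong endpoint explains a failed Main Mode or Quick Mode without any packet capture.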

How to use Netdiag to view the policies of IPSec/L2TP

Even without an active IPSec/L2TP connection, you can use netdiag to view the assigned IPSec/L2TP policy, for example: netdiag /test:ipsec /debug.

Note: The Netdiag tool is available after installing the Windows Support Tools package. This package is located in the Support\Tools folder on the Windows CD-ROM. After you install this package, Netdiag is located in the Program Files\Support Tools folder.

Negotiating IP Security and never receive Reply

Symptom: After creating an IPSec policy, you see "Negotiating IP Security" when you ping the remote computer's IP address, and you never receive a reply.

Cause: 1. Incorrect tunnel settings.
2. A NAT device or firewall blocks the traffic (IKE on UDP port 500, or ESP and AH, IP protocols 50 and 51).

For consultants, refer to 101404RL

Other computers can't ping remote computers

Symptom: after creating a site-to-site IPSec connection, you can ping the remote computers from the IPSec-enabled computer but not from the other computers on the LAN.

Resolution: the other computers send traffic for the remote subnet to their default gateway, which knows nothing about the tunnel. Add a route for the remote subnet that points at the IPSec-enabled computer, either on each computer or on the default gateway.

For consultants, refer to 101404RL

The ports need to open for IPSec

IP protocol 50 (ESP) and IP protocol 51 (AH), and UDP port 500 (IKE). If either end sits behind NAT, UDP port 4500 (IKE NAT-T) is also required, since ESP itself cannot pass through NAT without NAT-T.

Time out when using ping command

Symptom 1: Your Windows IPSec client is set up correctly, and you can ping the remote IP of the VPN when no Cisco PIX firewall is in the path. From a computer behind the PIX, pinging the remote IP of the VPN times out.

Cause 1: the PIX may use the same IP pool as the subnet of the remote VPN.

Symptom 2: You connect to a VPN and are assigned 192.168.1.2. Pinging the remote computer from the IPSec client times out.

Cause 2: the IPSec policy uses the same IP range, 192.168.1.0, as the local network, so the traffic never enters the tunnel. Un-assigning the IPSec policy disables IPSec.

Symptom 3: After creating an IPSec policy, pinging the remote computer times out.

Cause 3: incorrect IP filter list or other IPSec settings.

For consultants, refer to 101404RL
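The two causes above that have nothing to do with the tunnel itself, an address range that overlaps the local LAN ("Time out when using ping command") and a LAN workstation with no route for the remote subnet ("Other computers can't ping remote computers"), can be checked before any IPSec troubleshooting. The script below is an added example, not code from this page; the subnets, VPN pool and routing table are constructed, and the 0.0.0.0 gateway convention for on-link routes follows the output of route print.

```python
"""Pre-flight checks before blaming the tunnel: overlapping address ranges
and a workstation with no route for the remote LAN.

Added example, not code from the ChicagoTech page.  The subnets, VPN pool
and routing table below are constructed.
"""
import ipaddress


def overlapping_ranges(local_net, remote_net, pool=None):
    """Return pairs of names whose address ranges overlap.

    If the remote LAN or the VPN address pool overlaps the local LAN, the
    host treats remote addresses as on-link, ARPs for them locally and the
    ping times out instead of entering the tunnel.
    """
    nets = {"local": ipaddress.ip_network(local_net),
            "remote": ipaddress.ip_network(remote_net)}
    if pool is not None:
        nets["pool"] = ipaddress.ip_network(pool)
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def next_hop(routes, destination):
    """Longest-prefix match over a routing table given as (network, gateway)
    pairs.  The gateway '0.0.0.0' stands for an on-link destination, as in
    the output of 'route print'.  Returns None when nothing matches."""
    dest = ipaddress.ip_address(destination)
    best = None
    for network, gateway in routes:
        net = ipaddress.ip_network(network)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else best[1]


def reaches_via_ipsec_host(routes, remote_host, ipsec_host):
    """True when this computer hands traffic for remote_host to the
    IPSec-enabled computer rather than to its Internet default gateway."""
    return next_hop(routes, remote_host) == ipsec_host


# Constructed routing table of an ordinary LAN workstation.
DEFAULT_GW = "192.168.1.1"     # Internet router, knows nothing of the tunnel
IPSEC_HOST = "192.168.1.10"    # the computer that terminates the IPSec tunnel
ROUTES_BEFORE = [
    ("0.0.0.0/0", DEFAULT_GW),
    ("192.168.1.0/24", "0.0.0.0"),
]
# Same table after running, on the workstation:
#   route add 192.168.2.0 mask 255.255.255.0 192.168.1.10
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.2.0/24", IPSEC_HOST)]

if __name__ == "__main__":
    print("overlap:", overlapping_ranges("192.168.1.0/24", "192.168.2.0/24",
                                         pool="192.168.1.0/24"))
    print("before:", next_hop(ROUTES_BEFORE, "192.168.2.5"))
    print("after: ", next_hop(ROUTES_AFTER, "192.168.2.5"))
```

An overlap can only be fixed by renumbering one side (or the VPN pool); a missing route is fixed with route add on each workstation, or with a single static route on the default gateway pointing the remote subnet at the IPSec-enabled computer.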

Troubleshooting IPSec

1. Audit Policy: To troubleshoot IPSec when it does not behave the way you expect, first check the results of the Phase One (Main Mode) and Phase Two (Quick Mode) exchanges by enabling Audit Policy (audit logon events, success and failure), which causes the IKE security events to be logged in the security log of Event Viewer.
2. Netdiag: run netdiag /test:ipsec /debug. If both filters of a tunnel show Outbound, or both show Inbound, check the tunnel settings.
3. If the logged events indicate that the Phase One Main Mode exchange is failing, do both of the following: 1) Check the IKE settings in your IPSec policy properties: click the General tab, click Advanced, and then click Methods. 2) Check the configured IKE authentication methods in your IPSec policy properties: select the IP Security rule you want to check, click Edit, and then click the Authentication Methods tab. The key exchange settings and the authentication method must match on both peers.
4. If the logged events indicate that Phase Two Quick Mode is failing, check the IPSec security methods configured on your IPSec rules in your IPSec policy properties: select the IP Security rule you want to check, click Edit, click the Filter Action tab, select the filter action that is enabled, and then click Edit. Quick Mode also fails when the filter lists of the two peers do not mirror each other.
5. IP Security Monitor: IP Security Monitor can be used to monitor SAs and IPSec and IKE statistics. To start it, click Start, click Run, and then type ipsecmon.
6. Oakley Log: To enable the Oakley log, use Registry Editor to locate the following key, and create it if it does not exist:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named EnableLogging with a value of 1 to this key, then restart the IPSEC Policy Agent service (or reboot) for the change to take effect. The Oakley.log file is created in the %SystemRoot%\debug folder and records the IKE proposals sent and received, so it shows which parameter the peer rejected. NOTE: A value of 0 for EnableLogging disables logging; turn it off again when you are done, as the log grows with every negotiation.
7. Check the VPN server log.

 


This web is provided "AS IS" with no warranties.
Copyright © 2002-2018 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.