The remote party does not have a tunnel configured correctly because:
o The tunnel has not been configured.
o The Phase 1 proposals do not match.
o The secrets do not match.
o The RSA key signatures have been incorrectly configured.
o The Distinguished Name of the remote party has not been configured correctly.
o The Endpoint IDs do not match.
o The remote IP address or DNS hostname has been incorrectly entered.
o The certificates do not authenticate correctly against the CA certificate.
Solution: Ensure that the tunnel settings for the CyberGuard SG appliance and the remote party are configured correctly. Also ensure that both have IPSec enabled and have Internet IP addresses. Check that the CA has signed the certificates.
∙ Symptom: Tunnel is always Negotiating Phase 2
Possible Cause: The Phase 2 proposals set for the CyberGuard SG appliance and the remote party do not match.
The local and remote subnets do not match.
Solution: Ensure that the tunnel settings for the CyberGuard SG appliance and the remote party are configured correctly.
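The Phase 1 and Phase 2 checks above can be run as a side-by-side comparison of both ends' settings. The following is an added example, not part of the original manual or the appliance's software; the field names and sample values are hypothetical and constructed for illustration. It reports which phase a mismatch belongs to and treats endpoint IDs and subnets as mirrored (one end's local value must equal the other end's remote value).

```python
from ipaddress import ip_network

# Hypothetical field names for this example; not the appliance's own setting keys.
SAME = {1: ("phase1_proposal", "auth_method", "secret"), 2: ("phase2_proposal",)}
MIRROR = {1: (("local_endpoint_id", "remote_endpoint_id"),),
          2: (("local_subnet", "remote_subnet"),)}

def _norm(field, value):
    # Compare subnets as networks so /24 and /255.255.255.0 are treated as equal.
    if field.endswith("_subnet") and value is not None:
        return ip_network(value, strict=False)
    return value

def check_tunnel(a, b):
    """Return (phase, message) for each setting that disagrees between ends a and b."""
    findings = []
    for phase in (1, 2):
        for f in SAME[phase]:
            if a.get(f) != b.get(f):
                # Never echo secret values into a report.
                detail = "" if f == "secret" else f": {a.get(f)!r} vs {b.get(f)!r}"
                findings.append((phase, f"{f} differs{detail}"))
        for loc, rem in MIRROR[phase]:
            for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
                if _norm(loc, x.get(loc)) != _norm(rem, y.get(rem)):
                    findings.append(
                        (phase, f"{nx} {loc} {x.get(loc)!r} != {ny} {rem} {y.get(rem)!r}"))
    return findings

def stalls_at(findings):
    """Lowest phase with a mismatch, or None if the settings agree."""
    return min((p for p, _ in findings), default=None)

# Constructed sample settings for two ends of one tunnel.
END_A = {"phase1_proposal": "3des-sha-modp1024", "auth_method": "psk",
         "secret": "constructed-example", "phase2_proposal": "3des-sha",
         "local_endpoint_id": "a@example.com", "remote_endpoint_id": "b@example.com",
         "local_subnet": "192.168.1.0/24", "remote_subnet": "10.0.0.0/24"}
END_B = dict(END_A, local_endpoint_id="b@example.com", remote_endpoint_id="a@example.com",
             local_subnet="10.0.0.0/24", remote_subnet="192.168.1.0/25")  # wrong mask

if __name__ == "__main__":
    result = check_tunnel(END_A, END_B)
    for phase, msg in result:
        print(f"Phase {phase}: {msg}")
    print("Expected to stall at phase:", stalls_at(result))
```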
∙ Symptom: Large packets don't seem to get transmitted
Possible Cause: The MTU of the IPSec interface is too large.
Solution: Reduce the MTU of the IPSec interface.
∙ Symptom: Tunnel goes down after a while
Possible Cause: The remote party has gone down. The remote party has disabled IPSec.
The remote party has disabled the tunnel.
The tunnel on the CyberGuard SG appliance has been configured not to rekey the tunnel.
The remote party is not rekeying correctly with the CyberGuard SG appliance.