Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that the CyberGuard SG appliance has rekeying enabled. If the tunnel still goes down after a period of time, it may be due to the CyberGuard SG appliance and remote party not recognising the need to renegotiate the tunnel. This situation arises when the remote party is configured to accept incoming tunnel connections (as opposed to initiate tunnel connections) and reboots. The tunnel has no ability to let the other party know that a tunnel renegotiation is required. This is an inherent drawback to the IPSec protocol. Different vendors have implemented their own proprietry method to support the ability to detect whether to renegotiate the tunnel. Dead peet detection has been implemented based on the draft produced by Cisco Systems (draft-ietf-ipsec-dpd-00.txt). Unfortunately, unless the remote party implements this draft, the only method to renegotiate the tunnel is to reduce the key lifetimes for Phase 1 and Phase 2 for Automatic Keying (IKE). This does not occur for Manual Keying.

Symptom: Dead Peer Detection does not seem to be working

Possible Cause: The tunnel has Dead Peer Detection disabled.

The remote party does not support Dead Peer Detection according to draft-ietf-ipsec-dpd-00.txt

Solution: Enable Dead Peer Detection support for the tunnel. Unless the remote party supports draft-ietf-ipsec-dpd-00.txt, Dead Peer Detection will not be used.

Symptom: Tunnels using x.509 certificate authentication do not work

Possible Cause: The date and time settings on the CyberGuard SG appliance has not been configured correctly.

The certificates have expired.

The Distinguished Name of the remote party has not be configured correctly on the CyberGuard SG appliance's tunnel.

The certificates do not authenticate correctly against the CA certificate. The remote party's settings are incorrect.

Solution: Confirm that the certificates are valid. Confirm also that the remote party's tunnel settings are correct. Check the Distinguished Name entry in the the CyberGuard SG appliance's tunnel configuration is correct.

Symptom: Remote hosts can be accessed using IP address but not by name

Possible cause: Windows network browsing broadcasts are not being transmitted through the tunnel.

Solution: Set up a WINS server and use it to have the remote hosts resolve names to IP addresses.

149

Virtual Private Networking

Page 152 Page 154
Page 153
Image 153
SnapGear 2.0.1 user manual Virtual Private Networking
Page 152 Page 154
Top Page Image Contents