Specifications
OmniAccess Reference: AOS-W System Reference
526 Part 031652-00 May 2005
transform: esp-3des esp-sha-hmac
If an initiator IP matches the client’s IP, the client successfully started
IPSec authentication. Otherwise, compare the IKE pre-shared key set with the
crypto isakmp key command against the one set with the vpn-dialer
default-dialer command. The two must match.
On the switch, enter:
(Alcatel6000) #show crypto ipsec sa
Responder IP 10.1.1.158
Initiator IP 10.1.1.103
Initiator cookie 0a6c4974a8538522 Responder cookie dc42860c619f3ac4
Life secs 7200
transform: esp-3des esp-sha-hmac
If an initiator IP matches the client’s IP, the client is successfully doing
IPSec encryption but may have trouble authenticating the actual user (foo).
On the switch, enter:
(Alcatel6000) #show vpdn l2tp pool
IP addresses used in pool vpnaddr
2.2.2.1
1 IPs used - 253 IPs free
If there are no IP addresses free, then you’ve run out of IP addresses for VPN.
If the dialer continues Logging On but then fails, the username/password is
either incorrect or the RADIUS server is unreachable. If you are using an RSA
SecurID, then the user’s ID may have been locked out. Check the RSA SecurID
server.
If the dialer connects, but no traffic goes through from applications, make sure
the inner IP pool is routable. The only way to check this is to sniff between the
router and switch.
NOTE—Just because the switch IP can ping the default router doesn’t mean the
VPN IP pool is routable. Check the router. There may be OSPF or other
issues.
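The checks above can also be applied to captured CLI output. The following Python sketch is an added example, not part of the AOS-W reference: it parses the show crypto ipsec sa and show vpdn l2tp pool listings and applies the page's checks in order. The function names and result strings are illustrative, and the output layout is assumed to be exactly as shown on this page.

```python
import re

# Sample output copied from the listings on this page; all names are illustrative.
SAMPLE_SA = """\
Responder IP 10.1.1.158
Initiator IP 10.1.1.103
Initiator cookie 0a6c4974a8538522 Responder cookie dc42860c619f3ac4
Life secs 7200
transform: esp-3des esp-sha-hmac
"""
SAMPLE_POOL = """\
IP addresses used in pool vpnaddr
2.2.2.1
1 IPs used - 253 IPs free
"""

def parse_ipsec_sas(text):
    """Return one dict per SA; a new SA starts at each 'Responder IP' line."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Responder IP (\S+)$", line):
            sas.append({"responder": m.group(1)})
        elif not sas:
            continue  # ignore anything before the first SA
        elif m := re.match(r"Initiator IP (\S+)$", line):
            sas[-1]["initiator"] = m.group(1)
        elif m := re.match(r"Life secs (\d+)$", line):
            sas[-1]["life_secs"] = int(m.group(1))
        elif m := re.match(r"transform: (.+)$", line):
            sas[-1]["transform"] = m.group(1).split()
    return sas

def parse_pool(text):
    """Return (pool_name, used, free) from 'show vpdn l2tp pool' output."""
    name = re.search(r"used in pool (\S+)", text)
    counts = re.search(r"(\d+) IPs used - (\d+) IPs free", text)
    if not (name and counts):
        raise ValueError("unrecognized pool output")
    return name.group(1), int(counts.group(1)), int(counts.group(2))

def diagnose(client_ip, sa_text, pool_text):
    """Apply the page's checks in order and return the first finding."""
    if not any(sa.get("initiator") == client_ip for sa in parse_ipsec_sas(sa_text)):
        return "no IPSec SA with this client as initiator"
    name, _used, free = parse_pool(pool_text)
    if free == 0:
        return f"pool {name} exhausted: no IP addresses free for VPN"
    return "IPSec and pool OK: check user authentication, then pool routing"
```
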