User manual
Virtual Private Networking 
235
Solution: Ensure that the tunnel settings for the SG unit and the remote party are configured correctly.
•  Symptom: The tunnel appears to be up and I can ping across it, but HTTP, FTP, SSH, telnet, etc. don't work
Possible Cause: The MTU of the IPSec interface is too large.
Solution: Reduce the MTU of the IPSec interface.
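Small pings succeed because they fit inside the ESP-encapsulated packet, while TCP segments at full size do not. The following is an added example, not code from the SnapGear manual: it computes a safe IPSec interface MTU from the ESP overhead and, optionally, probes the tunnel with DF-set pings to confirm the path MTU. It assumes ESP tunnel mode over IPv4, an explicit IV of one cipher block (AES-CBC 16, 3DES 8), a 12-byte truncated HMAC ICV, optional NAT-T UDP encapsulation, and Linux iputils `ping -M do` for the live probe; none of these values come from the manual.

```python
#!/usr/bin/env python3
"""Added example (not from the SnapGear manual): size an IPsec interface MTU
and find the largest DF-flagged ping payload that crosses the tunnel.
Assumptions: ESP tunnel mode over IPv4, an explicit IV the size of the cipher
block (AES-CBC 16, 3DES 8), a 12-byte truncated HMAC ICV, optional NAT-T."""
import subprocess

IPV4_HDR, UDP_HDR, ICMP_HDR, ESP_TRAILER = 20, 8, 8, 2   # trailer = pad-len + next-header

def ipsec_mtu(outer_mtu=1500, block=16, icv=12, nat_t=False):
    """Largest inner IP packet that still fits outer_mtu after ESP encapsulation.
    ESP pads (inner packet + 2-byte trailer) up to a multiple of the cipher
    block, so take the largest block-aligned region that fits, then drop the
    trailer to get the usable inner size."""
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + 4 + 4 + block + icv  # SPI, seq, IV, ICV
    room = outer_mtu - fixed                 # bytes left for inner + pad + trailer
    return room - room % block - ESP_TRAILER

def largest_passing_payload(probe, lo=0, hi=1472):
    """Binary search for the biggest ICMP payload `probe` accepts.
    probe(size) -> True when a DF-set ping with that payload gets a reply.
    Assumes monotonic behaviour: if size N passes, every smaller size passes."""
    if not probe(lo):
        raise RuntimeError("even the smallest probe failed: tunnel or host down")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def path_mtu_from_payload(payload):
    """Convert an ICMP echo payload size to the IP packet size it produced."""
    return IPV4_HDR + ICMP_HDR + payload

def ping_df_probe(host):
    """Real probe for Linux iputils ping: -M do sets DF and refuses to fragment."""
    def probe(size):
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(size), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

if __name__ == "__main__":
    import sys
    print("recommended IPsec MTU (AES-CBC, no NAT-T):", ipsec_mtu())
    print("recommended IPsec MTU (AES-CBC, NAT-T):   ", ipsec_mtu(nat_t=True))
    if len(sys.argv) > 1:   # e.g. ./mtu_check.py 10.0.1.1  (a host behind the tunnel)
        best = largest_passing_payload(ping_df_probe(sys.argv[1]))
        print("largest DF payload:", best, "=> path MTU", path_mtu_from_payload(best))
```

If the measured path MTU is below the value the SG unit's IPSec interface is set to, lower the interface MTU to the measured figure so TCP MSS negotiation picks a segment size that fits.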
•  Symptom: Tunnel goes down after a while
Possible Cause: The remote party has gone down.
The remote party has disabled IPSec.
The remote party has disabled the tunnel.
The tunnel on the SG unit has been configured not to rekey the tunnel.
The remote party is not rekeying correctly with the SG unit.
Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that the SG unit has rekeying enabled. If the tunnel still goes down after a period of time, it may be due to the SG unit and remote party not recognising the need to renegotiate the tunnel. This situation arises when the remote party is configured to accept incoming tunnel connections (as opposed to initiate tunnel connections) and reboots. The tunnel has no ability to let the other party know that a tunnel renegotiation is required. This is an inherent drawback of the IPSec protocol. Different vendors have implemented their own proprietary methods to detect whether the tunnel needs to be renegotiated. Dead peer detection has been implemented based on the draft produced by Cisco Systems (draft-ietf-ipsec-dpd-00.txt). Unfortunately, unless the remote party implements this draft, the only method to renegotiate the tunnel is to reduce the key lifetimes for Phase 1 and Phase 2 for Automatic Keying (IKE). This does not occur for Manual Keying.
•  Symptom: Dead Peer Detection does not seem to be working
Possible Cause: The tunnel has Dead Peer Detection disabled.
The remote party does not support Dead Peer Detection according to draft-ietf-ipsec-dpd-00.txt.
Solution: Enable Dead Peer Detection support for the tunnel. Do not use Dead Peer Detection if the remote party does not support draft-ietf-ipsec-dpd-00.txt.
•  Symptom: Tunnels using x.509 certificate authentication do not work
Possible Cause: The date and time settings on the SG unit have not been configured correctly.
The certificates have expired.
The Distinguished Name of the remote party has not been configured correctly on the SG unit's tunnel.
The certificates do not authenticate correctly against the CA certificate.