User manual

Symptom: Tunnel goes down after a while
Possible Cause: The remote party has gone down.
The remote party has disabled IPSec.
The remote party has disabled the tunnel.
The tunnel on the SnapGear unit has been configured not to rekey the tunnel.
The remote party is not rekeying correctly with the SnapGear unit.
Solution: Confirm that the remote party has IPSec and the tunnel enabled and has
an Internet IP address. Ensure that the SnapGear unit has rekeying enabled. If the
tunnel still goes down after a period of time, it may be due to the SnapGear unit and
remote party not recognising the need to renegotiate the tunnel. This situation arises
when the remote party is configured to accept incoming tunnel connections (as
opposed to initiating tunnel connections) and reboots. The tunnel has no ability to let
the other party know that a tunnel renegotiation is required. This is an inherent
drawback of the IPSec protocol. Different vendors have implemented their own
proprietary methods to detect whether the tunnel needs to be renegotiated.
Dead peer detection has been implemented based on the draft produced by Cisco
Systems (draft-ietf-IPSec-dpd-00.txt). Unfortunately, unless the remote party
implements this draft, the only method to renegotiate the tunnel is to reduce the key
lifetimes for Phase 1 and Phase 2 for Automatic Keying (IKE). Rekeying does not occur
with Manual Keying.
Symptom: Dead Peer Detection does not seem to be working
Possible Cause: The tunnel has Dead Peer Detection disabled.
The remote party does not support Dead Peer Detection according to draft-ietf-IPSec-dpd-00.txt.
Solution: Enable Dead Peer Detection support for the tunnel. Do not use Dead Peer
Detection if the remote party does not support draft-ietf-IPSec-dpd-00.txt.
Symptom: Tunnels using x.509 certificate authentication do not work
Possible Cause: The date and time settings on the SnapGear unit have not been
configured correctly.
The certificates have expired.
The Distinguished Name of the remote party has not been configured correctly on the
SnapGear unit’s tunnel.
The certificates do not authenticate correctly against the CA certificate.
The remote party's settings are incorrect.
Solution: Confirm that the certificates are valid. Confirm also that the remote party's
tunnel settings are correct. Check that the Distinguished Name entry in the SnapGear
unit’s tunnel configuration is correct.
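As an added example (not from the SnapGear manual), the three certificate checks in the Solution above expressed as an openssl shell script: expiry against the local clock, the peer's Distinguished Name against the value configured for the tunnel, and the chain against the CA certificate. The throwaway CA, peer certificate, file paths and the DN "CN=branch-gw,O=Example VPN" are constructed here for the demo.

```shell
#!/bin/sh
# Added example, not from the SnapGear manual. Needs the openssl CLI; the
# file names and the peer's DN are constructed for the demo.

# check_peer_cert CA_FILE CERT_FILE EXPECTED_DN
# Runs the three checks from the troubleshooting steps; returns 0 only if all pass.
check_peer_cert() {
  ca="$1"; cert="$2"; want_dn="$3"; rc=0

  # 1. Expiry against this host's clock (a wrong clock fails a good cert too).
  if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "OK   validity: $(openssl x509 -in "$cert" -noout -enddate)"
  else
    echo "FAIL validity: certificate expired, or the local date/time is wrong"; rc=1
  fi

  # 2. Subject DN must equal the DN configured for the remote party (RFC 2253 form).
  got_dn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  if [ "$got_dn" = "$want_dn" ]; then
    echo "OK   DN matches: $got_dn"
  else
    echo "FAIL DN mismatch: configured '$want_dn', certificate has '$got_dn'"; rc=1
  fi

  # 3. Certificate must chain to the CA certificate loaded on the unit
  #    (openssl verify also rejects a not-yet-valid certificate).
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "OK   chain verifies against $ca"
  else
    echo "FAIL chain does not verify against $ca"; rc=1
  fi
  return $rc
}

# Throwaway CA and peer certificate for the demo (constructed, valid for 1 day).
make_demo_pki() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example VPN/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example VPN/CN=branch-gw" \
    -keyout "$dir/peer.key" -out "$dir/peer.csr" 2>/dev/null
  openssl x509 -req -in "$dir/peer.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/peer.pem" 2>/dev/null
}

# Demo: a correct configuration, then the DN typo the manual warns about.
make_demo_pki ./demo-pki
check_peer_cert ./demo-pki/ca.pem ./demo-pki/peer.pem "CN=branch-gw,O=Example VPN"
check_peer_cert ./demo-pki/ca.pem ./demo-pki/peer.pem "CN=branch-gw,O=Example VPN Ltd" || echo "peer rejected (exit $?)"
```

Run the same function against the remote party's certificate and the CA certificate loaded on the unit; a FAIL on the first check while the certificate looks valid elsewhere usually points at the unit's date and time settings.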
Symptom: Remote hosts can be accessed using IP address but not by name
Virtual Private Networking