Troubleshooting VPN
From Tech-Wiki
Revision as of 16:43, 7 April 2019 by Fabricio.Lima (Talk | contribs)
Review the encryption domains and make sure that only one IP address matches the remote peer (overlapping domains are a common cause of a peer being matched by the wrong tunnel); also refer to the following SK:
In summary:
vpn debug trunc
vpn debug ikeon
vpn debug on TDERROR_ALL_ALL=5
vpn tu (delete all IPsec+IKE SAs for the given peer / GW, then reproduce the problem so the new negotiation is captured)
vpn debug ikeoff
vpn debug off
vpn debug truncoff
Collect the files:
$FWDIR/log/vpnd.elg
$FWDIR/log/ike.elg
Additional debug detail might be required; run vpn debug mon (and vpn debug moff to stop), which writes $FWDIR/log/ikemonitor.snoop containing the IKE payloads in plain text (decrypted). Treat that file as sensitive and remove it once the case is closed.
If you are experiencing connectivity issues (no IKE packets reaching or leaving the gateway), capture IKE (UDP 500) and NAT-T (UDP 4500) traffic with: fw monitor -e "accept port(500) or port(4500);" -o /var/log/fw_monitor.cap
Also check the egress interface: by default the gateway uses its main IP address (the one defined on the gateway object) as the IKE source, which may not be the interface you expect. This can be adjusted in the gateway object properties under IPsec VPN - Link Selection - Source IP address settings - Manual - IP address of chosen interface.
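The capture from the fw monitor command above is the quickest way to confirm which source IP the gateway actually used toward a peer before touching Link Selection. The following is an added example, not part of the original page or of any Check Point tool: a small parser for snoop-format (RFC 1761) captures that pulls out the IKE/NAT-T packets and groups the local source IPs seen per peer. It assumes the capture is a snoop file with Ethernet framing (the format fw monitor -o writes on the releases I have seen); the addresses (203.0.113.1 as the main IP, 198.51.100.2 as a second interface, 192.0.2.50 as the peer) and the packets themselves are constructed inline so the script runs offline.

```python
"""Pull IKE (UDP/500) and NAT-T (UDP/4500) flows out of a snoop-format capture
and report which local source IP the gateway used toward each peer.

Added example for this wiki page; not Check Point code. Assumes an RFC 1761
snoop file with Ethernet frames, which is what fw monitor -o writes."""
import struct
from collections import defaultdict

SNOOP_MAGIC = b"snoop\x00\x00\x00"
DL_ETHERNET = 4           # snoop datalink type for Ethernet
IKE_PORTS = {500, 4500}   # IKE and NAT-T


def snoop_file(frames):
    """Build a snoop file from raw Ethernet frames (constructed test data only)."""
    out = [SNOOP_MAGIC, struct.pack(">II", 2, DL_ETHERNET)]
    for i, frame in enumerate(frames):
        pad = (-len(frame)) % 4                      # records are 4-byte aligned
        rec_len = 24 + len(frame) + pad              # 24-byte record header
        out.append(struct.pack(">IIIIII", len(frame), len(frame), rec_len, 0, 1000 + i, 0))
        out.append(frame + b"\x00" * pad)
    return b"".join(out)


def udp_frame(src, dst, sport, dport, payload=b""):
    """Ethernet/IPv4/UDP frame with zero checksums (never transmitted)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + udp


def parse_snoop(data):
    """Yield (src, dst, proto, sport, dport) for every IPv4 packet in the capture."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop capture")
    _version, linktype = struct.unpack(">II", data[8:16])
    if linktype != DL_ETHERNET:
        raise ValueError("unsupported snoop link type %d" % linktype)
    off = 16
    while off + 24 <= len(data):
        _orig, incl, rec_len, _drops, _sec, _usec = struct.unpack(">IIIIII", data[off:off + 24])
        frame = data[off + 24:off + 24 + incl]
        off += rec_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport = dport = None
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:         # TCP/UDP carry ports first
            sport, dport = struct.unpack(">HH", l4[:4])
        yield src, dst, proto, sport, dport


def ike_sources(data):
    """Map destination IP -> set of source IPs that sent IKE/NAT-T to it."""
    seen = defaultdict(set)
    for src, dst, proto, sport, dport in parse_snoop(data):
        if proto == 17 and (sport in IKE_PORTS or dport in IKE_PORTS):
            seen[dst].add(src)
    return dict(seen)


def check_source_ip(data, expected_src, peer):
    """True when every IKE/NAT-T packet toward `peer` left from `expected_src`."""
    return ike_sources(data).get(peer, set()) == {expected_src}


# Constructed capture: the gateway talks IKE to the peer from its main IP,
# the peer answers, and an unrelated DNS query is mixed in as noise.
SAMPLE = snoop_file([
    udp_frame("203.0.113.1", "192.0.2.50", 500, 500, b"\x00" * 28),
    udp_frame("192.0.2.50", "203.0.113.1", 500, 500, b"\x00" * 28),
    udp_frame("203.0.113.1", "192.0.2.50", 4500, 4500, b"\x00" * 4),
    udp_frame("203.0.113.1", "203.0.113.53", 41234, 53, b"\x00" * 12),
])

if __name__ == "__main__":
    for peer, sources in sorted(ike_sources(SAMPLE).items()):
        print("IKE toward %s sent from %s" % (peer, ", ".join(sorted(sources))))
    print("main IP used:", check_source_ip(SAMPLE, "203.0.113.1", "192.0.2.50"))
```

On a real capture, replace SAMPLE with the bytes of /var/log/fw_monitor.cap and compare the reported source against the interface you expect; if it is the main IP rather than the intended egress interface, that is the Link Selection setting above. A peer that appears only as a source (inbound) and never as a destination means the gateway never sent its own IKE packets, which points back at routing or the encryption domain rather than at the peer.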