The Trouble with IPsec VPNs, Part#2: Methodology

A while back, I started blogging on the subject of IPsec troubleshooting. In that blog post, I mentioned that in order to successfully troubleshoot IPsec in a fast and efficient manner it is necessary to have a good knowledge of how IPsec works and to follow a good troubleshooting methodology.

So, in this blog post, I am going to describe a simple and efficient troubleshooting methodology. This methodology is shown in the following figure:

Figure 1: IPsec Troubleshooting Methodology

As you can see from the figure, the first step in troubleshooting IPsec VPNs is to check that IKE phase 1 has been successfully negotiated between your routers. IKE phase 1 (main mode) is used by your routers to negotiate policy parameters and algorithms, exchange keying material and identities, and authenticate each other.

If IKE phase 1 does not complete successfully, then you need to jump in and fix it before moving on to any other potential problems.

Once you have verified successful IKE phase 1 negotiation, you can move on to checking IKE phase 2 (quick mode). IKE phase 2 is used to negotiate IPsec tunnel parameters such as encryption and hashing algorithms.

If IKE phase 2 negotiation doesn't complete successfully, then you now need to take a close look at what's going wrong there.

After IKE phase 2 has completed successfully, your IPsec tunnel will be up, but you still may not be out of the woods. For example, it is possible that user traffic fails to transit the tunnel between sites even though both phases negotiated correctly.

If user traffic transport is failing, this is the next thing you need to troubleshoot.

Finally, if you have been through the preceding process and are still having problems, then you need to double-check your configurations and also verify that you are not falling foul of other issues that can occur with IPsec VPNs.
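The four steps above (IKE phase 1, IKE phase 2, user traffic, then configuration review) can be walked mechanically from the state a router reports. The following is an added example written for this post, not code from the original article: it assumes Cisco IOS peers and the output format of `show crypto isakmp sa` and `show crypto ipsec sa` (neither command is named in the post), and the sample outputs embedded in it are constructed, not captured from a real device. The `triage` function returns which step of the methodology the operator should be working on.

```python
"""Map router 'show' output onto the IPsec troubleshooting steps:
IKE phase 1 -> IKE phase 2 -> user traffic -> configuration review.

Assumption: Cisco IOS peers. All sample output below is constructed."""
import re

# Constructed 'show crypto isakmp sa' output: main mode stuck (phase 1 failing).
ISAKMP_STUCK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.2        10.1.1.1        MM_NO_STATE       1001 ACTIVE
"""
# Constructed: phase 1 complete, SA idle and ready for quick mode.
ISAKMP_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.2        10.1.1.1        QM_IDLE           1001 ACTIVE
"""
# Constructed 'show crypto ipsec sa' output: no IPsec SA (no SPIs) for the peer.
IPSEC_NO_SA = """\
interface: Serial0/0
    Crypto map tag: VPNMAP, local addr 10.1.1.1
   current_peer 10.1.1.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
     outbound esp sas:
"""
# Constructed: IPsec SAs exist, traffic leaves but nothing comes back.
IPSEC_ONE_WAY = """\
interface: Serial0/0
    Crypto map tag: VPNMAP, local addr 10.1.1.1
   current_peer 10.1.1.2 port 500
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x4D3C2B1A(1295475482)
"""

PHASE1_COMPLETE = "QM_IDLE"   # any MM_* state means main mode has not finished
ISAKMP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+\S+")


def phase1_state(peer, isakmp_text):
    """Return the ISAKMP SA state for `peer` (dst or src column), or None."""
    for line in isakmp_text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m and peer in (m.group(1), m.group(2)):
            return m.group(3)
    return None


def parse_ipsec_sa(ipsec_text):
    """Return {peer: {'encaps', 'decaps', 'spis'}} from 'show crypto ipsec sa'."""
    sas, cur = {}, None
    for line in ipsec_text.splitlines():
        m = re.search(r"current_peer (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            cur = sas.setdefault(m.group(1), {"encaps": 0, "decaps": 0, "spis": 0})
            continue
        if cur is None:
            continue
        m = re.search(r"#pkts (encaps|decaps): (\d+)", line)
        if m:
            cur[m.group(1)] = int(m.group(2))
        elif re.match(r"\s*spi: 0x", line):      # SPI lines under in/outbound esp sas
            cur["spis"] += 1
    return sas


def triage(peer, isakmp_text, ipsec_text):
    """Return (methodology_step, finding) for the given peer."""
    state = phase1_state(peer, isakmp_text)
    if state != PHASE1_COMPLETE:
        return ("ike-phase1", f"no usable IKE SA with {peer} (state: {state or 'none'})")
    sa = parse_ipsec_sa(ipsec_text).get(peer)
    if sa is None or sa["spis"] == 0:
        return ("ike-phase2", f"IKE SA is up but no IPsec SA (SPI) exists for {peer}")
    if sa["encaps"] == 0:
        return ("user-traffic", "tunnel is up but no traffic is being selected for it")
    if sa["decaps"] == 0:
        return ("user-traffic", f"sent {sa['encaps']} packets, received 0: check the return path")
    return ("config-review", "both phases up and traffic flows both ways; re-check config")


if __name__ == "__main__":
    for label, isakmp, ipsec in [("stuck", ISAKMP_STUCK, IPSEC_NO_SA),
                                 ("no-sa", ISAKMP_OK, IPSEC_NO_SA),
                                 ("one-way", ISAKMP_OK, IPSEC_ONE_WAY)]:
        print(label, "->", triage("10.1.1.2", isakmp, ipsec))
```

The ordering of the checks is the point: a one-way packet count is only meaningful once both IKE phases are known to be up, so the function refuses to report a traffic problem until the earlier steps have passed.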

Next time I'll start to take a closer look at each of these troubleshooting steps, beginning with IKE phase 1.


Copyright © 2008 IDG Communications, Inc.
