9.8.2. Troubleshooting Certificates
If certificates have been used in a VPN solution then the following should be looked at as a source
of potential problems:
•
Check that the correct certificates have been used for the right purposes.
•
Check that the certificate .cer and .key files have the same filename. For example, my_cert.key
and my_cert.cer.
•
Check that the certificates have not expired. Certificates have a specific lifetime and when this
expires they cannot be used and new certificates must be issued.
•
Check that the NetDefendOS date and time is set correctly. If the system time and date is wrong
then certificates can appear as being expired when, in fact, they are not.
•
Consider time-zone issues with newly generated certificates. The NetDefend Firewall's time
zone may not be the same as the CA server's time zone and the certificate may not yet be valid
in the local zone.
•
Disable CRL (revocation list) checking to see if CA server access could be the problem. CA
Server issues are discussed further in Section 9.7, “CA Server Access”.
9.8.3. IPsec Troubleshooting Commands
A number of commands can be used to diagnose IPsec tunnels:
The ipsecstat console command
ipsecstat can be used to show that IPsec tunnels have correctly established. A representative
example of output is:
gw-world:/> ipsecstat
--- IPsec SAs:
Displaying one line per SA-bundle
IPsec Tunnel
Local Net
Remote Net
Remote GW
------------
--------------
------------
-------------
L2TP_IPSec
214.237.225.43
84.13.193.179
84.13.193.179
IPsec_Tun1
192.168.0.0/24
172.16.1.0/24
82.242.91.203
To examine the first IKE negotiation phase of tunnel setup use:
gw-world:/> ipsecstat -ike
To get complete details of tunnel setup use:
gw-world:/> ipsecstat -u -v
Warning: Be careful using the -num=all option
When using any IPsec related commands, if there are large numbers of tunnels then
avoid using the -num=all option since this will generate correspondingly large
amounts of output.
For example, with a large number of tunnels avoid using:
9.8.3. IPsec Troubleshooting
Commands
Chapter 9. VPN
484
Содержание NetDefend DFL-1660
Страница 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Страница 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Страница 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Страница 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Страница 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Страница 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Страница 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Страница 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Страница 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Страница 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Страница 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Страница 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Страница 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Страница 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...