7 IPsec VPN 143
Turning off certificate validation

One of the ways to troubleshoot problems with CA server access is to turn off the requirement to validate certificates. By default, checking is always enabled. Attempts to access CA servers by the SEG can be disabled by setting the CRL option for a certificate object to No (the default is Yes). For example:

Device:/> set Certificate my_cert CRL=No

This means that checking against the CA server's revocation list (CRL) will be turned off and access to the server will not be attempted.

When switching off CRL checking, it may not be necessary to apply the CRL=No option to all certificates. This option follows the chain of certificate dependency. If it is applied to the root certificate of the chain, it is automatically applied to all dependent certificates.
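Because CRL=No is inherited down the chain, it is easy to switch off revocation checking for more certificates than intended. The following script is an added example (not SEG code) that parses "set Certificate <name> CRL=..." lines in the syntax shown above, applies the inheritance rule against a constructed issuer chain, and lists every certificate that ends up with revocation checking off; the chain names and the assumption that an explicit CRL=Yes on a child cannot override CRL=No on its issuer are assumptions, not from the page.

```python
"""Audit which SEG certificate objects end up with CRL checking disabled.

Added example, not Clavister/SEG code. Assumes: the CLI syntax shown on the
page ("set Certificate <name> CRL=No|Yes"), a constructed issuer chain, and
the page's rule that CRL=No on a certificate also applies to every
certificate that depends on it. Override semantics are an assumption.
"""
import re
from typing import Dict, Iterable, List, Optional

# Matches the page's command form, with or without the "Device:/>" prompt.
SET_CERT_RE = re.compile(r"^set\s+Certificate\s+(\S+)\s+CRL=(Yes|No)$", re.IGNORECASE)

# Constructed chain (assumption): certificate name -> issuer name, root -> None.
ISSUER: Dict[str, Optional[str]] = {
    "root_ca": None,
    "sub_ca": "root_ca",
    "my_cert": "sub_ca",
    "partner_cert": "sub_ca",
    "other_cert": "root_ca",
}


def parse_cli(lines: Iterable[str]) -> Dict[str, bool]:
    """Return explicit CRL settings (True = checking on) from CLI lines."""
    settings: Dict[str, bool] = {}
    for line in lines:
        line = line.strip()
        if line.startswith("Device:/>"):
            line = line[len("Device:/>"):].strip()
        m = SET_CERT_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).lower() == "yes"
    return settings


def effective_crl(name: str, explicit: Dict[str, bool], issuer=ISSUER) -> bool:
    """Checking stays on only if no certificate on the path to the root has CRL=No.
    Unset certificates default to Yes, as the page states."""
    node: Optional[str] = name
    while node is not None:
        if explicit.get(node, True) is False:
            return False
        node = issuer[node]
    return True


def unchecked_certs(cli_lines: Iterable[str], issuer=ISSUER) -> List[str]:
    """Names of certificates whose revocation status will no longer be checked."""
    explicit = parse_cli(cli_lines)
    return sorted(n for n in issuer if not effective_crl(n, explicit, issuer))
```

Run it against the CLI lines you intend to enter before applying them; a root-level CRL=No should show every certificate in the chain, which is the cue to scope the change to a single certificate instead.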
IPsec troubleshooting

This section deals with how to troubleshoot the common problems that are found with VPN.
General troubleshooting

In all types of VPNs some basic troubleshooting checks can be made:

• Check that all IP addresses have been specified correctly.

• Check that all pre-shared keys and usernames/passwords are correctly entered.
• Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by "Pinging" the internal IP address of the local network interface on the SEG from a client (in LAN to LAN setups pinging could be done in any direction). If the SEG is to respond to a Ping then the following rule must exist in the IP rule set:

  Action  Src Interface  Src Network  Dest Interface  Dest Network  Service
  Allow   vpn_tunnel     all-nets     core            all-nets      ICMP

• Ensure that another IPsec Tunnel definition is not preventing the correct definition being reached. The tunnel list is scanned from top to bottom by the SEG and a tunnel in a higher position with the Remote Network set to all-nets and the Remote Endpoint set to none could prevent the correct tunnel being reached. A symptom of this is often an Incorrect Pre-shared Key message.