SnapGear 2.0.1 User Manual

Virtual Private Networking

149

Solution: Confirm that the remote party has IPSec and the tunnel enabled and has
an Internet IP address. Ensure that the CyberGuard SG appliance has rekeying
enabled. If the tunnel still goes down after a period of time, it may be due to the
CyberGuard SG appliance and remote party not recognising the need to renegotiate
the tunnel. This situation arises when the remote party is configured to accept
incoming tunnel connections (as opposed to initiate tunnel connections) and reboots.
The tunnel has no ability to let the other party know that a tunnel renegotiation is
required. This is an inherent drawback to the IPSec protocol. Different vendors have
implemented their own proprietry method to support the ability to detect whether to
renegotiate the tunnel. Dead peet detection has been implemented based on the
draft produced by Cisco Systems (draft-ietf-ipsec-dpd-00.txt). Unfortunately, unless
the remote party implements this draft, the only method to renegotiate the tunnel is to
reduce the key lifetimes for Phase 1 and Phase 2 for Automatic Keying (IKE). This
does not occur for Manual Keying.

•

Symptom: Dead Peer Detection does not seem to be working

Possible Cause: The tunnel has Dead Peer Detection disabled.

The remote party does not support Dead Peer Detection according to draft-ietf-ipsec-
dpd-00.txt

Solution: Enable Dead Peer Detection support for the tunnel. Unless the remote
party supports draft-ietf-ipsec-dpd-00.txt, Dead Peer Detection will not be used.

•

Symptom: Tunnels using x.509 certificate authentication do not work

Possible Cause: The date and time settings on the CyberGuard SG appliance has
not been configured correctly.

The certificates have expired.

The Distinguished Name of the remote party has not be configured correctly on the
CyberGuard SG appliance's tunnel.

The certificates do not authenticate correctly against the CA certificate.

The remote party's settings are incorrect.

Solution: Confirm that the certificates are valid. Confirm also that the remote party's
tunnel settings are correct. Check the Distinguished Name entry in the the
CyberGuard SG appliance's tunnel configuration is correct.

•

Symptom: Remote hosts can be accessed using IP address but not by name

Possible cause: Windows network browsing broadcasts are not being transmitted
through the tunnel.

Solution: Set up a WINS server and use it to have the remote hosts resolve names
to IP addresses.