ZyXEL Communications 792H User Manual

Prestige 792H G.SHDSL Router

14-28

VPN

Screens

Double exclamation marks (!!) denote an error or warning message.

The following table shows sample log messages during IKE key exchange.

Table 14-13 Sample IKE Key Exchange Logs

LOG MESSAGE

DESCRIPTION

Cannot find outbound SA for rule
<#d>

The packet matches the rule index number (#d), but
Phase 1 or Phase 2 negotiation for outbound (from the
VPN initiator) traffic is not finished yet.

Send Main Mode request to <IP>

Send Aggressive Mode request to <IP>

The Prestige has started negotiation with the peer.

Recv Main Mode request from <IP>

Recv Aggressive Mode request from
<IP>

The Prestige has received an IKE negotiation request
from the peer.

Send:<Symbol><Symbol>

Recv:<Symbol><Symbol>

IKE uses the ISAKMP protocol (refer to RFC2408 –
ISAKMP) to transmit data. Each ISAKMP packet
contains payloads of different types that show in the
log - see Table 14-15.

Phase 1 IKE SA process done

Phase 1 negotiation is finished.

Start Phase 2: Quick Mode

Phase 2 negotiation is beginning using Quick Mode.

!! IKE Negotiation is in process

The Prestige has begun negotiation with the peer for
the connection already, but the IKE key exchange has
not finished yet.

!! Duplicate requests with the same
cookie

The Prestige has received multiple requests from the
same peer but it is still processing the first IKE packet
from that peer.

!! No proposal chosen

The parameters configured for Phase 1 or Phase 2
negotiations don’t match. Please check all protocols
and settings for these phases. For example, one party
may be using 3DES encryption, but the other party is
using DES encryption, so the connection will fail.

!! Verifying Local ID failed

!! Verifying Remote ID failed

During IKE Phase 2 negotiation, both parties
exchange policy details, including local and remote IP
address ranges. If these ranges differ, then the
connection fails.