system logging console enable
system logging console priority debug
3. To debug the DHCP client, enter:
debug dhcp-client
4. To display the firewall configuration, enter:
show firewall policy corp
show firewall policy internet
You must verify that the following policies exist:
• You require an internet firewall policy allowing ISAKMP packets from the VPN peer to the local VPN endpoint.
The following is a sample configuration:
firewall internet
policy 100 in permit service ike self
A static VPN policy generally requires the configuration of a static IP address. However, since the IP address with VPN ABOT is not static, no IP address is specified.
• In cases where there is a NAT in the middle between the VPN peers, you also require an internet firewall policy that allows IKE self connections to UDP port 4500, to support NAT traversal.
The following is a sample configuration:
firewall internet
policy 101 in permit protocol udp port any 4500 self
(In cases where the NAT is enabled on one of the peers, you do not need to open port 4500.)
• You also require a corp firewall policy that allows data packets from the remote VPN protected network (for example, 30.1.1.0/24) to the local VPN protected network (for example, 10.1.1.0/24).
The following is a sample configuration:
firewall corp
policy 200 in permit address 30.1.1.0 24 10.1.1.0 24
This last configuration is the same as that required for a non-ABOT static VPN.
5. To verify the VPN configuration by displaying the IKE policy, enter:
show crypto ike policy all detail
Confirm that the IKE proposal properties match on the peers. Also, as the local public address is obtained through DHCP, be sure to specify a local ID in order to have a local identifier for IKE negotiation and authentication in phase 1. The local-address must be configured as 0.0.0.0.
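As an added example (not part of the Avaya guide), the following Python script audits a pasted firewall policy configuration for the three policies steps 3 to 5 above say must exist. The sample configuration is constructed from the lines shown in this section; the token layout it parses is an assumption based on that syntax, not real `show firewall policy` output.

```python
import ipaddress

# Constructed sample using the policy syntax shown in this section.
SAMPLE_CONFIG = """
firewall internet
policy 100 in permit service ike self
policy 101 in permit protocol udp port any 4500 self
firewall corp
policy 200 in permit address 30.1.1.0 24 10.1.1.0 24
"""


def parse_policies(text):
    """Group 'policy ...' lines under the preceding 'firewall <name>' line."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("firewall "):
            current = line.split()[1]
            policies.setdefault(current, [])
        elif line.lower().startswith("policy ") and current:
            policies[current].append(line.lower().split())
    return policies


def check_abot_policies(text, remote_net, local_net, nat_between_peers):
    """Return one True/False result per required policy from this section."""
    p = parse_policies(text)
    internet, corp = p.get("internet", []), p.get("corp", [])
    remote, local = ipaddress.ip_network(remote_net), ipaddress.ip_network(local_net)

    # Internet policy permitting ISAKMP/IKE from the peer to the router itself.
    ike_ok = any(t[2:] == ["in", "permit", "service", "ike", "self"] for t in internet)
    # UDP 4500 (NAT-T) is only required when a NAT sits between the peers.
    natt_ok = (not nat_between_peers) or any(
        t[2:] == ["in", "permit", "protocol", "udp", "port", "any", "4500", "self"]
        for t in internet)
    # Corp policy whose address pair covers remote -> local protected networks.
    data_ok = False
    for t in corp:
        if t[2:5] == ["in", "permit", "address"] and len(t) >= 9:
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}")
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}")
            if remote.subnet_of(src) and local.subnet_of(dst):
                data_ok = True
    return {"ike_self": ike_ok, "nat_traversal_4500": natt_ok, "corp_data": data_ok}


if __name__ == "__main__":
    print(check_abot_policies(SAMPLE_CONFIG, "30.1.1.0/24", "10.1.1.0/24", True))
```

Paste the output of the two `show firewall policy` commands in place of the sample to run the same three checks against a real router.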
Troubleshooting security
216 Troubleshooting August 2013
Comments? infodev@avaya.com