9.8.2. Troubleshooting Certificates
If certificates have been used in a VPN solution then the following should be looked at as a source of potential problems:
• Check that the correct certificates have been used for the right purposes.
• Check that the certificate .cer and .key files have the same filename. For example, my_cert.key and my_cert.cer.
• Check that the certificates have not expired. Certificates have a specific lifetime and when this expires they cannot be used and new certificates must be issued.
• Check that the NetDefendOS date and time is set correctly. If the system time and date is wrong then certificates can appear as being expired when, in fact, they are not.
• Consider time-zone issues with newly generated certificates. The NetDefend Firewall's time zone may not be the same as the CA server's time zone and the certificate may not yet be valid in the local zone.
• Disable CRL (revocation list) checking to see if CA server access could be the problem. CA Server issues are discussed further in Section 3.9.4, “CA Server Access”.
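The clock, time-zone and file-naming checks above, as an added helper that is not part of NetDefendOS or this manual. It assumes the validity dates were obtained with `openssl x509 -noout -dates -in <file>` (real OpenSSL output format); the certificate dates, firewall clock values and file names are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
import os

# Constructed sample: output of `openssl x509 -noout -dates` for one certificate.
OPENSSL_DATES = "notBefore=Mar 10 09:00:00 2024 GMT\nnotAfter=Mar 10 09:00:00 2025 GMT\n"


def parse_validity(dates_output):
    """Return (notBefore, notAfter) as UTC-aware datetimes; X.509 times are GMT."""
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())
    fmt = "%b %d %H:%M:%S %Y GMT"
    not_before = datetime.strptime(fields["notBefore"], fmt).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(fields["notAfter"], fmt).replace(tzinfo=timezone.utc)
    return not_before, not_after


def certificate_status(dates_output, firewall_local_time, firewall_utc_offset_hours):
    """Classify a certificate against the firewall's own clock and time zone.

    The firewall's local time is converted to UTC before comparing, because a
    certificate issued minutes ago by a CA in a zone ahead of the firewall
    looks "not yet valid" if the local wall-clock time is compared directly.
    """
    not_before, not_after = parse_validity(dates_output)
    firewall_zone = timezone(timedelta(hours=firewall_utc_offset_hours))
    now_utc = firewall_local_time.replace(tzinfo=firewall_zone).astimezone(timezone.utc)
    if now_utc < not_before:
        return "not yet valid (check system clock and time zone; CA may be ahead)"
    if now_utc > not_after:
        return "expired (a new certificate must be issued)"
    if not_after - now_utc < timedelta(days=30):
        return "valid, expires within 30 days"
    return "valid"


def unpaired_cert_files(filenames):
    """Return basenames that do not have both a .cer and a .key file."""
    stems = {}
    for name in filenames:
        stem, ext = os.path.splitext(name)
        stems.setdefault(stem, set()).add(ext.lower())
    return sorted(stem for stem, exts in stems.items() if not {".cer", ".key"} <= exts)


if __name__ == "__main__":
    # Firewall at UTC+1 whose clock reads 09:30 just after a CA issued the
    # certificate at 09:00 GMT: in UTC it is 08:30, so the certificate is not yet valid.
    print(certificate_status(OPENSSL_DATES, datetime(2024, 3, 10, 9, 30), 1))
    print(unpaired_cert_files(["my_cert.cer", "my_cert.key", "vpn_gw.cer", "old.key"]))
```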
9.8.3. The ike -stat Command
The ipsec CLI command can be used to show that IPsec tunnels have been correctly established. A representative example of output is:
gw-world:/> ipsec
--- IPsec SAs:
Displaying one line per SA-bundle
IPsec Tunnel Local Net Remote Net Remote GW
------------ -------------- ------------ -------------
L2TP_IPSec 214.237.225.43 84.13.193.179 84.13.193.179
IPsec_Tun1 192.168.0.0/24 172.16.1.0/24 82.242.91.203
To examine the first IKE negotiation phase of tunnel setup use the ike command:
gw-world:/> ike
However, to get complete details of tunnel setup use:
gw-world:/> ipsec -show -verbose -usage
Warning: Be careful using the -num=all option
If there are large numbers of tunnels then avoid using the -num=all option since this will generate correspondingly large amounts of output. For example, with a large number of tunnels avoid using:
gw-world:/> ipsec -show -num=all
Another example of what to avoid with many tunnels is:
Chapter 9: VPN
763