You are troubleshooting IPSec VPN connectivity between two sites. From the local router, you are able to ping the remote tunnel endpoint.
Which of the following steps should you perform next? (Select the best answer.)
- Issue the traceroute command to trace the route to the tunnel endpoint.
- Verify that the IKE policies match on both peers.
- Verify that the peers successfully authenticate one another.
- Reboot both devices.
Explanation:
If you are able to ping the remote tunnel endpoint, you should verify that the Internet Key Exchange (IKE) policies match on both peers. Issuing the show crypto isakmp policy command displays the IKE phase 1 policy settings configured on the router, including the encryption algorithm, hash algorithm, authentication method, Diffie-Hellman (DH) key exchange group, and security association (SA) lifetime. The following is sample output from the show crypto isakmp policy command:
RouterA#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #14 (2048 bit)
lifetime: 3600 seconds, no volume limit
You can also issue the debug crypto isakmp command to determine whether an IKE phase 1 policy mismatch is occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 appears when there is a phase 1 policy mismatch between the peers. To configure IKE phase 1 policy parameters, issue the crypto isakmp policy priority command to enter ISAKMP policy configuration mode, where you can issue the following commands:
– authentication
– encryption
– group
– hash
– lifetime
If the IKE phase 1 policies match, you should issue the debug crypto isakmp command to verify that the SA authenticates. If there is a pre-shared key (PSK) mismatch between the peers, you will see the 1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed debug error message. If a PSK is missing on one of the peers, you will see the 1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Preshared key for remote peer at 10.11.12.13 is missing debug error message. To create a PSK, issue the crypto isakmp key key {address ip-address [mask] | hostname name} [no-xauth] command.
If you can ping the remote tunnel endpoint, there is no need to issue the traceroute command to trace the route to the tunnel endpoint. A successful ping indicates that connectivity between the peers exists. If the ping is not successful, you can issue the traceroute command to see where the fault is occurring along the path between the two peers.
Rebooting peer routers should not be among the first actions you perform when troubleshooting IP Security (IPSec) virtual private network (VPN) connectivity between two sites. If you have performed the other troubleshooting steps but are still unable to establish a VPN connection, you might consider rebooting the routers. However, rebooting is not likely to solve the connectivity problems.
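The two checks described in the explanation, comparing the phase 1 policies of both peers and reading the debug output for the authentication errors, can be done offline from captured text. The following Python script is an added example, not part of the original question and not a Cisco tool: it parses `show crypto isakmp policy` output from two peers, reports which protection suites agree on the negotiated attributes, and tags `debug crypto isakmp` lines with the failure category each one indicates. The router output, the debug lines and the peer address 10.11.12.13 in the sample are constructed for the example.

```python
"""
Added example, not from the original question or from Cisco. It parses
`show crypto isakmp policy` output captured from two peers, reports which
IKE phase 1 protection suites agree on the negotiated attributes, and tags
`debug crypto isakmp` lines with the failure category each indicates.
All sample output and debug lines below are constructed.
"""
import re

# Constructed output from two peers: RouterA's priority 20 suite is the only
# one RouterB offers; their lifetimes differ on purpose.
ROUTER_A = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #19 (256 bit ecp)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit
"""
ROUTER_B = """\
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
"""
# Constructed debug capture: the three failure lines quoted in the
# explanation plus one routine line that must be ignored.
SAMPLE_DEBUG = [
    "1d00h: ISAKMP (0:1): processing SA payload. message ID = 0",
    "1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0",
    "1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 "
    "failed its sanity check or is malformed",
    "1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Preshared key for remote "
    "peer at 10.11.12.13 is missing",
]

# Attributes both peers must agree on. Lifetime is parsed but left out of
# the comparison: it need not be identical for phase 1 to succeed.
NEGOTIATED = ("encryption algorithm", "hash algorithm",
              "authentication method", "diffie-hellman group")

def parse_isakmp_policy(text):
    """Return {priority: {attribute: value}} from show crypto isakmp policy text."""
    suites, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Protection suite of priority (\d+)", line)
        if header:
            current = suites.setdefault(int(header.group(1)), {})
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = " ".join(value.split()).rstrip(".")
    return suites

def compare_policies(local, remote):
    """List (local_prio, remote_prio, differing_attrs) for every suite pair."""
    return [
        (lp, rp, [k for k in NEGOTIATED if ls.get(k) != rs.get(k)])
        for lp, ls in sorted(local.items())
        for rp, rs in sorted(remote.items())
    ]

FAILURE_PATTERNS = (
    ("phase1_policy_mismatch", re.compile(r"atts are not acceptable")),
    ("psk_mismatch_or_malformed", re.compile(r"IKMP_BAD_MESSAGE")),
    ("psk_missing", re.compile(r"IKMP_NO_PRESHARED_KEY")),
)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def classify_debug(lines):
    """Tag each recognised failure line with its category and the peer IP, if any."""
    findings = []
    for line in lines:
        for category, pattern in FAILURE_PATTERNS:
            if pattern.search(line):
                peer = IPV4.search(line)
                findings.append({"category": category,
                                 "peer": peer.group(1) if peer else None,
                                 "line": line})
                break
    return findings

if __name__ == "__main__":
    a, b = parse_isakmp_policy(ROUTER_A), parse_isakmp_policy(ROUTER_B)
    for lp, rp, diffs in compare_policies(a, b):
        print(f"A#{lp} vs B#{rp}: " + ("match" if not diffs else "differs on " + ", ".join(diffs)))
    for f in classify_debug(SAMPLE_DEBUG):
        print(f"{f['category']:<26} peer={f['peer']}  {f['line']}")
```

Run as-is, it reports that RouterA's priority 10 suite differs from RouterB's suite on the encryption, hash and DH group attributes while the two priority 20 suites match, and it flags the policy-mismatch, bad-message and missing-key lines with the peer address where one is present. To use it on a real case, replace the constructed strings with the two `show` captures and the debug log; the priority pair with no differences is the one the peers can agree on, and an empty list means the phase 1 policies need to be aligned before looking at authentication.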