A wide variety of errors and problems can occur when testing or setting up a VPN connection. The admin mainly deals with three problem areas:
VPN tunnel is not established
Tunnel is established, but user data is not transmitted (no ping)
Tunnel is unstable and drops
The following points should help the admin troubleshoot VPN problems in a structured way.
Name resolution / DynDNS:
VPN routers are often operated on DSL connections with dynamic IP addresses. The connection is then established via a host name from a dynamic DNS service such as DynDNS. Check whether DNS resolves to the correct IP address: ping the VPN router's host name from the client side and compare the resolved address with the WAN IP of the VPN router.
Some routers' DynDNS clients do not work reliably. This can be remedied by updating the firmware or by running a DynDNS client on a PC in the router's LAN.
IP connectivity:
Use ping and traceroute to check the IP connection between the client and the VPN router in both directions. You may have to activate ping responses on the WAN interface of the VPN router. This is RFC compliant and extremely helpful in troubleshooting.
What about routing? Are the net masks correct? Are the IP addresses unique? With a LAN-to-LAN connection via VPN, the address ranges on both sides must be coordinated so that they do not overlap. If both routers use 192.168.1.1, it will not work.
VPN pass-through:
Many simple SOHO routers have problems forwarding VPN sessions. VPN pass-through or IPsec pass-through should be mentioned in the data sheet. IPsec uses IP protocol number 50 for ESP (a protocol number, not a port number) and UDP port 500 for IKE (ISAKMP). Sometimes these options have to be activated explicitly in the router.
Log files:
The first point of contact for troubleshooting should be the logs of the VPN router and the VPN client; only then can VPN testing proceed properly. Here you should see the connection being established. Typing errors in the PSK or mismatched proposals can be found quickly.
Network analysis:
Everything is encrypted, so why use a sniffer? With an active IPsec tunnel there really isn't much to see beyond ESP. However, Wireshark or the Microsoft Network Monitor are very useful for troubleshooting while the connection is being established. If the router's log remains empty, a quick look at the network traffic helps. Do any packets arrive at all? Are the IP addresses and port numbers correct? Where does the reply go?
Dead Peer Detection (DPD):
Dead Peer Detection (DPD) checks whether the other VPN endpoint can still be reached. For this purpose, DPD sends ISAKMP keep-alives on UDP port 500 (notify message types: R-U-THERE = 36136, R-U-THERE-ACK = 36137). If DPD is activated on only one side of the VPN tunnel, the connection is terminated after the DPD timer has expired.
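To make the network-analysis and DPD points concrete, here is an added example (not code from the original article) that classifies raw IPv4 packets the way a sniffer would: ESP by IP protocol 50, IKE by UDP port 500, and for IKE it decodes the always-cleartext ISAKMP header. The DPD notify type (36136 / 36137) is read only when the encryption flag is clear; in a live capture DPD runs inside the protected ISAKMP SA, so normally all you see is a periodic Informational exchange in both directions on UDP 500. The sample packets and addresses are constructed for the example.

```python
import struct

# ESP is IP protocol 50 (not a port); IKE/ISAKMP runs on UDP 500, as described above.
ESP_PROTO, UDP_PROTO, IKE_PORT = 50, 17, 500
ISAKMP_HDR_LEN, PAYLOAD_NOTIFY, EXCH_INFORMATIONAL = 28, 11, 5
DPD_NOTIFY = {36136: "R-U-THERE", 36137: "R-U-THERE-ACK"}   # RFC 3706 DPD notify types

def classify_ip_packet(pkt: bytes) -> dict:
    """Classify a raw IPv4 packet as ESP, IKE or other; decode the ISAKMP header for IKE."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])), "kind": "other"}
    if proto == ESP_PROTO:
        spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])          # ESP SPI and sequence are cleartext
        info.update(kind="esp", spi=spi, seq=seq)
    elif proto == UDP_PROTO:
        sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
        if IKE_PORT in (sport, dport):
            info.update(kind="ike", **parse_isakmp(pkt[ihl + 8:ihl + ulen]))
    return info

def parse_isakmp(data: bytes) -> dict:
    """Decode the cleartext ISAKMP header; the DPD notify type is readable only if the E flag is clear."""
    _ic, _rc, next_pl, _ver, exch, flags, _msg_id, _length = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    out = {"informational": exch == EXCH_INFORMATIONAL, "encrypted": bool(flags & 0x01), "dpd": None}
    if not out["encrypted"] and next_pl == PAYLOAD_NOTIFY:
        # Notification payload: next(1) rsvd(1) len(2) DOI(4) proto_id(1) spi_size(1) notify_type(2) spi seq
        (ntype,) = struct.unpack("!H", data[ISAKMP_HDR_LEN + 10:ISAKMP_HDR_LEN + 12])
        out["dpd"] = DPD_NOTIFY.get(ntype)
    return out

# --- constructed sample packets (not captured traffic); IP checksum left zero, not verified above ---
def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def dpd_packet(notify_type: int, encrypted: bool) -> bytes:
    cookies = b"\x11" * 8 + b"\x22" * 8                          # DPD carries both cookies as the SPI
    notify = struct.pack("!BBHIBBH", 0, 0, 32, 1, 1, 16, notify_type) + cookies + struct.pack("!I", 7)
    hdr = struct.pack("!8s8sBBBBII", cookies[:8], cookies[8:], PAYLOAD_NOTIFY, 0x10,
                      EXCH_INFORMATIONAL, 0x01 if encrypted else 0, 0x1234, ISAKMP_HDR_LEN + len(notify))
    udp = struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + ISAKMP_HDR_LEN + len(notify), 0)
    return ipv4(UDP_PROTO, "203.0.113.10", "198.51.100.20", udp + hdr + notify)

def esp_packet() -> bytes:
    esp = struct.pack("!II", 0xC0FFEE01, 42) + b"\x00" * 16       # SPI, sequence, opaque ciphertext
    return ipv4(ESP_PROTO, "203.0.113.10", "198.51.100.20", esp)
```

Call classify_ip_packet() on esp_packet(), dpd_packet(36136, False) and dpd_packet(36137, True) to see the three cases: an ESP packet with its SPI, a readable R-U-THERE, and an encrypted Informational exchange whose notify type cannot be recovered.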