Billion Electric Company CO1 User Manual

                  Billion BiGuard VPN Client 
 
Chapter 5: Troubleshooting 
No response to phase 2 requests 
 
120348 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
120349 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [NONCE] [ID] [ID]
 
Check the algorithms and the phase 2 identities (“Local address” and “Network address”). Some
setting probably does not match between the VPN Client and the VPN gateway.
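
As an added illustration (not part of the manual or of the BiGuard software), the following Python code scans a saved log in the layout shown above and reports the tunnels whose phase 2 requests go unanswered. The RECV keyword, the threshold of three requests and the second tunnel name CnxVpn2 are assumptions made for the example.

```python
import re
from collections import defaultdict

# Layout taken from the excerpt above: time, "Default", (SA <name>), direction,
# phase, mode, payloads. RECV is an assumption: the excerpt only shows SEND.
LINE_RE = re.compile(
    r"^(?P<time>\d{6})\s+Default\s+\(SA\s+(?P<sa>[^)]+)\)\s+(?P<dir>SEND|RECV)"
    r"\s+phase\s+(?P<phase>[12])\s+(?P<mode>.+?)\s+(?P<payloads>\[.*\])\s*$"
)

def unwrap(text):
    """Re-join entries that were wrapped onto a second line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^\d{6}\s", line) or not entries:
            entries.append(line)          # a new entry starts with a timestamp
        else:
            entries[-1] += " " + line     # continuation such as "[ID] [ID]"
    return entries

def unanswered_phase2(text, threshold=3):
    """Return {sa_name: count} for SAs whose latest run of phase 2 SENDs,
    with no RECV in between, is at least `threshold` long."""
    run = defaultdict(int)
    for entry in unwrap(text):
        m = LINE_RE.match(entry)
        if not m or m["phase"] != "2":
            continue
        if m["dir"] == "SEND":
            run[m["sa"]] += 1
        else:
            run[m["sa"]] = 0              # the gateway answered, reset the run
    return {sa: n for sa, n in run.items() if n >= threshold}

# Constructed sample: the four entries from the excerpt, plus a hypothetical
# second tunnel (CnxVpn2) whose request is answered.
_P2 = "{t} Default (SA {sa}) {d} phase 2 Quick Mode  [HASH] [SA] [NONCE]\n[ID] [ID]\n"
SAMPLE = "".join(_P2.format(t=t, sa=sa, d=d) for t, sa, d in [
    ("120348", "CnxVpn1-CnxVpn1-P2", "SEND"), ("120349", "CnxVpn1-CnxVpn1-P2", "SEND"),
    ("120351", "CnxVpn1-CnxVpn1-P2", "SEND"), ("120351", "CnxVpn1-CnxVpn1-P2", "SEND"),
    ("120400", "CnxVpn2-CnxVpn2-P2", "SEND"), ("120400", "CnxVpn2-CnxVpn2-P2", "RECV"),
])

if __name__ == "__main__":
    print(unanswered_phase2(SAMPLE))
```

A tunnel reported here is one where the algorithms and phase 2 identities should be compared on both ends.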
 
I clicked on “Open tunnel”, but nothing happens. 
 
Read the logs of each VPN tunnel endpoint. IKE requests can be dropped by firewalls. An IPSec
Client uses UDP port 500 and protocol ESP (protocol 50).
 
The VPN tunnel is up but I can’t ping! 
 
If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines:
1.  Check the Phase 2 settings: VPN Client address and Remote LAN address. Usually, the VPN Client
IP address should not belong to the remote LAN subnet.
2.  Once the VPN tunnel is up, packets are sent with the ESP protocol. This protocol can be blocked by
a firewall. Check that every device between the client and the VPN server accepts ESP.
3.  Check your VPN server logs. Packets can be dropped by one of its firewall rules.
4.  Check that your ISP supports ESP.
5.  If you still cannot ping, follow ICMP traffic on the VPN server LAN interface and on the LAN
computer interface (with Ethereal for example). You will have an indication that encryption
works.
6.  Check the “default gateway” value in the VPN Server LAN. A target on your remote LAN can
receive pings but does not answer because there is no “Default gateway” setting.
7.  You cannot access the computers in the LAN by name. You must specify their IP
addresses inside the LAN.
 
We recommend that you install Ethereal (http://www.ethereal.com) on one of your target computers.
You can then check that your pings arrive inside the LAN.