Checking the tunnel setup

From a client workstation located on each remote site, enter the URL of your intranet site in a web browser. For example: http://intranet_site_name.

If you have allowed ICMP in the filter rules, you can also ping from the workstation to the intranet server.

Checking in Stormshield Network Realtime Monitor

  1. Launch Stormshield Network Real-Time Monitor.
  2. Log on to the Firewall of the main site through the program.
  3. Click on the module Logs > VPN.
  4. Check that phases 1 and 2 took place correctly (message “Phase established”):

In the VPN Tunnels module, you can also view the tunnel as well as the amount of data exchanged:

If this is not the case, look up the section Incident resolution - Common errors below.

Incident resolution - Common errors

Further on in this section, the Firewall of the remote site is called the “initiator”, as it initiates the setup of the tunnel for the chosen example. As for the Firewall of the main site, it is called the “responder”.

Symptom: The tunnel between the appliances has been set up but no traffic seems to go through it.

Solution: Check your filter rules. Also check the routing between the hosts (client workstation, intranet server) and their respective gateways (static routing or default gateway).

 

Symptom: The tunnel cannot be set up.

  • No message appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “initiator” Firewall.
  • No message appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “responder” Firewall.

Solution: Check the routing between the hosts (client workstation, intranet server) and their respective gateways (static routing or default gateway). Check your filter rules on the “initiator”. Also ensure that the “initiator”’s tunnel is not in “responder only” mode (Peers tab in the menu Configuration > VPN > IPsec VPN).

 

Symptom: The tunnel cannot be set up.

  • A message “Negotiation failed due to timeout” in phase 1 appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “initiator” Firewall

  • No message appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “responder” Firewall.

Solution: The remote IPsec gateway (“responder”) is not responding to requests. Check that the IPsec VPN policy has been enabled on the “responder” Firewall. Check that the objects corresponding to tunnel endpoints have been entered with the right IP addresses.

 

Symptom: The tunnel cannot be set up.

  • The messages “Negotiation failed” and “Certificate with serial XXX from issuer YYY: unable to get local issuer certificate” in phase 1 appear in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “responder” Firewall

Solution: the “responder” Firewall cannot verify the validity of the “initiator” Firewall’s certificate. Ensure that you have indeed defined the CA as the trusted CA on the “responder” (Identification tab in the menu Configuration > VPN > IPsec VPN).

 

Symptom: The tunnel cannot be set up.

  • The messages “Negotiation failed” and “Certificate with serial XXX from issuer YYY: unable to get local issuer certificate” in phase 1 appear in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “initiator” Firewall

Solution: the “initiator” Firewall cannot verify the validity of the “responder” Firewall’s certificate. Ensure that you have indeed defined the CA as the trusted CA on the “initiator” (Identification tab in the menu Configuration > VPN > IPsec VPN).