Checking the tunnel setup

From a client workstation located on the remote site, enter the URL of your intranet site in a web browser. For example: http://intranet_site_name.

If you have allowed ICMP in the filter rules, you can also ping from the workstation to the intranet server.

Checking in Stormshield Network Real-Time Monitor

Launch Stormshield Network Real-Time Monitor, log on to the Firewall of the main site through the program and click on the module Logs > VPN. Check that phases 1 and 2 took place correctly (message “Phase established”):

In the module VPN Tunnels, you can also view the tunnel as well as the amount of data exchanged:

If this is not the case, look up the section Incident resolution - Common errors.

Incident resolution - Common errors

Further on in this section, the Firewall of the remote site is called the “initiator”, as it initiates the setup of the tunnel for the chosen example. As for the Firewall of the main site, it is called the “responder”.

Symptom: The tunnel between the appliances has been set up but no traffic seems to go through it.

Solution: Check your filter rules on the “responder”. Also check the routing between the hosts (client workstation, intranet server) and their respective gateways (static routing or default gateway).

 

Symptom: The tunnel cannot be set up.

  • No message appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “initiator” Firewall.
  • No message appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “responder” Firewall.

Solution: Check the routing between the hosts (client workstation, intranet server) and their respective gateways (static routing or default gateway). Check your filter rules on the “initiator”. Also ensure that the “initiator”’s tunnel is not in “responder only” mode (Peers tab in the menu Configuration > VPN > IPsec VPN).

 

Symptom: The tunnel cannot be set up.

  • A message “Negotiation failed due to timeout” in phase 1 appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “initiator” Firewall.
  • No message appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “responder” Firewall.

Solution: The remote IPsec gateway (“responder”) is not responding to requests. Check that the IPsec VPN policy has been enabled on the “responder” Firewall. Check that the objects corresponding to tunnel endpoints have been entered with the right IP addresses (generally public IP addresses).

 

Symptom: The tunnel cannot be set up.

  • A message “Negotiation failed due to timeout” in phase 1 appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “initiator” Firewall.
  • A message “Negotiation failed” in phase 1 appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “responder” Firewall.

Solution: The appliances are attempting to negotiate but cannot seem to agree on an authentication policy. Check that the pre-shared key is the same on both Firewalls.

 

Symptom: The tunnel cannot be set up.

  • A message “Negotiation failed due to timeout” in phase 1 appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “initiator” Firewall.
  • A message “Could not get a valid proposal” in phase 1 appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “responder” Firewall.

Solution: The appliances are attempting to negotiate but cannot seem to agree on an encryption policy in phase 1 (IKE). Check that the encryption profile is the same on both Firewalls (Diffie-Hellman group, maximum lifetime, etc.).

 

Symptom: The tunnel cannot be set up.

  • A message “Could not get a valid proposal” in phase 2 appears in the module Logs > VPN in Stormshield Network Real-Time Monitor on the “responder” Firewall.

Solution: The appliances are attempting to negotiate but cannot seem to agree on an encryption policy in phase 2 (IPsec). Check that the encryption profile is the same on both Firewalls (authentication and encryption proposals, etc.).