TMS zl Management and Configuration Guide ST.1.1.100226

Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Note: Check all network objects used in IPsec policies and verify that they are
up-to-date and accurate.
4. Check the local gateway address in the IKE policy. Verify that this address
is the module IP address that the clients contact.
5. Check the IKE policy on the TMS zl Module and verify that it uses Main
for the key exchange mode.
6. Check all of your IKE policies and verify that a policy other than the
one that you expect is not the one being matched.
Note that IKE policies remain active even when there are no active IPsec
policies associated with them.
7. Check IKE settings on the TMS zl Module against settings on the remote
clients.
To establish an IKE SA, the TMS zl Module and the remote clients must
agree on a number of settings. Table 10-12 displays those settings and
shows how they should match up between the module and the remote
device. Most settings must match exactly. For other settings, you must
match the module’s local setting to the remote device’s remote setting and
vice versa.
For the Security Parameters Proposal settings, you have several options. By
default, a Windows XP client sends five IKE security proposals—four of
which are compatible with the TMS zl Module. See Table 10-13 for a list
of these proposals so that you can match one of these proposals in the
IKE policy. (Windows 2000 clients do not support proposal 1, and
Windows Vista clients only support proposal 1.)

Table 10-12. Match IKE Settings on the Module and VPN Clients

Setting                   TMS zl Module Setting                              Remote VPN Clients
------------------------  -------------------------------------------------  ---------------------
Local gateway address     Reachable module address                           Any
Remote gateway address    Not applicable                                     Module address
Local ID type and value   IP address and the local gateway address.          Configured by default
                          If you are using certificates, the value in the
                          certificate.
Remote ID type and value  IP address and 0.0.0.0.                            Configured by default
                          If you are using certificates, the value in the
                          certificate.
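
The following check is an added example, not part of the guide or of any HP tool: it applies steps 4 and 5 and the Table 10-12 rows shown above to settings you have copied out of the module and a client. The dictionary keys, the sample policies and the addresses are hypothetical and constructed; candidate_policies is only an aid for step 6 that lists policies sharing the local gateway, not the module's own policy selection logic.

```python
from ipaddress import ip_address

def check_ike_policy(policy, client):
    """Compare one module IKE policy with one client profile; return findings."""
    findings = []
    # Step 4 and Table 10-12: module local gateway is the address clients contact.
    if ip_address(policy["local_gateway"]) != ip_address(client["remote_gateway"]):
        findings.append("local gateway %s is not the address clients contact (%s)"
                        % (policy["local_gateway"], client["remote_gateway"]))
    # Step 5: key exchange mode must be Main.
    if policy["exchange_mode"].lower() != "main":
        findings.append("key exchange mode is %s, expected Main" % policy["exchange_mode"])
    if policy.get("use_certificates"):
        # With certificates, each ID value is the value in the certificate.
        if policy["local_id"]["value"] != policy["module_cert_id"]:
            findings.append("local ID value differs from the module certificate")
        if policy["remote_id"]["value"] != client["cert_id"]:
            findings.append("remote ID value differs from the client certificate")
    else:
        local, remote = policy["local_id"], policy["remote_id"]
        if local["type"] != "ip" or ip_address(local["value"]) != ip_address(policy["local_gateway"]):
            findings.append("local ID should be IP address type with the local gateway address")
        if remote["type"] != "ip" or remote["value"] != "0.0.0.0":
            findings.append("remote ID should be IP address type with value 0.0.0.0")
    return findings

def candidate_policies(policies, client):
    """Step 6 aid: names of all policies on the address the client contacts."""
    target = ip_address(client["remote_gateway"])
    return [p["name"] for p in policies if ip_address(p["local_gateway"]) == target]

# Constructed sample data (documentation address ranges, hypothetical policy names).
CLIENT = {"remote_gateway": "192.0.2.10"}
POLICIES = [
    {"name": "clients-main", "local_gateway": "192.0.2.10", "exchange_mode": "Main",
     "local_id": {"type": "ip", "value": "192.0.2.10"},
     "remote_id": {"type": "ip", "value": "0.0.0.0"}},
    {"name": "old-test", "local_gateway": "192.0.2.10", "exchange_mode": "Aggressive",
     "local_id": {"type": "ip", "value": "198.51.100.1"},
     "remote_id": {"type": "ip", "value": "203.0.113.7"}},
]

if __name__ == "__main__":
    for p in POLICIES:
        print(p["name"], check_ike_policy(p, CLIENT) or "OK")
    print("policies on this gateway:", candidate_policies(POLICIES, CLIENT))
```

When candidate_policies returns more than one name, review each listed policy as step 6 describes.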