TMS zl Management and Configuration Guide ST.1.2.100916

Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
7. Check IKE settings on the TMS zl Module against settings on the remote clients.
To establish an IKE SA, the TMS zl Module and the remote clients must agree on a number of settings. Table 10-8 displays those settings and how they should match up between the module and the remote device. Most settings must match exactly. For other settings, you match the module's local setting to the remote device's remote setting and vice versa, as indicated in the table.
Table 10-8. Match IKE Settings on the Module and VPN Clients

Setting                    TMS zl Module Setting              Remote VPN Clients
Local gateway address      Reachable module address           Any
Remote gateway address     Not applicable                     Module address
Local ID type and value    Module ID type and value           Remote client ID type and value
Remote ID type and value   Remote client ID type and value    Module ID type and value
Key exchange mode          Same mode                          Same mode
Authentication mode        Same method                        Same method
Preshared key              Same key                           Same key
Encryption algorithm       Same encryption algorithm          Same encryption algorithm
Authentication algorithm   Same authentication algorithm      Same authentication algorithm
Diffie-Hellman Group       Same group                         Same group
SA lifetime                Same SA lifetime                   Same SA lifetime

Common errors include:
- The local or remote ID has been miskeyed, or the remote device uses a different ID type.
  Note: To eliminate problems with the remote ID, you can try specifying the IP address of the test client instead of wildcards or email addresses, domain names, or distinguished names. If this change fixes the problem, you will know that you must examine the remote ID in more detail.
- The preshared key (if used) is miskeyed.
- The security settings (encryption algorithm, authentication algorithm, Diffie-Hellman group, and SA lifetime) do not match exactly.
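The matching rules of Table 10-8 can be checked mechanically. The following Python sketch is an added example, not part of the guide: it compares the IKE settings recorded for the module and for one client and lists the mismatches. The dictionary keys, the value spellings, and all sample data are assumptions constructed for illustration.

```python
import hmac

# Rows of Table 10-8 marked "Same ..." must be identical on both sides.
# Key names are hypothetical; they are not TMS zl configuration keywords.
EXACT = ["key_exchange_mode", "auth_mode", "encryption_algorithm",
         "authentication_algorithm", "dh_group", "sa_lifetime"]

def ike_mismatches(module, client):
    """Return human-readable mismatches between module and client settings."""
    problems = []
    # The client's remote gateway must be the module's reachable address.
    if client["remote_gateway"] != module["local_gateway"]:
        problems.append("client remote_gateway is not the module address")
    # IDs are mirrored: each side's local ID is the other side's remote ID.
    for mine, theirs in (("local_id", "remote_id"), ("remote_id", "local_id")):
        (m_type, m_val), (c_type, c_val) = module[mine], client[theirs]
        if m_type != c_type:
            problems.append(f"module {mine} type {m_type!r} != "
                            f"client {theirs} type {c_type!r}")
        elif m_val != c_val:
            problems.append(f"module {mine} value {m_val!r} != "
                            f"client {theirs} value {c_val!r}")
    for key in EXACT:
        if module[key] != client[key]:
            problems.append(f"{key}: module {module[key]!r} != client {client[key]!r}")
    # Compare the preshared key (if used) without echoing it into the report.
    psk_m, psk_c = module.get("preshared_key", ""), client.get("preshared_key", "")
    if not hmac.compare_digest(psk_m.encode(), psk_c.encode()):
        problems.append("preshared_key: values differ (not shown)")
    return problems

# Constructed sample settings (documentation addresses, made-up key).
MODULE = {"local_gateway": "192.0.2.1",
          "local_id": ("ip-address", "192.0.2.1"),
          "remote_id": ("email-address", "user@example.com"),
          "key_exchange_mode": "main", "auth_mode": "preshared-key",
          "preshared_key": "s3cret-Key", "encryption_algorithm": "aes-256",
          "authentication_algorithm": "sha1", "dh_group": 2, "sa_lifetime": 28800}
# Client with three of the common errors: wrong ID type, DH group, miskeyed key.
CLIENT = dict(MODULE, remote_gateway="192.0.2.1",
              local_id=("domain-name", "user.example.com"),
              remote_id=("ip-address", "192.0.2.1"),
              dh_group=5, preshared_key="s3cret-key")

if __name__ == "__main__":
    for line in ike_mismatches(MODULE, CLIENT):
        print(line)
```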