Troubleshoot IPsec/VPN/Firewall Connections (2024)

FAQs

How do I troubleshoot IPsec VPN connectivity issues? ›

The easiest test for an IPsec tunnel is a ping from one client station behind the firewall to another on the opposite side. If that works, the tunnel is up and working properly.

IPsec is a group of protocols for securing connections between devices. IPsec helps keep data sent over public networks secure. It is often used to set up VPNs, and it works by encrypting IP packets, along with authenticating the source where the packets come from.

To set up an IPSec session, the firewall needs to allow UDP protocol on specifically defined IANA port 500 for IKE (Internet Key exchange) and port 4500 for encrypted packets. ESP and AH are also protocols that are designated with IANA standardized numbers 50 and 51, respectively.

IPSec is a set of communication rules or protocols for setting up secure connections over a network. Internet Protocol (IP) is the common standard that determines how data travels over the internet. IPSec adds encryption and authentication to make the protocol more secure.

Site-to-Site VPN provides a site-to-site IPSec connection between your on-premises network and your virtual cloud network (VCN). The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.

IKEv2/IPSec is lightweight and adequately secure. It's also agile, since it's one of the few protocols that can re-establish a VPN connection when you switch networks (e.g. from mobile data to Wi-Fi).

How do I check my IPsec tunnel log? ›

On the details page of the IPsec-VPN connection, find the tunnel that you want to view and click View Logs in the Actions column. You can view the logs of each tunnel of an IPsec-VPN connection in dual-tunnel mode.

Per CNSSP 15, as of June 2020, minimum recommended settings for ISAKMP/IKE are Diffie-Hellman group 16, AES-256 encryption, and SHA-384 hash, while those for IPsec are AES-256 encryption, SHA-384 hash, and CBC block cipher mode.

Internet Protocol Security, or IPsec, enters the picture here. IPsec adds an extra layer of security to firewalls, assisting in maintaining the privacy, availability, and integrity of data. Secure remote access is one of the key reasons IPsec is necessary for firewalls.

Update the VPN app: Ensure that your VPN application is updated to the latest version, as outdated apps may lead to connectivity problems. Try a different network: If you're on Wi-Fi, try switching to cellular data, or vice versa, to see if the issue is related to a specific network.

Various factors can cause VPN disconnection. These primarily include an unstable internet connection, outdated VPN software, slow internet connection or obstructions from other applications, such as firewalls or antivirus programs.

General Site-to-Site VPN Issues

Check these items: Basic configuration: The IPSec tunnel consists of both phase-1 and phase-2 parameters. Confirm that both are configured correctly. You can configure the CPE phase 1 and phase 2 parameters in the OCI end using custom configurations.

If your Always On Virtual Private Network (VPN) setup isn't connecting clients to your internal network, you may have encountered one of the following issues: The VPN certificate is invalid. The Network Policy Server (NPS) policies are incorrect. Issues with client deployment scripts or Routing and Remote Access.