sgiannogloudis
Article Id 195317

Description
This article explains what to do when end point units suddenly cannot connect to their IPsec dial-up VPN.

Solution
Here is an example of an IPsec dial-up configuration:

# config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set mode aggressive
        set mode-cfg enable
        set ipv4-start-ip 172.16.1.1
        set ipv4-end-ip 172.16.1.254
        set ipv4-netmask 255.255.255.0

Phase 1 is configured as dynamic, with mode-cfg enabled.

Mode-cfg is responsible for dynamically assigning attributes to each end point that successfully connects to the VPN.
One of these attributes is the IP address.
The configuration supplied above can assign up to 254 IP addresses to end points.
Often, due to business expansion or acquisitions, the number of remote end users increases, and clients then complain that they can no longer connect to the VPN services.
To troubleshoot the issue, IKE debugging needs to be enabled.

Here is an example of the debug commands:

# diagnose vpn ike log-filter dst-addr4 80.80.80.80

# diagnose debug application ike -1

Debug messages will be on for 27 minutes.

# diagnose debug console timestamp enable

# diagnose debug enable

80.80.80.80 is the public IP address of the end point that initiates the VPN connection.
During debugging, an error like the following appears:
ike: could not allocate IPv4 address 

To overcome this issue, the firewall administrator needs to reserve a bigger subnet.
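The following is an added example, not part of the original article or Fortinet tooling: a small Python check that reads the mode-cfg pool from the configuration above, computes how many addresses it can hand out, counts the allocation error in a saved debug capture, and finds the smallest enclosing subnet for a given client count. The function names and the debug timestamps are assumptions, and the suggested subnet assumes the neighbouring address space is not used elsewhere.

```python
import ipaddress
import re

# Constructed input: the phase1-interface excerpt shown in the article.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "test"
        set mode-cfg enable
        set ipv4-start-ip 172.16.1.1
        set ipv4-end-ip 172.16.1.254
        set ipv4-netmask 255.255.255.0
"""
# Constructed capture: timestamps and line 2 are made up; the error text is the article's.
SAMPLE_DEBUG = """\
2024-01-01 10:00:01 ike: could not allocate IPv4 address
2024-01-01 10:00:05 ike: constructed unrelated line
2024-01-01 10:00:09 ike: could not allocate IPv4 address
"""
ALLOC_ERROR = "could not allocate IPv4 address"

def parse_pool(config_text):
    """Return (start, end, netmask) from the 'set ipv4-*' lines."""
    found = dict(re.findall(r"set ipv4-(start-ip|end-ip|netmask)\s+(\S+)", config_text))
    missing = {"start-ip", "end-ip", "netmask"} - found.keys()
    if missing:
        raise ValueError(f"mode-cfg pool incomplete, missing {sorted(missing)}")
    start = ipaddress.IPv4Address(found["start-ip"])
    end = ipaddress.IPv4Address(found["end-ip"])
    if end < start:
        raise ValueError("ipv4-end-ip is below ipv4-start-ip")
    return start, end, found["netmask"]

def pool_capacity(start, end):
    """Number of addresses mode-cfg can hand out from start..end inclusive."""
    return int(end) - int(start) + 1

def subnet_for(start, netmask, clients):
    """Grow the configured network until it has enough host addresses."""
    net = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    while net.num_addresses - 2 < clients:
        net = net.supernet()
    return net

def count_alloc_failures(debug_text):
    """Count debug lines carrying the pool-exhaustion error."""
    return sum(ALLOC_ERROR in line for line in debug_text.splitlines())

if __name__ == "__main__":
    s, e, m = parse_pool(SAMPLE_CONFIG)
    print(pool_capacity(s, e), count_alloc_failures(SAMPLE_DEBUG), subnet_for(s, m, 600))
```

For the sample pool, 600 expected clients no longer fit in the /24 or the enclosing /23, so the check returns 172.16.0.0/22.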

 

To disable mode-cfg, execute the commands below:

config vpn ipsec phase1-interface
    edit "test"
        set mode-cfg disable
    end

 

Alternatively, execute the commands below:

config vpn ipsec phase1-interface
    edit "test"
        unset mode-cfg
    end