ZyXEL Communications Internet Security Gateway ZyWALL 100 User Manual

IPSec Log

Table 30-1 Sample IKE Key Exchange Logs

| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| Send:<br>Recv: | IKE uses the ISAKMP protocol (refer to RFC2408 – ISAKMP) to transmit data. Each ISAKMP packet contains payloads of different types that show in the log - see Table 30-3. |
| Phase 1 IKE SA process done | Phase 1 negotiation is finished. |
| Start Phase 2: Quick Mode | Phase 2 negotiation is beginning using Quick Mode. |
| !! IKE Negotiation is in process | The ZyWALL has begun negotiation with the peer for the connection already, but the IKE key exchange has not finished yet. |
| !! Duplicate requests with the same cookie | The ZyWALL has received multiple requests from the same peer but it is still processing the first IKE packet from that peer. |
| !! No proposal chosen | The parameters configured for Phase 1 or Phase 2 negotiations don’t match. Please check all protocols and settings for these phases. For example, one party may be using 3DES encryption, but the other party is using DES encryption, so the connection will fail. |
| !! Verifying Local ID failed<br>!! Verifying Remote ID failed | During IKE Phase 2 negotiation, both parties exchange policy details, including local and remote IP address ranges. If these ranges differ, then the connection fails. |
| !! Local / remote IPs of incoming request conflict with rule <#d> | If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If this IP (range) conflicts with a previously configured rule then the connection is not allowed. |
| !! Invalid IP / | The peer’s “Local IP Addr” range is invalid. |
| !! Remote IP / conflicts | If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If a peer’s “Local Addr” range conflicts with other connections, then the ZyWALL will not accept VPN connection requests from this peer. |
| !! Active connection allowed exceeded | The ZyWALL limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded. |
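
The table says "No proposal chosen" can come from either phase. The following triage sketch is an added example, not part of the manual or of ZyXEL's software: it uses the "Phase 1 IKE SA process done" and "Start Phase 2: Quick Mode" messages to attribute each failure to a phase. The sample log lines are constructed, and inferring the phase from message order is an assumption.

```python
import re

# Failure messages from Table 30-1 and the cause the table gives for each.
# Variable parts (rule number, IP ranges) are matched loosely.
FAILURES = [
    (r"!! No proposal chosen", "proposal mismatch"),
    (r"!! Verifying (Local|Remote) ID failed", "local/remote IP range mismatch"),
    (r"!! Local / remote IPs of incoming request conflict with rule",
     "peer range conflicts with a configured rule"),
    (r"!! Invalid IP", "peer Local IP Addr range invalid"),
    (r"!! Remote IP .*conflicts", "peer range conflicts with another connection"),
    (r"!! Active connection allowed exceeded", "Phase 2 SA negotiation limit hit"),
]
PHASE2_MARKERS = ("Phase 1 IKE SA process done", "Start Phase 2: Quick Mode")


def triage(attempt):
    """Return (phase, cause) for each failure in one negotiation attempt.

    Assumption: lines are in log order, so a failure logged after a
    Phase 2 marker belongs to Phase 2; otherwise it belongs to Phase 1.
    """
    phase, findings = 1, []
    for line in attempt:
        if any(marker in line for marker in PHASE2_MARKERS):
            phase = 2
            continue
        for pattern, cause in FAILURES:
            if re.search(pattern, line):
                findings.append((phase, cause))
                break
    return findings


# Constructed sample attempts (message text only, no timestamps).
PHASE1_MISMATCH = ["Send:", "Recv:", "!! No proposal chosen"]
PHASE2_MISMATCH = ["Send:", "Recv:", "Phase 1 IKE SA process done",
                   "Start Phase 2: Quick Mode", "!! No proposal chosen"]
RANGE_MISMATCH = ["Phase 1 IKE SA process done", "Start Phase 2: Quick Mode",
                  "!! Verifying Remote ID failed"]

if __name__ == "__main__":
    for name, attempt in [("A", PHASE1_MISMATCH), ("B", PHASE2_MISMATCH),
                          ("C", RANGE_MISMATCH)]:
        for phase, cause in triage(attempt):
            print(f"attempt {name}: Phase {phase}: {cause}")
```

A Phase 1 finding points at the IKE proposal settings; a Phase 2 finding points at the IPSec proposal or the local and remote address ranges.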