Amer Networks E5Web GUI User Manual
Page 655
In this scenario, it can be seen that the remote network defined on Side B is larger than the
local network defined on Side A. This means that only Side A can initiate the tunnel
successfully towards Side B, since the network it proposes is the smaller one.
When Side B tries to initiate the tunnel, Side A will reject it because the proposed network is
bigger than what Side A has defined. The reason it works the other way around is that a smaller
network is considered more secure and will be accepted. This principle also applies to the
lifetimes in the proposal lists.
2. Unable to set up with config mode and getting a spurious XAuth message
The underlying reason for this message is a "No proposal chosen" condition. It appears when
something fails in terms of network size on either the local network or the remote network.
Since cOS Core has determined that it is a network size problem, it makes one last attempt to
obtain the correct network by sending a config mode request.
By using ikesnoop when each side initiates the tunnel in turn, it should be simple to compare the
networks that both sides send in phase-2. With that information it should be possible to spot
the network problem: either the networks differ in size, or they do not match at all.
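To make the acceptance rule above concrete (a proposed network is accepted only when it fits inside the network the responder has defined, and a proposed lifetime only when it is no longer than the responder's own) and to show the kind of phase-2 comparison that ikesnoop output lets you make, here is an added Python model. It is not part of this manual and not cOS Core code; the side names, networks and lifetimes are constructed sample values, and `responder_accepts` and `check_both_directions` are hypothetical helpers, not a cOS Core API.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

@dataclass(frozen=True)
class TunnelSide:
    """One endpoint's phase-2 configuration (hypothetical model, not cOS Core)."""
    name: str
    local: IPv4Network      # network this side defines as its own
    remote: IPv4Network     # network this side expects behind the peer
    lifetime: int           # IPsec SA lifetime in seconds

def responder_accepts(responder, init_local, init_remote, init_lifetime):
    """Decide whether `responder` accepts a phase-2 proposal from an initiator.

    The initiator's local network must fit inside the responder's remote
    network, the initiator's remote network inside the responder's local
    network, and the lifetime must not exceed the responder's own. Returns
    (accepted, reasons); an empty reasons list means "proposal accepted".
    """
    reasons = []
    if not init_local.subnet_of(responder.remote):
        reasons.append(
            f"initiator local {init_local} is not within {responder.name}'s "
            f"remote network {responder.remote}")
    if not init_remote.subnet_of(responder.local):
        reasons.append(
            f"initiator remote {init_remote} is not within {responder.name}'s "
            f"local network {responder.local}")
    if init_lifetime > responder.lifetime:
        reasons.append(
            f"initiator lifetime {init_lifetime}s exceeds {responder.name}'s "
            f"lifetime {responder.lifetime}s")
    # Any failed check maps to what the peer reports as "No proposal chosen".
    return (len(reasons) == 0, reasons)

def check_both_directions(side_a, side_b):
    """Simulate both sides initiating, as one would do while capturing with
    ikesnoop, and report which direction is rejected and why."""
    return {
        f"{side_a.name}->{side_b.name}": responder_accepts(
            side_b, side_a.local, side_a.remote, side_a.lifetime),
        f"{side_b.name}->{side_a.name}": responder_accepts(
            side_a, side_b.local, side_b.remote, side_b.lifetime),
    }

# Constructed sample configuration mirroring the scenario in the text:
# Side B's remote network (10.1.0.0/16) is larger than Side A's local (10.1.1.0/24).
SIDE_A = TunnelSide("A", ip_network("10.1.1.0/24"), ip_network("192.168.0.0/16"), 3600)
SIDE_B = TunnelSide("B", ip_network("192.168.0.0/16"), ip_network("10.1.0.0/16"), 3600)

if __name__ == "__main__":
    for direction, (ok, reasons) in check_both_directions(SIDE_A, SIDE_B).items():
        print(direction, "ACCEPTED" if ok else "REJECTED")
        for r in reasons:
            print("   ", r)
```

Running the model shows A->B accepted and B->A rejected with a reason naming the oversized network, which is exactly the asymmetry the text describes; comparing the two proposals side by side is the same check you would perform by hand on the phase-2 networks seen in ikesnoop output.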
Chapter 9: VPN