Scenarios


IKE Phase 1 Deleted

You might encounter the message IKE Phase 1 Deleted in the following scenarios.


At the Beginning of a Connection

If the message appears while a VPN connection is first being established, it is harmless; ignore it.


While the Connection Is in Process

If the connection status stays at Connecting for an unusually long time and then this message appears, an error has occurred during connection setup.

Possible Cause: Network connectivity problems on your machine.

Action: Fix the connectivity problems, then reconnect.

Possible Cause: The gateway is down, or the VPN service on the gateway is not running.

Action: Ensure that the gateway is up and configured to accept VPN connections.

Possible Cause: Invalid login credentials.

Action: For a Standard IPsec gateway, ensure that the password for the certificate is correct. If you are connecting to a Nortel Contivity server, ensure that the group credentials are valid.


Failed to Connect to IKE


Possible Cause

The IKE daemon (racoon) is not running.


Action

Check whether the IKE daemon (racoon) is running:

/etc/init.d/racoon status

NOTE:  You must be logged in as root to check the IKE status or to start the daemon.

If the status is Dead or Unused, use the following command to start IKE:

/etc/init.d/racoon start


Non-Root User: Failed to Connect to IKE

If you are a non-root user and receive the message Failed to connect to the Racoon Daemon while attempting a VPN connection, do the following:

  1. Ensure that IKE is running.

    For details, refer to IKE Status.

  2. If IKE is not running, start it.

    For details, refer to Failed to Connect to IKE.

  3. If IKE is running, check the IKE log.

    For details, refer to IKE Log.

  4. If the IKE log contains the message ERROR: File does not have correct permissions. Expected : 432 Has : 384, verify that you have the user privileges required to use VPN Client. The two numbers are file mode bits written in decimal: 432 is octal 0660 and 384 is octal 0600, so the file in question is missing group read and write permission.

    For details, refer to Non-Root Access.
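Steps 3 and 4 above come down to reading the IKE log and decoding the permission numbers. The following shell script is an added example; it is not part of the VPN client documentation or of racoon. It scans a log file for that error line, converts the decimal modes to octal and names the permission bits the file lacks. The log lines embedded in it are constructed for the demonstration, and the log format of a real installation may differ.

```sh
#!/bin/sh
# Added example, not part of the VPN client documentation or of racoon.

# mode_octal DECIMAL
# The IKE log prints file modes in decimal; print them as octal (432 -> 0660).
mode_octal() {
    printf '0%o\n' "$1"
}

# missing_perm_bits EXPECTED_DECIMAL ACTUAL_DECIMAL
# Prints, space separated and in chmod notation, the permission bits that
# are set in EXPECTED but clear in ACTUAL (prints nothing if none are missing).
missing_perm_bits() {
    want=$1
    have=$2
    missing=""
    for entry in 256:u+r 128:u+w 64:u+x 32:g+r 16:g+w 8:g+x 4:o+r 2:o+w 1:o+x; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( want & bit )) -ne 0 ] && [ $(( have & bit )) -eq 0 ]; then
            missing="$missing${missing:+ }$name"
        fi
    done
    printf '%s\n' "$missing"
}

# diagnose_ike_log FILE
# Scans an IKE log for the permissions error and prints one line per hit:
#   expected=0660 has=0600 missing="g+r g+w"
# Returns 1 when the log contains no such error.
diagnose_ike_log() {
    found=1
    while IFS= read -r line; do
        case $line in
            *"File does not have correct permissions"*) ;;
            *) continue ;;
        esac
        want=$(printf '%s\n' "$line" | sed -n 's/.*Expected : \([0-9][0-9]*\).*/\1/p')
        have=$(printf '%s\n' "$line" | sed -n 's/.*Has : \([0-9][0-9]*\).*/\1/p')
        [ -n "$want" ] && [ -n "$have" ] || continue
        printf 'expected=%s has=%s missing="%s"\n' \
            "$(mode_octal "$want")" "$(mode_octal "$have")" \
            "$(missing_perm_bits "$want" "$have")"
        found=0
    done < "$1"
    return $found
}

# Constructed sample log (not a real racoon log) to exercise the parser.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2010-06-01 09:15:02: INFO: racoon started
2010-06-01 09:15:03: ERROR: File does not have correct permissions. Expected : 432 Has : 384
2010-06-01 09:15:03: ERROR: failed to connect to the Racoon daemon
EOF
diagnose_ike_log "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

On a real system, run diagnose_ike_log against the IKE log file named in the IKE Log section; a non-empty "missing" field tells you which bits the file needs, which in the 432/384 case means the file must be group-readable and group-writable by the group that grants VPN Client access.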


Fragmentation of TCP Packets

When connected to a Nortel server, fragmented IP packets are not encrypted and decrypted correctly. Applications that send IP fragments might therefore not work.

For TCP applications there is a workaround: lower the MTU of the route to the gateway to less than 1400 bytes (for Ethernet). The recommended value is 1350. The route command expresses this with its mss option, which on Linux sets the per-route MTU (the two are the same route attribute in the kernel interface); TCP then derives its segment size from that MTU, so with 1350 it sends segments of at most 1310 bytes (1350 minus 20 bytes of IP header and 20 bytes of TCP header) and no packet on the route exceeds 1350 bytes.

To do this, after a successful VPN connection, do the following:

  1. At the command prompt, enter ip route.

    The routing information to the VPN server is displayed in the following format:

    VPNSERVERIPADDR via GATEWAYIPADDR dev NETWORKDEVICE

  2. Delete the existing route to the VPN server:

    route del -host VPNSERVERIPADDR

  3. Add the route back with the MTU clamp:

    route add -host VPNSERVERIPADDR gw GATEWAYIPADDR mss 1350 dev NETWORKDEVICE

    HINT:  Take the values of VPNSERVERIPADDR, GATEWAYIPADDR and NETWORKDEVICE from the routing information displayed in Step 1. The interface must be given with the dev keyword (or as the last argument); route treats an unrecognized word that is not last as an error. Verify the result with ip route: the line for the VPN server should now show mtu 1350. The change is not persistent and must be repeated after each VPN connection.
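The following shell script is an added example, not part of the VPN client documentation. It shows the arithmetic behind the recommendation (what a route MTU of 1350 means for TCP, and how much room ESP encapsulation actually leaves on a 1500-byte link) and wraps steps 1 to 3 above in one function with a dry-run mode. The cipher parameters (AES-CBC with a 16-byte IV, 3DES-CBC with an 8-byte IV, HMAC-SHA1-96 with a 12-byte ICV) and the sample route line are assumptions chosen for illustration; on a real system the route line comes from ip route and the route commands need root.

```sh
#!/bin/sh
# Added example, not part of the VPN client documentation.

# tcp_mss_for_mtu MTU
# TCP segment size used on a route with this MTU: the MTU minus a 20-byte
# IP header and a 20-byte TCP header (no options).
tcp_mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# esp_max_inner OUTER_MTU IV_LEN BLOCK ICV_LEN NAT_T
# Largest inner IP packet that still fits in OUTER_MTU after ESP wraps it:
# outer IP (20) + UDP 4500 header (8, only when NAT_T=1) + ESP SPI/seq (8)
# + IV + payload + padding to BLOCK + 2-byte trailer + ICV.
esp_max_inner() {
    outer=$1; iv=$2; block=$3; icv=$4; nat_t=$5
    fixed=$(( 20 + 8 + iv + icv ))
    if [ "$nat_t" -eq 1 ]; then fixed=$(( fixed + 8 )); fi
    # the encrypted part (payload + pad + trailer) must be a multiple of BLOCK
    enc=$(( (outer - fixed) / block * block ))
    echo $(( enc - 2 ))
}

# run CMD ARGS... : execute, or only print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vpn_route_mtu ROUTE_LINE MTU
# ROUTE_LINE is the "ip route" entry for the VPN server, in the form
# "VPNSERVERIPADDR via GATEWAYIPADDR dev NETWORKDEVICE". Replaces it with
# the same route plus the mss (per-route MTU) clamp, as in steps 2 and 3.
vpn_route_mtu() {
    line=$1
    server=$(printf '%s\n' "$line" | awk '{ print $1 }')
    gw=$(printf '%s\n' "$line" | awk '{ for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }')
    dev=$(printf '%s\n' "$line" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }')
    if [ -z "$server" ] || [ -z "$gw" ] || [ -z "$dev" ]; then
        echo "vpn_route_mtu: cannot parse route line: $line" >&2
        return 1
    fi
    run route del -host "$server" &&
    run route add -host "$server" gw "$gw" mss "$2" dev "$dev"
}

# --- demonstration with constructed values ---
echo "route MTU 1350 -> TCP MSS $(tcp_mss_for_mtu 1350)"
echo "AES-CBC/HMAC-SHA1-96 with NAT-T on a 1500-byte link: inner packets up to $(esp_max_inner 1500 16 16 12 1) bytes"
echo "3DES-CBC/HMAC-SHA1-96 without NAT-T on a 1500-byte link: inner packets up to $(esp_max_inner 1500 8 8 12 0) bytes"
# constructed "ip route" line using RFC 5737 documentation addresses
SAMPLE_ROUTE="203.0.113.10 via 192.168.1.1 dev eth0"
DRY_RUN=1 vpn_route_mtu "$SAMPLE_ROUTE" 1350
```

The ESP figures show why the documented threshold is conservative: even the bulkier AES-CBC plus NAT-T combination leaves 1422 bytes for the inner packet on a plain 1500-byte Ethernet link, so 1350 keeps a margin for links with a smaller path MTU. To apply the route change for real, drop DRY_RUN=1 and run the function as root with the line that ip route prints for the VPN server.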


Profile Creation Failed


Causes


Actions


Firewall Issues

If an iptables firewall on your machine has chain policies that drop incoming and outgoing packets, add the following rules to allow IKE (UDP port 500) and NAT-T (UDP port 4500) traffic. The options -s 0/0 -d 0/0 match any address and can be omitted; on a client you can tighten the INPUT rules by replacing -s 0/0 with the address of the VPN gateway. If a chain ends in an explicit DROP or REJECT rule rather than relying on the chain policy, insert the new rules ahead of it with iptables -I instead of appending them with -A, or they will never be reached. If the gateway does not encapsulate ESP in UDP (NAT-T), ESP (IP protocol 50) must also be allowed in both directions.


Table 1. Outgoing Packets

  Port       Configuration Command
  UDP-500    iptables -A OUTPUT -p udp -s 0/0 -d 0/0 --dport 500 -j ACCEPT
  UDP-4500   iptables -A OUTPUT -p udp -s 0/0 -d 0/0 --dport 4500 -j ACCEPT


Table 2. Incoming Packets

  Port       Configuration Command
  UDP-500    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 500 -j ACCEPT
  UDP-4500   iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 4500 -j ACCEPT
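The following shell script is an added example, not part of the VPN client documentation. It generates the rules from the two tables with two refinements a client firewall should have: the INPUT rules accept only the VPN gateway's address instead of 0/0, and the rules are inserted at the top of a chain (-I) when that chain already ends in an explicit DROP or REJECT rule, since appending with -A behind such a rule has no effect. The gateway address and the sample iptables -S output are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the VPN client documentation.

# chain_ends_in_drop CHAIN RULESET
# RULESET is the text printed by "iptables -S CHAIN". Succeeds when the
# last rule in the chain is an unconditional DROP or REJECT; rules appended
# with -A behind such a rule are never reached.
chain_ends_in_drop() {
    last=$(printf '%s\n' "$2" | grep "^-A $1 " | tail -n 1)
    case $last in
        "-A $1 -j DROP"|"-A $1 -j REJECT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# vpn_fw_rules GATEWAY INPUT_RULESET OUTPUT_RULESET
# Prints the iptables commands that allow IKE (UDP 500) and NAT-T (UDP 4500)
# between this host and GATEWAY only, choosing -A or -I per chain.
vpn_fw_rules() {
    gw=$1
    if chain_ends_in_drop INPUT "$2"; then inp="-I INPUT 1"; else inp="-A INPUT"; fi
    if chain_ends_in_drop OUTPUT "$3"; then outp="-I OUTPUT 1"; else outp="-A OUTPUT"; fi
    for port in 500 4500; do
        echo "iptables $outp -p udp -d $gw --dport $port -j ACCEPT"
        echo "iptables $inp -p udp -s $gw --dport $port -j ACCEPT"
    done
}

# Constructed rulesets as "iptables -S INPUT" / "iptables -S OUTPUT" would
# print them: INPUT relies on its DROP policy, OUTPUT ends in an explicit
# DROP rule, so the OUTPUT rules must be inserted at the top of the chain.
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_OUTPUT='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j DROP'

# 203.0.113.10 is an RFC 5737 documentation address standing in for the gateway
vpn_fw_rules 203.0.113.10 "$SAMPLE_INPUT" "$SAMPLE_OUTPUT"
```

On a live system, feed the function the real chains and apply its output as root: vpn_fw_rules GATEWAYIPADDR "$(iptables -S INPUT)" "$(iptables -S OUTPUT)" | sh. Inspect the printed commands first; the script only decides where the rules go, not whether your existing rules are sensible.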