Remote Worker VPN Troubleshooting from the Cloud

In an earlier blog, Confessions of a Reluctant Teleworker, I discussed the enterprise-grade teleworker solution I have been using at my house in Atlanta, GA, even before being grounded by COVID-19. Of course, all my teleworker networking hardware is managed via ExtremeCloud™ IQ. From the cloud, a network administrator can easily configure, provision, and monitor equipment for thousands of remote workers.

Another great advantage of the cloud is how easily a network admin can troubleshoot the virtual private network (VPN) connection of remote networking devices no matter where they are deployed. As shown in Figure 1, ExtremeCloud™ IQ provides four remote diagnostic tools to troubleshoot and validate IPsec VPNs. These tools can troubleshoot equipment at corporate headquarters (the headend) and edge devices at remote sites. Additionally, these diagnostic utilities are available to troubleshoot either layer 2 or layer 3 IPsec VPNs.


Figure 1

For example, as shown in Figure 2, the Show IPsec Tunnel utility is used to confirm that the VPN tunnel is up and running. The source and destination endpoint IP addresses, as well as tunnel duration, are all validated.


Figure 2

The creation of an IPsec tunnel involves two phases, called Internet Key Exchange (IKE) phases:

  • IKE Phase 1 - The two VPN endpoints authenticate one another and negotiate keying material. The result is an encrypted tunnel used by Phase 2 for negotiating the Encapsulating Security Payload (ESP) security associations.
  • IKE Phase 2 - The two VPN endpoints use the secure tunnel created in the first phase to negotiate ESP security associations (SAs). The ESP SAs are used to encrypt user traffic that traverses between the endpoints.

Some of the common problems that can occur if IKE Phase 1 fails to complete include:

  • Certificate problems
  • Incorrect networking settings
  • Incorrect NAT settings on an external firewall

Figure 3 displays the results of the Show IKE Event diagnostic tool. IPsec uses digital certificates during Phase 1. If IKE Phase 1 fails due to a certificate problem, ensure that you have the correct certificates installed properly on the VPN endpoints. Also, remember that certificates are time-based. Very often, a certificate problem during IKE Phase 1 is simply an incorrect clock setting on either VPN endpoint.


Figure 3

The Show IKE Event diagnostic utility can also indicate a possible networking error due to incorrect configuration. IPsec uses private IP addresses for the traffic inside the tunnel and external IP addresses for the tunnel endpoints, which are usually the public IP address of a firewall. If an IKE Phase 1 failure occurs, as shown in Figure 4, check the internal and external IP settings on the VPN devices. If an external firewall is in operation, an admin should also check the Network Address Translation (NAT) settings. Another common networking problem that causes VPNs to fail is that needed firewall ports are blocked. Ensure that the following ports are open on any firewall that the VPN tunnel may traverse:

  • UDP 500 (IPsec)
  • UDP 4500 (NAT traversal)


Figure 4

If you can confirm that IKE Phase 1 completes successfully, yet the VPN is still failing, then IKE Phase 2 is the likely culprit. Some of the common problems if IKE Phase 2 fails include:

  • Mismatched transform sets between the client and server (encryption algorithm, hash algorithm, etc.)
  • Mixing different vendor solutions

Figure 5 displays the successful results of the Show IPsec SA utility used to troubleshoot IKE Phase 2. If this tool ever indicates a failure, be sure to check both encryption and hash settings on the VPN endpoints. An admin should also check other IPsec settings such as tunnel mode. You need to verify that all settings match on both ends. Because an admin uses the same network policy configuration settings for both endpoints, such mismatches rarely happen with an ExtremeCloud™ IQ VPN solution. However, an updated configuration policy might have been pushed to a remote device and not to the VPN server. IKE Phase 2 problems are more likely to occur when different VPN vendors are used on opposite sides of the intended VPN tunnel.


Figure 5
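To tie the Phase 1 and Phase 2 checklists above together, here is an added Python example (not code from this post or from ExtremeCloud™ IQ). Given the facts an admin reads off the Show IKE Event and Show IPsec SA tools, it separates a genuinely expired certificate from a skewed endpoint clock, flags a blocked UDP 500/4500, and lists the transform-set parameters that differ between the two endpoints. The endpoint names, certificate dates and proposals are constructed for the scenario.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
REQUIRED_UDP_PORTS = {500, 4500}  # IKE and NAT traversal, per the checklist above

@dataclass
class Endpoint:
    """Facts an admin reads off one VPN endpoint (constructed, hypothetical)."""
    name: str
    clock: datetime                # what the device believes "now" is
    cert_not_before: datetime
    cert_not_after: datetime
    open_udp_ports: set = field(default_factory=set)  # reachable through the firewall
    proposal: dict = field(default_factory=dict)      # Phase 2 transform set

def _in_window(ep: Endpoint, t: datetime) -> bool:
    return ep.cert_not_before <= t <= ep.cert_not_after

def cert_clock_check(ep: Endpoint, true_now: datetime) -> str:
    """Tell an expired/not-yet-valid certificate apart from a skewed device clock."""
    if _in_window(ep, true_now) and _in_window(ep, ep.clock):
        return "ok"
    if _in_window(ep, true_now):
        return f"{ep.name}: certificate is valid but clock is off by {ep.clock - true_now}; fix the clock"
    return f"{ep.name}: certificate is outside its validity window; reissue it"

def phase1_triage(a: Endpoint, b: Endpoint, true_now: datetime) -> list:
    """Phase 1 checklist: certificate/clock problems and blocked IKE ports."""
    findings = []
    for ep in (a, b):
        verdict = cert_clock_check(ep, true_now)
        if verdict != "ok":
            findings.append(verdict)
        missing = sorted(REQUIRED_UDP_PORTS - ep.open_udp_ports)
        if missing:
            findings.append(f"{ep.name}: UDP {missing} blocked on the path")
    return findings

def phase2_mismatches(a: Endpoint, b: Endpoint) -> dict:  # Phase 2: params that differ
    keys = sorted(set(a.proposal) | set(b.proposal))
    return {k: (a.proposal.get(k), b.proposal.get(k))
            for k in keys if a.proposal.get(k) != b.proposal.get(k)}

# Constructed scenario: the remote unit's clock is a year behind, its site firewall
# blocks UDP 4500, and it received a newer policy push (hash) than the headend.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
HEADEND = Endpoint("headend", NOW, NOW - timedelta(days=30), NOW + timedelta(days=335),
                   {500, 4500}, {"encryption": "aes256", "hash": "sha256", "mode": "tunnel"})
REMOTE = Endpoint("remote-atl", NOW - timedelta(days=365), NOW - timedelta(days=30),
                  NOW + timedelta(days=335), {500}, {"encryption": "aes256", "hash": "sha1", "mode": "tunnel"})
```

Running `phase1_triage(HEADEND, REMOTE, NOW)` reports the clock skew and the blocked port, while `phase2_mismatches(HEADEND, REMOTE)` returns only the differing hash setting.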

Please follow this URL to learn more about all the remote networking solutions that Extreme Networks has to offer: https://www.extremenetworks.com/remote/

Do you want to learn more about how easily you can troubleshoot VPNs from the cloud? Please take a moment to watch this video as Erika Bagby takes you through a short tour of the VPN diagnostic tools in ExtremeCloud™ IQ:


About the Author
Extreme Networks
Extreme Marketing Team

Our global marketing team is made up of knowledgeable, passionate, and creative individuals. They promote the advances – and the momentum – of the world’s most exciting networking company through best-in-class events and communications.
