Cyberoam - VPN Troubleshooting Guide


VPN Troubleshooting Guide

Things to Know
1. An IPSec connection and an L2TP connection cannot be created with the same name, as they are treated as the same connection.
2. The IP address range in the L2TP configuration and in the PPTP configuration cannot be the same.
3. An L2TP connection will be live till the Key life specified in the Connection. On key expiry, the Server will disconnect the Connection immediately, but the Client will take a few minutes to get disconnected.
4. Preshared key Authentication type is not supported for L2TP connection in Windows 2000.
5. Cyberoam VPN IPSec Client requires:
   - Service pack (SP) 4 for Windows 2000
   - Service pack (SP) 2 for Windows XP
6. If two Connections are created with different Authentication types, i.e. Preshared key and Certificate, then only one connection can be Active at a time.
7. All the connections will become Active on VPN server startup if Active is specified for Action on restart. Only one connection can be active at a time, so deactivate all the connections, as you might receive the Unable to activate the connection error at the time of activating other connections.
8. Certificate Authority and Certificates are generated in tar.gz form. Unzip/extract using WinRAR before use.
9. Mail only that Certificate to the Remote peer whose Certificate ID is the same as the one specified as Remote ID in the Connection.

Question
I am not able to establish the connection using Preshared key for authentication, what could be the problem?
Answer
You will not be able to establish the connection if you have used a space as the last character in the preshared key. Change the preshared key and try to establish the connection again.
Question
Why am I receiving the <<Connection already exists>> error while trying to create an L2TP connection?
Answer
If you are not able to create the L2TP connection due to the above error, it means either an IPSec or an L2TP connection is already created with the same name. You will not be able to create L2TP and IPSec connections with the same name. Change the connection name and try again.
Question
Why am I receiving the <<Connection already exists>> error while trying to create an IPSec connection?
Answer
If you are not able to create the IPSec connection due to the above error, it means either an IPSec or an L2TP connection is already created with the same name. You will not be able to create L2TP and IPSec connections with the same name. Change the connection name and try again.
Question
What does the error << security layer encountered a problem >> mean?
Answer
If you are not able to establish the connection due to the above error, it means both the Cyberoam VPN client and the L2TP client are installed on the same machine. You will not be able to establish the connection if both clients are installed on the same machine. Uninstall any one of the Clients and try again.
Question
What does the number appended at the end of the Connection name indicate?
Answer
The number appended at the end of the Connection name indicates the total number of Private Networks specified in the Connection at the local and remote VPN servers, and the total number of connections that can be established.
For example,
If, for the connection rw_psk, 2 local private networks and 3 remote private networks are specified, then 6 (2*3) will be appended to the connection name and it will be displayed as rw_psk-6 in the VPN Log.
A total of 6 connections can be established and the Log entries will be "rw_psk_1-1", "rw_psk_1-2", "rw_psk_1-3", "rw_psk_1-4", "rw_psk_1-5", "rw_psk_1-6".
Question
What does ISAKMP SA established message in the VPN Log mean?
Answer
ISAKMP SA established means the phase 1 connection is successfully established. The log will also display the parameters defined for phase 1.
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: I did not send a certificate because I do not have one.
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
# auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024
# auth - authentication type
# cipher - encryption algorithm used for phase 1
# prf - authentication algorithm
# group - DH Group
    1 = MODP768
    2 = MODP1024
    5 = MODP1536
    14 = MODP2048
    15 = MODP3072
    16 = MODP4096

Question
I am receiving the inbound IPsec SA installed, expecting QI2 message in the log, what does it mean?
Answer
inbound IPsec SA installed, expecting QI2 means the phase 1 connection is successfully established and a one way tunnel, i.e. the incoming data tunnel, is established.
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Question
I am receiving the IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled} message in the log, what does it mean?
Answer
IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled} means the tunnel is successfully established.
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: Dead Peer Detection (RFC 3706): enabled
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
# xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled
# xfrm - encryption algo-authentication algo
# NATD - NAT Traversal is detected or not
# DPD - Dead Peer Detection is enabled or not
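The three milestones described in the answers above (ISAKMP SA established, inbound IPsec SA installed, IPsec SA established) can be tracked per connection with a small log parser. This is an added example, not part of the Cyberoam guide: the function names and the LEGACY list are assumptions made here, and the input is the guide's own sample entries rejoined onto single lines.

```python
import re

# The guide's sample entries for connection rw_psk_1-1, one entry per line.
SAMPLE_LOG = """\
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 28 11:54:44 1146205484 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 28 11:54:45 1146205485 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x1cb63bdc <0x859e904a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
"""

# "name"[instance] peer #state: message  (instance and peer are optional)
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])?(?: (?P<peer>[\d.]+))? '
    r'#(?P<sa>\d+): (?P<msg>.*)$')

# DH group numbers as listed in the guide.
DH_GROUPS = {1: "MODP768", 2: "MODP1024", 5: "MODP1536",
             14: "MODP2048", 15: "MODP3072", 16: "MODP4096"}
DH_BY_NAME = {name.lower(): num for num, name in DH_GROUPS.items()}

# Assumption added here (not from the guide): names that current IKE/IPsec
# guidance treats as legacy and that are worth flagging in a review.
LEGACY = ("3des", "md5", "modp768", "modp1024", "modp1536")

def parse_params(msg):
    """Decode the {...} block that ends an 'SA established' message."""
    found = re.search(r"\{(.*)\}", msg)
    params = {}
    for tok in (found.group(1).split() if found else []):
        key, sep, val = tok.partition("=")
        if tok.startswith("<"):        # second ESP SPI, printed without a key
            params.setdefault("ESP", []).append(tok[1:])
        elif key == "ESP":             # 'ESP=>0x...' carries the first SPI
            params["ESP"] = [val.lstrip(">")]
        elif key == "xfrm":            # encryption algo-authentication algo
            params["esp_encryption"], _, params["esp_auth"] = val.partition("-")
        elif sep:
            params[key] = val
    if "group" in params:
        params["dh_group_number"] = DH_BY_NAME.get(params["group"].lower())
    return params

def tunnel_status(log_text):
    """Return {connection: state}, keeping the furthest milestone reached."""
    status = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn = status.setdefault(m["conn"], {"peer": m["peer"], "stage": "none",
                                             "phase1": {}, "phase2": {}})
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            conn["stage"], conn["phase1"] = "phase1", parse_params(msg)
        elif "inbound IPsec SA installed, expecting QI2" in msg:
            conn["stage"] = "inbound-only"
        elif "IPsec SA established" in msg:
            conn["stage"], conn["phase2"] = "tunnel-up", parse_params(msg)
    return status

def legacy_parameters(conn):
    """Negotiated values whose name contains one of the LEGACY tags."""
    values = list(conn["phase1"].values()) + list(conn["phase2"].values())
    return sorted({v for v in values if isinstance(v, str)
                   and any(tag in v.lower() for tag in LEGACY)})

if __name__ == "__main__":
    for name, conn in tunnel_status(SAMPLE_LOG).items():
        print(name, conn["peer"], conn["stage"], legacy_parameters(conn))
```

A connection that stays at inbound-only or phase1 in the output never reached the final IPsec SA established entry.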
Question
Why am I not able to access any application even though the tunnel is established?
Answer
This might happen if there is a mismatch in the Connection Mode configured at the local and remote ends.
The tunnel will be established even if Connection Mode is configured as Tunnel mode at the local end and as Transport mode at the remote end, but the remote user will not be able to access any application.
Specify the same Connection Mode at both the ends and try again.
Question
From where do I know how many users are using PPTP connection to establish VPN tunnel?
Answer
You can get the list of users using PPTP connection to establish VPN tunnel from VPN Report. You can view
report from Report > VPN > PPTP Connection Log
Question
From where do I view the PPTP logs?
Answer
You can view PPTP logs from Telnet Console. You can view date wise logs from option 8 VPN Management >
option 6 PPTP VPN Logs

Question
From where do I view the PPTP logs related to plugins?
Answer
To view the PPTP logs related to plugins, go to Telnet Console option 8 VPN Management > option 6 PPTP VPN
Logs and view the debug level logs.
Question
How do I know which users are using PPTP connection?
Answer
PPTP Connection Log will give the details of all the users using PPTP connection. Log on to Cyberoam Reports
and go to VPN > PPTP Connection Log to view the date wise connection details for all the users.
Question
From where do I get PPTP connection details?
Answer
PPTP Connection Log will give the details of all the PPTP connection. Log on to Cyberoam Reports and go to VPN
> PPTP Connection Log to view the date wise connection details for all the users.
Question
How do I configure Windows 2000 client for PPTP connection?
Answer
Refer to How To - Configure Windows 2000 client for PPTP connection

VPN LOG - Error Messages

Each entry below gives the Error Message, a Sample Log and the Recommendation.

Error Message
<< mismatch of preshared secrets >>
Sample Log
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: next payload type of ISAKMP Identification Payload has an unknown value: 215
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: sending notification PAYLOAD_MALFORMED to 188.7.7.131:500
Recommendation
If you are not able to establish the connection due to this error, it means you are using different preshared keys for multiple connections using the same IP address for the remote end. You will be able to establish the connection only if the same preshared key is used for all the connections.
Change the preshared key and try again.

Error Message
<< policy does not allow OAKLEY_RSA_SIG authentication. >>
Sample Log
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: no acceptable Oakley Transform
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500
Recommendation
If you are not able to establish the connection due to this error, it means at the local end the preshared key authentication method is defined while at the remote end the digital certificate authentication method is defined, i.e. a mismatch in the authentication method. To establish the connection successfully, the authentication method defined at both the ends must be the same.
Change the authentication method at either of the ends and try again.

Error Message
<< policy does not allow OAKLEY_PRESHARED_KEY authentication. >>
Sample Log
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: no acceptable Oakley Transform
May 01 10:29:50 1146459590 pluto[7489]: "rw_cert_1-1"[1] 188.7.7.7 #2: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500
Recommendation
If you are not able to establish the connection due to this error, it means at the local end the digital certificate authentication method is defined while at the remote end the preshared key authentication method is defined, i.e. a mismatch in the authentication method. To establish the connection successfully, the authentication method defined at both the ends must be the same.
Change the authentication method at either of the ends and try again.

Error Message
<< no GROUP_DESCRIPTION >>
Sample Log
Apr 29 12:48:31 1146295111 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.7 #32: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Apr 29 12:48:31 1146295111 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.7 #32: sending encrypted notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500
Apr 29 12:48:31 1146295111 pluto[1628]: | processing connection rw_cert_1-1[2] 188.7.7.7
Recommendation
If you are not able to establish the connection due to this error, it means the PFS specified in Phase 2 at the local end does not match the PFS specified at the remote end. To establish the connection successfully, the same PFS is to be specified at both the ends.
Change PFS at either of the ends and try to establish the connection again.

Error Message
<< policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD >>
Sample Log
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: no acceptable Oakley Transform
Apr 29 11:17:12 1146289632 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.131 #10: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.131:500
Recommendation
If you are not able to establish the connection due to this error, it means user authentication is disabled at the local end while it is enabled at the remote end. To establish the connection, you need to either enable or disable authentication at both the ends.
Change the authentication method at either of the ends and try to establish the connection again.

Error Message
<< policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD >>
Sample Log
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: policy mandates Extended Authentication (XAUTH) with RSA of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: no acceptable Oakley Transform
Apr 29 13:02:03 1146295923 pluto[4919]: "rw_psk_1-1"[1] 188.7.7.7 #1: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500
Recommendation
If you are not able to establish the connection due to this error, it means user authentication is enabled at the local end while it is disabled at the remote end. To establish the connection, you need to either enable or disable authentication at both the ends.
Change the authentication method at either of the ends and try to establish the connection again.

Error Message
<< probable authentication failure (mismatch of preshared secrets?): malformed payload in packet >>
Sample Log
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: next payload type of ISAKMP Identification Payload has an unknown value: 215
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Apr 29 10:29:27 1146286767 pluto[1628]: "test_multiple_psk-1"[1] 188.7.7.131 #1: sending notification PAYLOAD_MALFORMED to 188.7.7.131:500
Recommendation
If you are not able to establish the connection due to this error, it means the preshared key specified at the local end does not match the one specified at the remote end. To establish the connection successfully, the same preshared key is to be specified at both the ends.
Change the preshared keys and try to establish the connection again.

Error Message
<< Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag >>
Sample Log
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: no acceptable Oakley Transform
Apr 28 12:38:20 1146208100 pluto[18126]: "rw_psk_1-1"[1] 188.7.7.1 #11: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.1:500
Recommendation
If you are not able to establish the connection due to this error, it means the Encryption Algorithm, Authentication Algorithm and/or DH Group (phase 1) specified at the local end does not match the one specified at the remote end. To establish the connection successfully, the same configuration is required at both the ends.
Update the configuration and try to establish the connection again.

Error Message
<< Signature check (on @client1.elitecore.com) failed (wrong key?); tried *AwEAAbc0R >>
Sample Log
Apr 29 11:19:48 1146289788 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.131 #14: Signature check (on @client1.elitecore.com) failed (wrong key?); tried *AwEAAbc0R
Apr 29 11:19:48 1146289788 pluto[1628]: "rw_cert_1-1"[2] 188.7.7.131 #14: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.131:500
Recommendation
If you are not able to establish the connection due to this error, it means the wrong remote certificate is used for establishing the connection.
Change the certificate and try to establish the connection again.

Error Message
<< certificate was revoked >>
Sample Log
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: certificate was revoked on Apr 29 06:15:34 UTC 2006
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: X.509 certificate rejected
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: no RSA public key known for '@client1.elitecore.com'
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.131:500
Recommendation
If you are not able to establish the connection due to this error, it means you are using a revoked certificate to establish the connection. You will not be able to establish the connection using the revoked certificate.
Replace the certificate and try to establish the connection again.

Error Message
<< cannot respond to IPsec SA request because no connection is known >>
Sample Log
Apr 29 12:22:02 1146293522 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.7 #28: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/20===187.7.7.43[@server.elitecore.com]...188.7.7.7[@client1.elitecore.com]
Apr 29 12:22:02 1146293522 pluto[1628]: "rw_cert_1-1"[1] 188.7.7.7 #28: sending encrypted notification INVALID_ID_INFORMATION to 188.7.7.7:500
# 192.168.0.0/20===187.7.7.43[@server.elitecore.com]...188.7.7.7[@client1.elitecore.com] - network definition
# 192.168.0.0/20===187.7.7.43[@server.elitecore.com]--187.7.7.254...%any[@client1.elitecore.com]
# 192.168.0.0/20===187.7.7.43[server@elitecore.com,XS+S=C]:17/80--187.7.7.254...%any[[email protected],XC+S=C]:17/0
192.168.0.0/20===187.7.7.43[server@elitecore.com,XS+S=C]:17/85--187.7.7.254...%any[[email protected],XC+S=C]:17/0
    192.168.0.0/20 - internal network - specified secure access
    187.7.7.43 - server ip
    [email protected] - Local ID
    XS+S=C - specifies user authentication as server
    17/80 - specifies protocol = udp and port = 80
    187.7.7.254 - gateway
    %any - dynamic ip of remote
    [email protected] - Remote ID
    XC+S=C - specifies user authentication as client
    17/0 - specifies protocol = udp and port = any
Recommendation
If you are not able to establish the connection due to this error, it means there is a mismatch in the network parameters and/or Quick mode selectors specified at both the ends.
Check and make sure that the following parameters specified at both the ends are the same:
    Local Network details
    Remote Network details
    Quick Mode selectors
Make sure, if a subnet is specified at the local end, then the same subnet, and not a single host or range of hosts, is specified at the remote end.
Make sure, if a single host is specified at the local end, then the same host is specified at the remote end also.
Make the relevant changes and try to connect again.

Error Message
<< peer is NATed >>
Sample Log
May 01 17:10:44 1146483644 pluto[21903]: "rw_psk_1-1"[6] 187.7.7.254 #12: NATTraversal: Result using draft-ietf-ipsec-nat-tike-02/03: peer is NATed
Recommendation
If you are not able to establish the connection due to this error, it means the connection request from the remote end is being NATted between the remote end and Cyberoam, i.e. the host making the Connection request to the Cyberoam lies behind the NAT router, but NAT Traversal is not enabled from the Connection in the Cyberoam.
Enable Allow NAT Traversal from Cyberoam Connection and try to connect again.

Error Message
<< INVALID_KEY_INFORMATION >>
Sample Log
May 02 18:58:56 1146576536 pluto[22425]: | Notify Message Type: INVALID_KEY_INFORMATION
May 02 18:58:56 1146576536 pluto[22425]: "ntn_rsa_1-1" #51: ignoring informational payload, type INVALID_KEY_INFORMATION
May 02 18:58:56 1146576536 pluto[22425]: | info:
May 02 18:58:56 1146576536 pluto[22425]: "ntn_rsa_1-1" #51: received and ignored informational message
May 02 18:59:36 1146576576 pluto[22425]: | processing connection ntn_rsa_1-1
May 02 18:59:36 1146576576 pluto[22425]: "ntn_rsa_1-1" #51: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Recommendation
If you are not able to establish the connection due to this error, it means the local ID and remote ID specified at the remote end do not match the IDs specified at the local end.
At the remote end:
    Local ID should be the same as the remote ID specified at the local end
    Remote ID should be the same as the local ID specified at the local end
Update the IDs in the Connection and try to connect again.
If certificate based authentication is defined in the Connection, then the Local and Remote IDs must be the same as specified while creating the Certificate or as specified in Subject Alternative Name.

Error Message
<< issuer cacert not found >>
Sample Log
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: issuer cacert not found
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: X.509 certificate rejected
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: no RSA public key known for 'C=IN, ST=Gujarat, L=Ahmedabad, O=Elitecore Technologies Ltd., OU=Elitecore Technologies Ltd.VPN, CN=Elitecore Technologies Ltd.cert_for_intranet, [email protected]'
May 12 13:04:00 1147419240 pluto[5259]: "old_254_cert-1"[1] 188.7.7.43 #1: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.43:500
Recommendation
If you are not able to establish the connection due to this error, it means the Certificate Authority is not uploaded at the local end. If a Digital Certificate is used for authentication, then the Certificate Authority (CA) who issued the Certificate is required to be uploaded.
Upload the CA and try to establish the connection again.
Note: If an external CA is used for authentication, then upload all the files received from the CA.

Error Message
<< Cannot respond to IPsec SA request because no connection is known >>
Sample Log
May 12 18:30:01 1147438801 pluto[6156]: "ellitetest-1"[11] 220.236.29.176 #76: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===203.88.128.94...220.236.29.176[172.16.0.100]===172.16.0.100/32
May 12 18:30:01 1147438801 pluto[6156]: "ellitetest-1"[11] 220.236.29.176 #76: sending encrypted notification INVALID_ID_INFORMATION to 220.236.29.176:4500
Recommendation
If you are not able to establish the connection due to this error, it means the Connection request from the Road Warrior is being NATted between the Road Warrior and Cyberoam, i.e. the host making the Connection request to the Cyberoam lies behind the NAT router, but NAT Traversal is not enabled from the Connection in the Cyberoam.
Enable Allow NAT Traversal from Cyberoam Connection and try to connect again.

Error Message
<< peer requested 604800 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length) >>
Sample Log
May 13 00:09:39 1147459179 pluto[6156]: | af+type: OAKLEY_LIFE_DURATION (variable length)
May 13 00:09:39 1147459179 pluto[6156]: | length/value: 4
May 13 00:09:39 1147459179 pluto[6156]: | long duration: 604800
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: peer requested 604800 seconds which exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: no acceptable Oakley Transform
May 13 00:09:39 1147459179 pluto[6156]: "Verso-2" #548: sending notification NO_PROPOSAL_CHOSEN to 12.45.97.98:500
Recommendation
If you are not able to establish the connection due to this error, it means the key life specified in the policy at the remote end exceeds the 86400 seconds limit. This situation will arise only if the remote server is not Cyberoam.
Check the log for the ISAKMP SA established message. If you have received this message, it means the phase 1 connection is successfully established. Change the key life specified in phase 2 at the remote server and try to connect again; else change the key life specified in phase 1 at the remote server and try to connect again.

Error Message
<< X.509 certificate is not valid until <date> >>
Sample Log
checking validity of "C=IN, ST=Gujarat, L=Ahmedabad, O=eLitecore, OU=Cyberoam, CN=eLitecoretest_man, [email protected]": X.509 certificate is not valid until Sep 30 04:59:55 UTC 2006 (it is now=Sep 29 06:58:10 UTC 2006)
Sep 29 12:28:10 1159513090 pluto[29265]: "test-1" #30: X.509 certificate rejected
Recommendation
If you are not able to establish the connection due to this error, the certificate used is not valid due to the date mismatch. This situation will arise only if there is a mismatch between the remote certificate's validity dates and the system date of the local server, e.g. the certificate is valid from 25th October to 1st November, you are trying to establish the connection on 25th October from the local server but the local server's system date is 26th October.
Change the local server's system date from Telnet Console and try to connect again.
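One way to apply the error table above when reading a log: the generic entries (no acceptable Oakley Transform, the notification that is sent) follow many different errors, so a triage script should key on the specific message and record the notification separately. This is an added example, not part of the Cyberoam guide: the cause texts are condensed from the Recommendation entries, the function and variable names are assumptions, and the sample log is constructed from the guide's own sample entries.

```python
import re

# Constructed input: sample entries from three of the guide's error rows,
# placed in one log and rejoined onto single lines.
SAMPLE_LOG = """\
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: no acceptable Oakley Transform
May 01 10:17:34 1146458854 pluto[7489]: "rw_psk_1-1"[1] 188.7.7.7 #1: sending notification NO_PROPOSAL_CHOSEN to 188.7.7.7:500
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: certificate was revoked on Apr 29 06:15:34 UTC 2006
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: X.509 certificate rejected
Apr 29 11:49:54 1146291594 pluto[1628]: "rw_cert_1-1"[6] 188.7.7.131 #21: sending encrypted notification INVALID_KEY_INFORMATION to 188.7.7.131:500
May 02 18:58:56 1146576536 pluto[22425]: | Notify Message Type: INVALID_KEY_INFORMATION
May 02 18:58:56 1146576536 pluto[22425]: "ntn_rsa_1-1" #51: ignoring informational payload, type INVALID_KEY_INFORMATION
"""

# (pattern for the specific message, cause condensed from the guide)
RULES = [
    (r"mismatch of preshared secrets", "preshared key differs between the ends, or between connections to the same remote IP"),
    (r"policy does not allow OAKLEY_RSA_SIG", "authentication method mismatch: preshared key at local end, digital certificate at remote end"),
    (r"policy does not allow OAKLEY_PRESHARED_KEY", "authentication method mismatch: digital certificate at local end, preshared key at remote end"),
    (r"Quick I1 SA specifies no GROUP_DESCRIPTION", "PFS specified in Phase 2 differs between the ends"),
    (r"policy does not allow Extended Authentication", "user authentication disabled at local end, enabled at remote end"),
    (r"policy mandates Extended Authentication", "user authentication enabled at local end, disabled at remote end"),
    (r"refused due to strict flag", "phase 1 Encryption Algorithm, Authentication Algorithm and/or DH Group differs"),
    (r"Signature check .* failed", "wrong remote certificate is used"),
    (r"certificate was revoked", "remote end is using a revoked certificate"),
    (r"issuer cacert not found", "Certificate Authority is not uploaded at the local end"),
    (r"no connection is known", "network details or Quick Mode selectors differ, or NAT Traversal is not enabled"),
    (r"peer is NATed", "request is NATted; check that Allow NAT Traversal is enabled in the Connection"),
    (r"ignoring informational payload, type INVALID_KEY_INFORMATION", "Local ID / Remote ID do not match the IDs at the other end"),
    (r"peer requested \d+ seconds which exceeds our limit", "key life at the remote end exceeds the local limit"),
    (r"X\.509 certificate is not valid until", "certificate validity dates do not match the local system date"),
]

# "name"[instance] peer #state: message  (instance and peer are optional)
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])?(?: (?P<peer>[\d.]+))? '
    r'#(?P<sa>\d+): (?P<msg>.*)$')
NOTIFY_RE = re.compile(r"sending (?:encrypted )?notification (\w+) to")

def triage(log_text):
    """Return {(connection, state number): finding} for failed negotiations."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # debug lines starting with "|" name no connection
        key = (m["conn"], int(m["sa"]))
        entry = findings.setdefault(
            key, {"peer": m["peer"], "cause": None, "notification": None})
        sent = NOTIFY_RE.search(m["msg"])
        if sent:
            entry["notification"] = sent.group(1)
        elif entry["cause"] is None:  # keep the first specific message only
            entry["cause"] = next(
                (c for p, c in RULES if re.search(p, m["msg"])), None)
    return {k: v for k, v in findings.items()
            if v["cause"] or v["notification"]}

if __name__ == "__main__":
    for (conn, sa), f in triage(SAMPLE_LOG).items():
        print(f'{conn} #{sa} peer={f["peer"]} sent={f["notification"]}: {f["cause"]}')
```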

Document Version: 9410-1.0-08/01/2007
