Troubleshooting IPsec tunnels

This troubleshooting information describes typical problems that you might encounter when configuring and establishing your IPsec tunnels, together with suggested actions for resolving them.

Problem: Your tunnel cannot be established

Suggested action: Use the appropriate show command for your device to display the tunnel status. If the tunnel is down, check the settings for your tunnel against the supported settings and best practices.

Check that the following items have been correctly configured in your device’s connection profile:

  • Tunnel destination address (Forcepoint FQDN or gateway IP address)
  • Pre-shared key
  • IKE protocol (IKEv2)
  • IKE cipher
  • IKE ID (FQDN or public IP address)
  • IKE ID DH group
  • IPsec encryption algorithm

Check that the device’s IKE ID and pre-shared key match those configured in the Private Access management portal.
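The checklist above is easy to get wrong in small ways (an IKE ID with different letter case or a trailing dot, a key pasted with a stray space, an IKEv1 profile left over from a previous tunnel). The following pre-flight check is an added example, not code from the Forcepoint documentation or the Private Access portal: it compares a device connection profile with the values recorded in the portal and reports each mismatch in the terms used by the checklist. The dictionary field names, the sample profiles and the `SUPPORTED_DH_GROUPS` set are constructed assumptions; replace the DH group set with the values from the supported-settings documentation for your device.

```python
"""Added example: pre-flight comparison of a device IPsec profile against the
portal record. Field names and sample values are constructed, not a vendor schema."""
import hmac
import ipaddress
import re

# Assumption: the DH groups your deployment accepts. Take the real list from the
# supported-settings documentation; an unsupported group often breaks rekeying.
SUPPORTED_DH_GROUPS = {14, 19, 20}

# RFC 1123 host-name labels; the lookahead caps the total length at 253 characters.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalise_ike_id(value):
    """Canonical form so 'GW.Example.COM.' and 'gw.example.com' compare equal."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))  # canonical IPv4/IPv6 text
    except ValueError:
        return value.lower().rstrip(".")


def ike_id_kind(value):
    """Classify an identifier as 'ip', 'fqdn' or 'invalid'."""
    value = normalise_ike_id(value)
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "fqdn" if FQDN_RE.match(value) else "invalid"


def check_profile(device, portal):
    """Return a list of findings; an empty list means no mismatch was detected.

    device keys: tunnel_destination, psk, ike_version, ike_cipher, ike_id,
                 dh_group, ipsec_encryption
    portal keys: gateway, psk, ike_cipher, ike_id, ipsec_encryption
    """
    findings = []

    dest_kind = ike_id_kind(device["tunnel_destination"])
    if dest_kind == "invalid":
        findings.append("tunnel destination is neither an FQDN nor an IP address")
    elif normalise_ike_id(device["tunnel_destination"]) != normalise_ike_id(portal["gateway"]):
        findings.append("tunnel destination does not match the gateway in the portal")

    # Compare the secret in constant time and never echo it in a finding.
    if not hmac.compare_digest(device["psk"].strip().encode(), portal["psk"].encode()):
        findings.append("pre-shared key differs from the portal value")

    if device["ike_version"].upper() != "IKEV2":
        findings.append(f"IKE version is {device['ike_version']}; IKEv2 is required")

    if device["ike_cipher"] != portal["ike_cipher"]:
        findings.append("IKE cipher differs from the portal value")

    id_kind = ike_id_kind(device["ike_id"])
    if id_kind == "invalid":
        findings.append("IKE ID is neither an FQDN nor a public IP address")
    elif normalise_ike_id(device["ike_id"]) != normalise_ike_id(portal["ike_id"]):
        findings.append("IKE ID does not match the portal value")
    if id_kind == "ip" and not ipaddress.ip_address(normalise_ike_id(device["ike_id"])).is_global:
        findings.append("IKE ID is an IP address but not a public one")

    if device["dh_group"] not in SUPPORTED_DH_GROUPS:
        findings.append(f"DH group {device['dh_group']} is not in the supported set")

    if device["ipsec_encryption"] != portal["ipsec_encryption"]:
        findings.append("IPsec encryption algorithm differs from the portal value")

    return findings


# Constructed sample data: what the portal shows, and two device profiles.
PORTAL = {
    "gateway": "gw.example.com",
    "psk": "constructed-example-psk",
    "ike_cipher": "aes256-sha256",
    "ike_id": "branch1.example.com",
    "ipsec_encryption": "aes256-gcm",
}
GOOD_DEVICE = {
    "tunnel_destination": "GW.Example.COM.",  # differs only in case and trailing dot
    "psk": "constructed-example-psk",
    "ike_version": "ikev2",
    "ike_cipher": "aes256-sha256",
    "ike_id": "Branch1.example.com",
    "dh_group": 14,
    "ipsec_encryption": "aes256-gcm",
}
BAD_DEVICE = dict(GOOD_DEVICE, psk="constructed-example-psk ", ike_version="IKEv1", dh_group=2)

if __name__ == "__main__":
    for name, profile in (("good", GOOD_DEVICE), ("bad", BAD_DEVICE)):
        print(name, check_profile(profile, PORTAL) or "no mismatches")
```

Run it against your own profile by filling in the two dictionaries from the device configuration and the portal; the findings map one-to-one onto the checklist items, so a clean run means the next place to look is the access list or routing rather than the connection profile.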

Problem: Your tunnel is up, but traffic is not flowing through the tunnel

Suggested action: Use the appropriate show command for your device to display the tunnel status. If the tunnel is up:
  • Check that the IPsec access list is configured to allow traffic through the tunnel from the Forcepoint gateway addresses.
  • Capture traffic on the edge device and check whether the traffic is being routed through the tunnel.
Problem: Your device has previously connected, but cannot re-establish the tunnel

Suggested action: Check the settings for your tunnel against the supported settings.

In particular, check that you are using supported DH group settings. When set incorrectly, these settings can cause problems at the renegotiation stage.

Clear the IPsec security associations on your device, and attempt to re-establish the tunnel.

Tip: While testing, temporarily set the Lifetime value for your connection to a low value (such as 10 minutes) to check whether the tunnel can successfully re-establish. Once the tunnel is re-establishing correctly, revert the lifetime to the recommended value.