7 IPsec VPN                                                                                    143

Turning off certificate validation

One of the ways to troubleshoot problems with CA server access is to turn off the requirement to validate certificates. By default, checking is always enabled.

Attempts to access CA servers by the SEG can be disabled by setting the CRL option for a certificate object to No (the default is Yes). For example:

    Device:/> set Certificate my_cert CRL=No

This means that checking against the CA server's revocation list (CRL) will be turned off and access to the server will not be attempted.

When switching off CRL checking, it may not be necessary to apply the CRL=No option to all certificates. This option follows the chain of certificate dependency. If it is applied to the root certificate of the chain, it is automatically applied to all dependent certificates.

IPsec troubleshooting

This section deals with how to troubleshoot the common problems that are found with VPN.

General troubleshooting

In all types of VPNs some basic troubleshooting checks can be made:

• Check that all IP addresses have been specified correctly.

• Check that all pre-shared keys and usernames/passwords are correctly entered.

• Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by "Pinging" the internal IP address of the local network interface on the SEG from a client (in LAN to LAN setups pinging could be done in any direction). If the SEG is to respond to a Ping then the following rule must exist in the IP rule set:

      Action   Src Interface   Src Network   Dest Interface   Dest Network   Service
      Allow    vpn_tunnel      all-nets      core             all-nets       ICMP

• Ensure that another IPsec Tunnel definition is not preventing the correct definition being reached. The tunnel list is scanned from top to bottom by the SEG and a tunnel in a higher position with the Remote Network set to all-nets and the Remote Endpoint set to none could prevent the correct tunnel being reached. A symptom of this is often an Incorrect Pre-shared Key message.
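The tunnel-ordering check described in the last item above, written out as an added example that is not part of the manual or of the SEG software: it walks a tunnel list in the same top-to-bottom order and reports tunnels sitting below a catch-all entry. The IPsecTunnel record, the function names and all tunnel names and addresses are constructed for the example.

```python
# Added example, not from the manual: mimics the SEG's top-to-bottom scan of
# the IPsec tunnel list and reports tunnels that a higher catch-all entry
# (Remote Network = all-nets, Remote Endpoint = none) can stop from being reached.
# The IPsecTunnel record and all names/addresses below are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IPsecTunnel:
    name: str
    remote_network: str             # "all-nets" or a network such as "10.20.0.0/16"
    remote_endpoint: Optional[str]  # peer address, or None when set to "none"


def is_catch_all(tunnel: IPsecTunnel) -> bool:
    """all-nets plus no Remote Endpoint matches any peer, so tunnels below it are never tried."""
    return tunnel.remote_network.lower() == "all-nets" and tunnel.remote_endpoint is None


def find_shadowed_tunnels(tunnels: List[IPsecTunnel]) -> List[str]:
    """Walk the list in SEG scan order; once a catch-all is seen, every later tunnel is flagged."""
    findings: List[str] = []
    catch_all: Optional[IPsecTunnel] = None
    for tunnel in tunnels:
        if catch_all is not None:
            findings.append(
                f"{tunnel.name} may never be reached: {catch_all.name} above it matches any peer "
                "(peers meant for this tunnel typically see an Incorrect Pre-shared Key message)"
            )
        elif is_catch_all(tunnel):
            catch_all = tunnel
    return findings


# Constructed sample list: the roaming-client catch-all was placed first by mistake.
MISORDERED = [
    IPsecTunnel("roaming_clients", "all-nets", None),
    IPsecTunnel("branch_office", "10.20.0.0/16", "203.0.113.10"),
]

# Same tunnels with the specific LAN-to-LAN tunnel moved above the catch-all.
CORRECTED = [MISORDERED[1], MISORDERED[0]]

if __name__ == "__main__":
    for label, tunnels in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, find_shadowed_tunnels(tunnels) or "no shadowed tunnels")
```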