FortiGate - Command Lines for debug IPSEC tunnels

Author Johnny Josefsson on April 19, 2013

STATUS
diag debug status


ENABLE
diagnose debug enable


DISABLE
diagnose debug disable


DEBUG TO CONSOLE
diagnose debug console


DEBUG IPSEC PHASE 1 AND 2

diag vpn ike log-filter dst-addr4 
diag debug enable
diag debug console
diag debug app ike 255

diag debug disable
diag vpn ike log-filter clear
diag debug reset


[diag vpn ike log-filter *]
clear     erase the current filter
dst-addr4 the IPv4 destination address range to filter by
dst-addr6 the IPv6 destination address range to filter by
dst-port  the destination port range to filter by
interface interface that IKE connection is negotiated over
list      display the current filter
name      the phase1 name to filter by
negate    negate the specified filter parameter
src-addr4 the IPv4 source address range to filter by
src-addr6 the IPv6 source address range to filter by
src-port  the source port range to filter by
vd        index of virtual domain. -1 matches all


TIP
To initiate traffic from another source so that the tunnel is triggered up, use a command like this, preferably in another window:
              execute ping-options source 172.16.100.100


CROSS-VENDOR TESTS
http://www.admin-magazine.com/Articles/Cross-Vendor-IPsec


Table 62: Important terms to look for in VPN debug output

initiator                        Starts the VPN attempt; in the above procedure that is the remote end
responder                        Answers the initiator's request
local ID                         In aggressive mode, this is not encrypted
error no SA proposal chosen      There was no proposal match: no encryption-authentication pair in common. Usually occurs after a long list of proposal attempts
R U THERE and R U THERE ack      Dead peer detection (DPD), also known as dead gateway detection. After three failed attempts to contact the remote end it is declared dead and no further attempts are made to contact it
negotiation result               Lists the proposal settings that were agreed on
SA_life_soft and SA_life_hard    Negotiating a new key, and the key life
R U THERE                        If you see this, it means Phase 1 was successful
tunnel up                        The negotiation was successful; the VPN tunnel is operational
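As an added example (not part of the original article), a small Python helper that scans saved `diag debug app ike 255` console output for the Table 62 terms and applies the three-missed-probes DPD rule. The sample lines inside it are constructed for the example, not captured from a FortiGate; only the Table 62 terms in them are meaningful.

```python
"""Triage helper for FortiGate 'diag debug app ike 255' console output.

The sample lines near the bottom are constructed for this example, not real
FortiGate output: only the Table 62 terms are meaningful, the prefixes are made up.
"""
import re
import sys

# Order matters: "R U THERE ack" must be tested before the bare "R U THERE".
PATTERNS = [
    (re.compile(r"no SA proposal chosen", re.I), "proposal_mismatch"),
    (re.compile(r"R U THERE ack", re.I), "dpd_ack"),
    (re.compile(r"R U THERE", re.I), "dpd_probe"),
    (re.compile(r"negotiation result", re.I), "negotiation_result"),
    (re.compile(r"SA_life_(soft|hard)", re.I), "rekey"),
    (re.compile(r"tunnel up", re.I), "tunnel_up"),
]
DPD_FAILURES_BEFORE_DEAD = 3  # Table 62: three failed attempts, then dead


def triage(lines):
    """Return a summary dict for an iterable of debug output lines."""
    counts = {name: 0 for _, name in PATTERNS}
    unanswered = 0  # consecutive "R U THERE" probes without an ack
    peer_declared_dead = False
    for line in lines:
        for pattern, name in PATTERNS:
            if not pattern.search(line):
                continue
            counts[name] += 1
            if name == "dpd_probe":
                unanswered += 1
                peer_declared_dead |= unanswered >= DPD_FAILURES_BEFORE_DEAD
            elif name == "dpd_ack":
                unanswered = 0
            break  # one event per line
    return {
        **counts,
        # Table 62: "R U THERE" (or "tunnel up") means Phase 1 succeeded
        "phase1_ok": counts["dpd_probe"] > 0 or counts["tunnel_up"] > 0,
        "peer_declared_dead": peer_declared_dead,
    }


# Constructed samples (not captured from a device).
SAMPLE_OK = ["ike 0:tun1: no SA proposal chosen", "ike 0:tun1: negotiation result",
             "ike 0:tun1: SA_life_soft 3600", "ike 0:tun1: tunnel up",
             "ike 0:tun1: send R U THERE", "ike 0:tun1: recv R U THERE ack"]
SAMPLE_DEAD = ["ike 0:tun1: send R U THERE"] * DPD_FAILURES_BEFORE_DEAD

if __name__ == "__main__":  # pipe saved console output in; else run the sample
    print(triage(sys.stdin if not sys.stdin.isatty() else SAMPLE_OK))
```

Save the console output to a file and pipe it in (`python3 triage.py < ike.log`) to get the counts for a real session.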

Category: Fortinet, Fortigate

Last updated on April 21, 2013 with 9746 views