acvaldez
Staff
August 16, 2020

Troubleshooting Tip: IPsec tunnel (debugging IKE)


Description


This article describes how to troubleshoot IKE on an IPsec tunnel.

 

Scope

 

FortiGate.

Solution


Filter the IKE debugging log by using the following command:

 

diagnose vpn ike log filter name Tunnel_1

In versions before FortiOS v7.4.1, the command was 'diagnose vpn ike log-filter'.

 

Here are the other options for the IKE filter:

 

list          <----- Display the current filter.
clear         <----- Erase the current filter.
name          <----- Phase1 name to filter by.
src-addr4     <----- IPv4 source address range to filter by.
msrc-addr4    <----- Multiple IPv4 source addresses to filter by.
dst-addr4     <----- IPv4 destination address range to filter by.
mdst-addr4    <----- Multiple IPv4 destination addresses to filter by.
src-addr6     <----- IPv6 source address range to filter by.
msrc-addr6    <----- Multiple IPv6 source addresses to filter by.
dst-addr6     <----- IPv6 destination address range to filter by.
mdst-addr6    <----- Multiple IPv6 destination addresses to filter by.
src-port      <----- Source port range to filter by.
dst-port      <----- Destination port range to filter by.
vd            <----- Index of virtual domain. -1 matches all.
interface     <----- Interface that the IKE connection is negotiated over.
negate        <----- Negate the specified filter parameter.

 

Example of IKE debug command:

 

diagnose vpn ike log-filter dst-addr4 x.x.x.x <----- Filter by remote-gateway address (before v7.4.1).

diagnose vpn ike log filter rem-addr4 x.x.x.x <----- Filter by remote-gateway address (v7.4.1 and above).

diagnose debug app ike -1 <----- Enable the IKE application debug.

diagnose debug console timestamp enable <----- Add timestamps to the output to cross-check with VPN events.
diagnose debug enable <----- Display the debug output.

diagnose debug disable <----- Stop the debug output.

 

Example output that shows that there is an issue with the VPN IKE negotiation:

 

ike 0: comes 192.168.175.153:500->192.168.175.152:500,ifindex=3....
ike 0: IKEv1 exchange=Identity Protection id=ceb2556bb6a76a83/69eea84d4ce9b6c8 len=108
ike 0: in CEB2556BB6A76A8369EEA84D4CE9B6C805100201000000000000006CCD04DA2FAF085808B8B045C1AE7D3E8A9BECB21CD179AACD8965B038D50A5A9713BCB6C53E5D18F6EE42EB77E8ADC0851783CBC676C7A93F30C0F9DCAC2E097A0E678A42D889777CAFC8DC0FC73C0E9F
ike 0:Tunnel_1:30: responder: main mode get 3rd message...
ike 0:Tunnel_1:30: dec CEB2556BB6A76A8369EEA84D4CE9B6C805100201000000000000006C7417465E8BE5E10828E160CB2ACED88EC9EC68E9C4B84E29743ED43E9723086CADD6EF04768A557744BADE51B4C19645E35B56519BB56CA1800DB16533C40AE802554C8E295986F716B7B3C288704D83
ike 0:Tunnel_1:30: parse error
ike 0:Tunnel_1:30: probable pre-shared secret mismatch

-------------------------------------------------------------------------------------------------------------------------------------


Note:

In this example, the IPsec tunnel has a pre-shared key mismatch. From here, make the pre-shared key identical on both peers.

 

ike 0:Tunnel_1: local:192.168.175.152, remote:192.168.175.153
ike 0:Tunnel_1: cached as static-ddns.
ike 0: cache rebuild done
ike 0:46a575d716dbabec/0000000000000000:39: negotiation result
ike 0:46a575d716dbabec/0000000000000000:39: proposal id = 1:
ike 0:46a575d716dbabec/0000000000000000:39:   protocol id = ISAKMP:
ike 0:46a575d716dbabec/0000000000000000:39:      trans_id = KEY_IKE.
ike 0:46a575d716dbabec/0000000000000000:39:      encapsulation = IKE/none
ike 0:46a575d716dbabec/0000000000000000:39:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:46a575d716dbabec/0000000000000000:39:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:46a575d716dbabec/0000000000000000:39:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:46a575d716dbabec/0000000000000000:39:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:46a575d716dbabec/0000000000000000:39: ISAKMP SA lifetime=86400
ike 0:46a575d716dbabec/0000000000000000:39: SA proposal chosen, matched gateway Tunnel_1
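To show how the two debug captures above can be triaged without reading them line by line, here is an added script (the editor's example, not part of this article or of FortiOS). It flags the 'probable pre-shared secret mismatch' line from the first capture and extracts the negotiated phase 1 attributes from the second; the sample log text is constructed from the lines shown above, and the 'no proposal chosen' pattern and the next-step wording are assumptions.

```python
import re

# Constructed sample captures modelled on this article's debug output
# (the long hex payload lines are omitted; not real captures).
PSK_MISMATCH_LOG = """\
ike 0: comes 192.168.175.153:500->192.168.175.152:500,ifindex=3....
ike 0:Tunnel_1:30: responder: main mode get 3rd message...
ike 0:Tunnel_1:30: parse error
ike 0:Tunnel_1:30: probable pre-shared secret mismatch
"""
SUCCESS_LOG = """\
ike 0:46a575d716dbabec/0000000000000000:39: negotiation result
ike 0:46a575d716dbabec/0000000000000000:39:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:46a575d716dbabec/0000000000000000:39:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:46a575d716dbabec/0000000000000000:39:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:46a575d716dbabec/0000000000000000:39:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:46a575d716dbabec/0000000000000000:39: SA proposal chosen, matched gateway Tunnel_1
"""
# The PSK marker is quoted from this article; the "no proposal chosen"
# wording is an assumption based on the article's note, not a verified string.
FAILURE_PATTERNS = [
    (re.compile(r"probable pre-shared secret mismatch"), "psk_mismatch"),
    (re.compile(r"no (?:SA )?proposal chosen", re.I), "proposal_mismatch"),
]
TUNNEL_RE = re.compile(r"^ike \d+:([\w-]+):\d+:")
ATTR_RE = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")
NEXT_STEP = {  # paraphrased from this article's notes
    "psk_mismatch": "make the pre-shared key identical on both peers",
    "proposal_mismatch": "make phase 1 authentication/encryption identical on both ends",
    "proposal_chosen": "phase 1 matched; compare the listed algorithms with the peer config",
    "unknown": "no verdict line seen; clear the log filter and confirm IKE traffic arrives",
}

def triage_ike_debug(text):
    """Summarise one IKE debug capture into verdict, tunnel name and proposal."""
    r = {"verdict": "unknown", "tunnel": None, "proposal": {}}
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):            # e.g. "ike 0:Tunnel_1:30:"
            r["tunnel"] = m.group(1)
        if m := re.search(r"matched gateway (\S+)", line):
            r["tunnel"], r["verdict"] = m.group(1), "proposal_chosen"
        if m := ATTR_RE.search(line):             # negotiated phase 1 attributes
            key, val, klen = m.groups()
            r["proposal"][key] = f"{val}-{klen}" if klen else val
        for pat, verdict in FAILURE_PATTERNS:
            if pat.search(line):
                r["verdict"] = verdict
    r["next_step"] = NEXT_STEP[r["verdict"]]
    return r
```

Feed it the text saved from a 'diagnose debug app ike -1' session; for a capture that produces no verdict, the returned next step points back to clearing the filter first.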

 

To disable the debug processes:
 
diagnose debug reset
diagnose debug disable
 

Notes:

  • In this example, the IPsec tunnel has no proposal chosen error. From there, check the authentication and encryption settings of Tunnel_1 to ensure they are identical on both ends.
  • If no IKE debug output is observed, use the KB article Troubleshooting Tip: Basic FortiGate Connectivity Diagnostics to verify whether the FortiGate is dropping the traffic.
  • By default, IKE debug output is only printed to the terminal for 30 minutes. If a longer debugging period is required, see Technical Tip: Changing debug duration.
  • As a best practice, always run 'diagnose vpn ike log filter clear' before starting an IKE debug: the filter values persist even after the SSH (PuTTY) or FortiGate GUI CLI session is closed, so a new CLI session inherits the filter set in 'diagnose vpn ike log filter' by an earlier one.
  • Starting from FortiOS v7.6.3, IKE debugging can be run directly from the GUI by navigating to VPN -> VPN Tunnels, right-clicking the tunnel and selecting 'CLI diagnostics'. For more information, refer to Technical Tip: Collect IKE Debug Logs for IPsec VPN Directly from the GUI.