Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anonymous
Not applicable

Created on ‎04-18-2022 08:35 AM Edited on ‎08-18-2025 07:41 AM By Staff

Article Id 209471

Technical Tip: Different methods to capture packets for IPsec VPN tunnels troubleshooting

Description This article provides information on how to capture IPsec VPN tunnel packets using FortiGate's CLI tool for troubleshooting.
Scope FortiGate.
Solution

Below are some of the steps that could be used to capture packets when troubleshooting IPsec VPN tunnel issues.

 

  1. Capturing IKE packets when NAT is not used.

 

diagnose sniffer packet <interface name> "host <remote gw> and udp port 500" 6 0 l

 

6 - Print header and data from ethernet of packets (if available) with intf name.

0 - Unlimited number of packets will be captured.

l - Absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms.

 

  1. Capturing IKE packets when NAT is used.

 

Capture only IKE traffic in udp/4500 (i.e., exclude ESP-in-UDP traffic):


diagnose sniffer packet <interface name> "host <remote gw> and (udp port 500 or (udp port 4500 and udp[8:4]==0x00000000))" 6 0 l

 

udp[8:4] represents UDP packet header total of 8 bytes and 4 bytes of spi field.

 

Note: To stop the sniffer in the end, press Ctrl + C, otherwise the Sniffer runs forever.

 

  1. ESP traffic when NAT is not used.

 

diagnose sniffer packet <interface name> "host <remote gw> and esp" 6 0 l

 

  1. ESP traffic for specific IPsec SAs when NAT is not used:

 

This is useful when there are multiple tunnels with the same IP address and when packet capture is needed for a particular tunnel for troubleshooting.

 

diagnose vpn tunnel list

 

dec: spi=299f9f87 esp=aes key=16 36a2871bd1830bde2bd0a1da9be4520d
ah=sha1 key=20 35f01a16c0014888482b2651a3c41b3cc4d4af7b


enc: spi=8a351d96 esp=aes key=16 9165ca727d82214330e1710940129a4b
ah=sha1 key=20 8facff77971d9e0de53b40a6fe7134693bb22517

 

(Note: The above output is filtered)

 

Below is an example:

 

diagnose sniffer packet port2 "host 200.0.0.2 and esp and (ip[20:4]==0x299f9f87 or ip [20:4]==0x8a351d96)" 6 0 l

 

The following is the command syntax:

 

diagnose sniffer packet <interface name> "host <remote gw> and esp and (ip[20:4]==0x<SPI1> or ip [20:4]==0x<SPI2>)" 6 0 l

 

ip[20:4] represents IP packet header with total of 20 bytes and spi field with 4 bytes.

 

  1. ESP traffic for specific IPsec SAs when NAT is used:

 

This is useful when there are multiple tunnels with the same IP address and when packet capture is needed for a particular tunnel for troubleshooting.

This would be very helpful in Dial-up VPN issues when multiple clients are behind the same edge device and sharing the public IP address.

 

diagnose vpn tunnel list

 

dec: spi=299f9f85 esp=aes key=16 81085dedbe81883a23fb7e7bbbf6af34
ah=sha1 key=20 348dee73821f5f03463894c698b063096c7c571c


enc: spi=a2330e8e esp=aes key=16 5f19c1c888e1e9437604a4ed181255fa
ah=sha1 key=20 8d76c233c8a3a26824ae872e3f99d48b41970d69

 

(Note: The above output is filtered)

 

Below is an example:

 

diagnose sniffer packet port2 "host 200.0.0.2 and udp port 4500 and (udp[8:4]==0x299f9f85 or udp [8:4]==0xa2330e8e)" 6 0 l

 

Below is  the command  syntax:

 

FGT1 (root) # diagnose sniffer packet <interface name> "host <remote gw> and udp port 4500 and (udp[8:4]==0x<SPI1> or udp [8:4]==0x<SPI2>)" 6 0 l

 
21936
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.