Description | This article discusses the IKEv2 messages and their meaning. |
Scope | FortiGate. |
Solution |
Below is an overview of the IKEv2 CREATE_CHILD_SA and INFORMATIONAL exchanges, their meaning, and the corresponding IKE debug output (diagnose debug application ike -1) seen on two FortiGates:
Topology: 20.0.0.2 (tunnel hub1-Pri) is the initiator and 20.0.0.1 (dialup tunnel advpn_1) is the responder. AES256-SHA256 with DH group 14 (MODP2048) is used for both Phase 1 and Phase 2 negotiations, and PFS is enabled for Phase 2.
Message 5 (Initiator → Responder):
Initiator:
ike V=root:0:hub1-Pri:hub1-Pri: IPsec SA connect 4 20.0.0.2->20.0.0.1:500 negotiating
ike V=root:0:hub1-Pri:145:376 initiating CREATE_CHILD exchange
ike V=root:0:hub1-Pri:145:hub1-Pri:376: PFS enabled
ike V=root:0:hub1-Pri:145:hub1-Pri:376: generate DH public value request queued
ike V=root:0:hub1-Pri:145:376 initiating CREATE_CHILD exchange
ike V=root:0:hub1-Pri:145:hub1-Pri:376: PFS enabled
ike 0:hub1-Pri:145: enc xxxx
ike 0:hub1-Pri:145: out xxxx
ike V=root:0:hub1-Pri:145: sent IKE msg (CREATE_CHILD): 20.0.0.2:500->20.0.0.1:500, len=496, vrf=0, id=2ecbf90464c2e03a/c81df8c224f77489:00000003, oif=4
Responder:
ike V=root:0: comes 20.0.0.2:500->20.0.0.1:500,ifindex=4,vrf=0,len=496.
ike V=root:0: IKEv2 exchange=CREATE_CHILD id=2ecbf90464c2e03a/c81df8c224f77489:00000003 len=496
ike 0: in xxx
ike 0:advpn_1:116: dec xxxx
ike V=root:0:advpn_1:116: received create-child request
ike V=root:0:advpn_1:116: responder received CREATE_CHILD exchange
ike V=root:0:advpn_1:116: responder creating new child
ike V=root:0:advpn_1:116:165: peer proposal:
ike V=root:0:advpn_1:116:165: TSi_0 0:10.255.255.2-10.255.255.2:0
ike V=root:0:advpn_1:116:165: TSi_1 0:0.0.0.0-255.255.255.255:0
ike V=root:0:advpn_1:116:165: TSr_0 0:198.18.1.1-198.18.1.1:0
ike V=root:0:advpn_1:116:165: TSr_1 0:0.0.0.0-255.255.255.255:0
ike V=root:0:advpn_1:116:advpn:165: comparing selectors
ike V=root:0:advpn_1:116:advpn:165: matched by rfc-rule-2
ike V=root:0:advpn_1:116:advpn:165: phase2 matched by subset
ike V=root:0:advpn_1:116:165: local narrowing exactly matches configured selector
ike V=root:0:advpn_1:116:advpn:165: accepted proposal:
ike V=root:0:advpn_1:116:advpn:165: TSi_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:advpn_1:116:advpn:165: TSr_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:advpn_1:116:advpn:165: dialup
ike V=root:0:advpn_1:116:advpn:165: incoming child SA proposal:
ike V=root:0:advpn_1:116:advpn:165: proposal id = 1:
ike V=root:0:advpn_1:116:advpn:165: protocol = ESP:
ike V=root:0:advpn_1:116:advpn:165: encapsulation = TUNNEL
ike V=root:0:advpn_1:116:advpn:165: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:advpn_1:116:advpn:165: type=INTEGR, val=SHA256
ike V=root:0:advpn_1:116:advpn:165: type=DH_GROUP, val=MODP2048
ike V=root:0:advpn_1:116:advpn:165: type=ESN, val=NO
ike V=root:0:advpn_1:116:advpn:165: matched proposal id 1
ike V=root:0:advpn_1:116:advpn:165: proposal id = 1:
ike V=root:0:advpn_1:116:advpn:165: protocol = ESP:
ike V=root:0:advpn_1:116:advpn:165: encapsulation = TUNNEL
ike V=root:0:advpn_1:116:advpn:165: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:advpn_1:116:advpn:165: type=INTEGR, val=SHA256
ike V=root:0:advpn_1:116:advpn:165: type=DH_GROUP, val=MODP2048
ike V=root:0:advpn_1:116:advpn:165: type=ESN, val=NO
ike V=root:0:advpn_1:116:advpn:165: lifetime=43200
ike V=root:0:advpn_1:116:advpn:165: PFS enabled, group=14
ike V=root:0:advpn_1:116:advpn:165: generate DH public value request queued
ike V=root:0:advpn_1:116:advpn:165: compute DH shared secret request queued
ike V=root:0:advpn_1:116:advpn:165: replay protection enabled
ike V=root:0:advpn_1:116:advpn:165: set sa life soft seconds=43187.
ike V=root:0:advpn_1:116:advpn:165: set sa life hard seconds=43200.
ike V=root:0:advpn_1:116:advpn:165: IPsec SA selectors #src=1 #dst=1
ike V=root:0:advpn_1:116:advpn:165: src 0 7 0:0.0.0.0-255.255.255.255:0
ike V=root:0:advpn_1:116:advpn:165: dst 0 7 0:0.0.0.0-255.255.255.255:0
ike V=root:0:advpn_1:116:advpn:165: add dynamic IPsec SA selectors a02
ike V=root:0:advpn_1:116:advpn:165: added dynamic IPsec SA proxyids new 2 a02
ike V=root:0:advpn_1:116:advpn:165: add IPsec SA: SPIs=c5c0b59d/f82f8273
ike 0:advpn_1:116:advpn:165: IPsec SA dec spi c5c0b59d key 32:4D5D10F52ECE0B294C1061AA884B4739B57915FD5B06A05B36CCE212D0D3D119 auth 32:53804CE0F186EB6B2289F52385A8FEE7024E1CAE18123F3555008E741F20B4D6
ike 0:advpn_1:116:advpn:165: IPsec SA enc spi f82f8273 key 32:3E4416D5A2A20EE65539B6906F5D0CE4FD4D9A5CB79B79912AAF79F15B279E09 auth 32:C29471985C023B28A1D5D6371EF793C8BAF159E8CA2A2E03B6A3323CEAE4832D
ike V=root:0:advpn_1:116:advpn:165: added IPsec SA: SPIs=c5c0b59d/f82f8273
ike V=root:0:advpn_1:116:advpn:165: sending SNMP tunnel UP trap
ike V=root:0:advpn_1: tunnel up event
Message 6 (Responder → Initiator):
Responder:
ike V=root:0:advpn_1:116:advpn:165: responder preparing CREATE_CHILD message
ike 0:advpn_1:116: enc xxx
ike 0:advpn_1:116: out xxxx
ike V=root:0:advpn_1:116: sent IKE msg (CREATE_CHILD_RESPONSE): 20.0.0.1:500->20.0.0.2:500, len=464, vrf=0, id=2ecbf90464c2e03a/c81df8c224f77489:00000003, oif=4
Initiator:
ike V=root:0: comes 20.0.0.1:500->20.0.0.2:500,ifindex=4,vrf=0,len=464.
ike V=root:0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=2ecbf90464c2e03a/c81df8c224f77489:00000003 len=464
ike 0: in xxxx
ike 0:hub1-Pri:145: dec xxxx
ike V=root:0:hub1-Pri:145: received create-child response
ike V=root:0:hub1-Pri:145: initiator received CREATE_CHILD msg
ike V=root:0:hub1-Pri:145:hub1-Pri:376: found child SA SPI f82f8273 state=3
ike V=root:0:hub1-Pri:145:hub1-Pri:376: PFS enabled, group=14
ike V=root:0:hub1-Pri:145:hub1-Pri:376: compute DH shared secret request queued
ike V=root:0:hub1-Pri:145:376: peer proposal:
ike V=root:0:hub1-Pri:145:376: TSr_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:hub1-Pri:145:376: TSi_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:hub1-Pri:145:hub1-Pri:376: comparing selectors
ike V=root:0:hub1-Pri:145:hub1-Pri:376: matched by rfc-rule-2
ike V=root:0:hub1-Pri:145:hub1-Pri:376: phase2 matched by subset
ike V=root:0:hub1-Pri:145:hub1-Pri:376: accepted proposal:
ike V=root:0:hub1-Pri:145:hub1-Pri:376: TSr_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:hub1-Pri:145:hub1-Pri:376: TSi_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:hub1-Pri:145:hub1-Pri:376: autokey
ike V=root:0:hub1-Pri:145:hub1-Pri:376: incoming child SA proposal:
ike V=root:0:hub1-Pri:145:hub1-Pri:376: proposal id = 1:
ike V=root:0:hub1-Pri:145:hub1-Pri:376: protocol = ESP:
ike V=root:0:hub1-Pri:145:hub1-Pri:376: encapsulation = TUNNEL
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=INTEGR, val=SHA256
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=DH_GROUP, val=MODP2048
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=ESN, val=NO
ike V=root:0:hub1-Pri:145:hub1-Pri:376: matched proposal id 1
ike V=root:0:hub1-Pri:145:hub1-Pri:376: proposal id = 1:
ike V=root:0:hub1-Pri:145:hub1-Pri:376: protocol = ESP:
ike V=root:0:hub1-Pri:145:hub1-Pri:376: encapsulation = TUNNEL
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=INTEGR, val=SHA256
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=DH_GROUP, val=MODP2048
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=ESN, val=NO
ike V=root:0:hub1-Pri:145:hub1-Pri:376: lifetime=43200
ike V=root:0:hub1-Pri:145:hub1-Pri:376: replay protection enabled
ike V=root:0:hub1-Pri:145:hub1-Pri:376: set sa life soft seconds=42903.
ike V=root:0:hub1-Pri:145:hub1-Pri:376: set sa life hard seconds=43200.
ike V=root:0:hub1-Pri:145:hub1-Pri:376: IPsec SA selectors #src=1 #dst=1
ike V=root:0:hub1-Pri:145:hub1-Pri:376: src 0 7 0:0.0.0.0-255.255.255.255:0
ike V=root:0:hub1-Pri:145:hub1-Pri:376: dst 0 7 0:0.0.0.0-255.255.255.255:0
ike V=root:0:hub1-Pri:145:hub1-Pri:376: add IPsec SA: SPIs=f82f8273/c5c0b59d
ike 0:hub1-Pri:145:hub1-Pri:376: IPsec SA dec spi f82f8273 key 32:3E4416D5A2A20EE65539B6906F5D0CE4FD4D9A5CB79B79912AAF79F15B279E09 auth 32:C29471985C023B28A1D5D6371EF793C8BAF159E8CA2A2E03B6A3323CEAE4832D
ike 0:hub1-Pri:145:hub1-Pri:376: IPsec SA enc spi c5c0b59d key 32:4D5D10F52ECE0B294C1061AA884B4739B57915FD5B06A05B36CCE212D0D3D119 auth 32:53804CE0F186EB6B2289F52385A8FEE7024E1CAE18123F3555008E741F20B4D6
ike V=root:0:hub1-Pri:145:hub1-Pri:376: added IPsec SA: SPIs=f82f8273/c5c0b59d
ike V=root:0:hub1-Pri:145:hub1-Pri:376: sending SNMP tunnel UP trap
ike V=root:0:hub1-Pri: static tunnel up event 10.255.255.1 (dev=14)
ike V=root:0:hub1-Pri: static tunnel up event :: (dev=14)
Meaning: Messages 5 and 6 form a CREATE_CHILD_SA exchange on IKE SA 2ecbf90464c2e03a/c81df8c224f77489 with message ID 00000003; the request and its response always carry the same message ID. The initiator proposes a new Child SA (ESP, tunnel mode, AES_CBC with a 256-bit key, SHA256 integrity, ESN off) together with its traffic selectors and, because PFS is enabled, a fresh DH public value for group 14 (MODP2048). The responder compares the proposed selectors with its own (matched by rfc-rule-2 and narrowed to 0.0.0.0-255.255.255.255 on both sides), accepts proposal 1, computes the DH shared secret and installs the IPsec SA with SPIs c5c0b59d (inbound, dec) and f82f8273 (outbound, enc) and a 43200 s lifetime. On receiving the response the initiator installs the mirror image (dec f82f8273, enc c5c0b59d) with the same key material, both sides send an SNMP tunnel UP trap, and the tunnel comes up. Note that the debug prints the ESP encryption and authentication keys of the new SAs in clear: anyone holding this output can decrypt the traffic protected by them, so treat IKE debug captures as secrets and redact the key lines before sharing them.
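The two traces above can be checked mechanically. The following Python script is an added example, not part of this article or of FortiOS: it reads the relevant lines of the initiator and responder debug output copied from above, confirms that the two peers installed mirror-image Child SAs (each side's enc SPI is the other side's dec SPI with identical keys, and the key length matches the negotiated AES_CBC key_len), confirms that every request got a response with the same message ID, and redacts the key material so the capture can be shared. The function names and the wording of the check messages are the example's own.

```python
import re
from dataclasses import dataclass

# Debug lines copied from the page's two FortiGates (initiator hub1-Pri at 20.0.0.2,
# responder advpn_1 at 20.0.0.1), trimmed to the lines these checks read.
INITIATOR_LOG = """\
ike V=root:0:hub1-Pri:145: sent IKE msg (CREATE_CHILD): 20.0.0.2:500->20.0.0.1:500, len=496, vrf=0, id=2ecbf90464c2e03a/c81df8c224f77489:00000003, oif=4
ike V=root:0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=2ecbf90464c2e03a/c81df8c224f77489:00000003 len=464
ike V=root:0:hub1-Pri:145:hub1-Pri:376: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:hub1-Pri:145:hub1-Pri:376: add IPsec SA: SPIs=f82f8273/c5c0b59d
ike 0:hub1-Pri:145:hub1-Pri:376: IPsec SA dec spi f82f8273 key 32:3E4416D5A2A20EE65539B6906F5D0CE4FD4D9A5CB79B79912AAF79F15B279E09 auth 32:C29471985C023B28A1D5D6371EF793C8BAF159E8CA2A2E03B6A3323CEAE4832D
ike 0:hub1-Pri:145:hub1-Pri:376: IPsec SA enc spi c5c0b59d key 32:4D5D10F52ECE0B294C1061AA884B4739B57915FD5B06A05B36CCE212D0D3D119 auth 32:53804CE0F186EB6B2289F52385A8FEE7024E1CAE18123F3555008E741F20B4D6
"""
RESPONDER_LOG = """\
ike V=root:0: IKEv2 exchange=CREATE_CHILD id=2ecbf90464c2e03a/c81df8c224f77489:00000003 len=496
ike V=root:0:advpn_1:116:advpn:165: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:advpn_1:116:advpn:165: add IPsec SA: SPIs=c5c0b59d/f82f8273
ike 0:advpn_1:116:advpn:165: IPsec SA dec spi c5c0b59d key 32:4D5D10F52ECE0B294C1061AA884B4739B57915FD5B06A05B36CCE212D0D3D119 auth 32:53804CE0F186EB6B2289F52385A8FEE7024E1CAE18123F3555008E741F20B4D6
ike 0:advpn_1:116:advpn:165: IPsec SA enc spi f82f8273 key 32:3E4416D5A2A20EE65539B6906F5D0CE4FD4D9A5CB79B79912AAF79F15B279E09 auth 32:C29471985C023B28A1D5D6371EF793C8BAF159E8CA2A2E03B6A3323CEAE4832D
ike V=root:0:advpn_1:116: sent IKE msg (CREATE_CHILD_RESPONSE): 20.0.0.1:500->20.0.0.2:500, len=464, vrf=0, id=2ecbf90464c2e03a/c81df8c224f77489:00000003, oif=4
"""

SA_KEY_RE = re.compile(r"IPsec SA (?P<dir>enc|dec) spi (?P<spi>[0-9a-f]{8}) "
                       r"key (?P<klen>\d+):(?P<key>[0-9A-Fa-f]+) auth (?P<alen>\d+):(?P<auth>[0-9A-Fa-f]+)")
ENCR_RE = re.compile(r"type=ENCR, val=(?P<alg>\w+) \(key_len = (?P<bits>\d+)\)")
MSG_ID_RE = re.compile(r"(?:sent IKE msg \((?P<sent>[A-Z_]+)\)|IKEv2 exchange=(?P<recv>[A-Z_]+)).*?"
                       r"id=(?P<spii>[0-9a-f]{16})/(?P<spir>[0-9a-f]{16}):(?P<msgid>[0-9a-f]{8})")


@dataclass(frozen=True)
class ChildSaKeys:
    direction: str   # "enc" = outbound, "dec" = inbound, from the logging peer's point of view
    spi: str
    key: bytes
    auth: bytes


def parse_sa_keys(log: str) -> dict[str, ChildSaKeys]:
    """Map SPI -> key material for every 'IPsec SA enc/dec spi' line in one peer's debug."""
    out = {}
    for m in SA_KEY_RE.finditer(log):
        key, auth = bytes.fromhex(m["key"]), bytes.fromhex(m["auth"])
        # The debug prints "key <n>:<hex>" where n is the byte length, so the hex must be 2n digits.
        if len(key) != int(m["klen"]) or len(auth) != int(m["alen"]):
            raise ValueError(f"truncated key material for SPI {m['spi']}")
        out[m["spi"]] = ChildSaKeys(m["dir"], m["spi"], key, auth)
    return out


def encr_key_bytes(log: str) -> int:
    """Key length in bytes implied by the accepted ENCR transform (AES_CBC key_len = 256 -> 32)."""
    m = ENCR_RE.search(log)
    if m is None:
        raise ValueError("no ENCR transform in log")
    return int(m["bits"]) // 8


def cross_check(initiator: dict, responder: dict) -> list[str]:
    """One peer's outbound (enc) SA must be the other peer's inbound (dec) SA with identical keys."""
    problems = []
    for spi, a in initiator.items():
        b = responder.get(spi)
        if b is None:
            problems.append(f"SPI {spi} only on initiator")
            continue
        if {a.direction, b.direction} != {"enc", "dec"}:
            problems.append(f"SPI {spi}: both sides claim {a.direction}")
        if a.key != b.key or a.auth != b.auth:
            problems.append(f"SPI {spi}: key material differs")
    for spi in sorted(responder.keys() - initiator.keys()):
        problems.append(f"SPI {spi} only on responder")
    return problems


def parse_exchanges(log: str) -> list[tuple[str, str, str, int]]:
    """(exchange, SPIi, SPIr, message ID) for every IKE message this peer sent or received."""
    return [(m["sent"] or m["recv"], m["spii"], m["spir"], int(m["msgid"], 16))
            for m in MSG_ID_RE.finditer(log)]


def unanswered_requests(exchanges: list) -> list[int]:
    """Message IDs with a request but no response; IKEv2 pairs them by identical message ID."""
    requests = {(si, sr, mid) for ex, si, sr, mid in exchanges if not ex.endswith("_RESPONSE")}
    responses = {(si, sr, mid) for ex, si, sr, mid in exchanges if ex.endswith("_RESPONSE")}
    return sorted(mid for _, _, mid in requests - responses)


def redact_keys(log: str) -> str:
    """Blank the key hex before a capture leaves the device; SPIs stay so the trace remains readable."""
    return re.sub(r"(key|auth) (\d+):[0-9A-Fa-f]+", r"\1 \2:<REDACTED>", log)
```

Run against the page's traces, cross_check returns an empty list and unanswered_requests is empty for both peers; flip one hex digit of a key on either side and the mismatch is reported by SPI. redact_keys is what to apply to a full debug capture before attaching it to a ticket or a forum post.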
INFORMATIONAL exchange (Initiator → Responder, Responder → Initiator):
Initiator:
ike V=root:0:hub1-Pri:148:383: send informational
ike 0:hub1-Pri:148: enc xxxx
ike 0:hub1-Pri:148: out xxxx
ike V=root:0:hub1-Pri:148: sent IKE msg (INFORMATIONAL): 20.0.0.2:500->20.0.0.1:500, len=80, vrf=0, id=55a418752ab5df75/20c2112f2d151c8b:00000002, oif=4
ike V=root:0: comes 20.0.0.1:500->20.0.0.2:500,ifindex=4,vrf=0,len=80.
ike V=root:0: IKEv2 exchange=INFORMATIONAL_RESPONSE id=55a418752ab5df75/20c2112f2d151c8b:00000002 len=80
ike 0: in xxx
Responder:
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=55a418752ab5df75/20c2112f2d151c8b:00000002 len=80
ike 0: in xxxx
ike 0:advpn_1:119: dec xxxx
ike V=root:0:advpn_1:119: received informational request
ike 0:advpn_1:119: enc xxxx
ike 0:advpn_1:119: out xxxx
ike V=root:0:advpn_1:119: sent IKE msg (INFORMATIONAL_RESPONSE): 20.0.0.1:500->20.0.0.2:500, len=80, vrf=0, id=55a418752ab5df75/20c2112f2d151c8b:00000002, oif=4
Meaning: INFORMATIONAL exchanges manage an existing IKE SA. They carry notifications (including error notifications), Delete payloads that tear down IKE SAs or Child SAs, and, when sent empty, the liveness checks used for dead peer detection. Like every exchange after IKE_SA_INIT they are encrypted and integrity-protected with the IKE SA keys, and each request must be answered by a response with the same message ID. The pair above runs on IKE SA 55a418752ab5df75/20c2112f2d151c8b with message ID 00000002 (a different IKE SA from the CREATE_CHILD_SA exchange, as the SPIs show); the request is answered in 80 bytes each way and no delete or error is logged, so the tunnel state is unchanged.
Summary of IKEv2 Message Types and Meanings:
IKE_SA_INIT (messages 1 and 2): negotiates the IKE SA proposal and exchanges DH public values and nonces. This is the only exchange sent in clear text.
IKE_AUTH (messages 3 and 4): carries the peer identities, the AUTH payload (pre-shared key or certificate based) and the first Child SA with its traffic selectors, encrypted with keys derived from IKE_SA_INIT. The AUTH payload also covers the IKE_SA_INIT messages, so they are authenticated retroactively.
CREATE_CHILD_SA: creates additional Child SAs or rekeys an IKE SA or Child SA, optionally with a new DH exchange (PFS), as in messages 5 and 6 above.
INFORMATIONAL: notifications, deletes and liveness checks, as in the exchange above.
From IKE_AUTH onward every message is carried inside the Encrypted (SK) payload and protected by the IKE SA's encryption and integrity keys, so an on-path attacker can observe the exchange but can neither read it nor modify it without detection. IKE_SA_INIT itself is unprotected, which is why identities and authentication are deferred to IKE_AUTH. |
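The id=SPIi/SPIr:message-ID field printed by the FortiGate debug is a direct rendering of the fixed IKEv2 header defined in RFC 7296 section 3.1. The following Python script is an added example, not part of this article or of FortiOS: it builds and parses that 28-byte header, reproduces the debug's id string from it, and enforces the rules summarised above (IKE_SA_INIT is the only exchange that may travel without the SK payload, it uses message ID 0 and a zero responder SPI in the request, and every request is paired with a response by message ID). The exchange-type and payload-type values are the IANA code points; the function names and the wording of the problem strings are the example's own.

```python
import struct

# Field layout and code points from RFC 7296 section 3.1 and the IANA IKEv2 registry.
IKE_HEADER = struct.Struct("!8s8sBBBBII")  # SPIi, SPIr, next payload, version, exchange, flags, message ID, length
IKEV2_VERSION = 0x20                        # major version 2, minor 0
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20
PAYLOAD_SA, PAYLOAD_SK = 33, 46             # SK = Encrypted and Authenticated payload


def build_header(spi_i: str, spi_r: str, exchange: int, msg_id: int, length: int, *,
                 from_initiator: bool, is_response: bool, first_payload: int) -> bytes:
    """Serialise a 28-byte IKEv2 header; SPIs are the 16-hex-digit strings the debug prints."""
    flags = (FLAG_INITIATOR if from_initiator else 0) | (FLAG_RESPONSE if is_response else 0)
    return IKE_HEADER.pack(bytes.fromhex(spi_i), bytes.fromhex(spi_r), first_payload,
                           IKEV2_VERSION, exchange, flags, msg_id, length)


def parse_header(data: bytes) -> dict:
    """Decode the fixed header; rejects anything that is not an IKEv2 header at all."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    if version != IKEV2_VERSION:
        raise ValueError(f"not IKEv2 (version byte {version:#04x})")
    if exchange not in EXCHANGE_TYPES:
        raise ValueError(f"unknown exchange type {exchange}")
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "exchange": EXCHANGE_TYPES[exchange],
        "from_initiator": bool(flags & FLAG_INITIATOR),
        "is_response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id, "length": length,
        # True when the body is the SK payload, i.e. encrypted and integrity-protected.
        "protected": next_payload == PAYLOAD_SK,
        # The same SPIi/SPIr:msgid triple that FortiGate prints as id=... in the debug.
        "fortigate_id": f"{spi_i.hex()}/{spi_r.hex()}:{msg_id:08x}",
    }


def header_problems(h: dict) -> list[str]:
    """Protocol rules a receiver should enforce before touching the body."""
    problems = []
    if h["exchange"] != "IKE_SA_INIT" and not h["protected"]:
        problems.append(f"{h['exchange']} must be carried inside the Encrypted (SK) payload")
    if h["exchange"] == "IKE_SA_INIT":
        if h["protected"]:
            problems.append("IKE_SA_INIT cannot be encrypted: no keys exist yet")
        if h["msg_id"] != 0:
            problems.append("IKE_SA_INIT always uses message ID 0")
        if not h["is_response"] and h["spi_r"] != "0" * 16:
            problems.append("IKE_SA_INIT request must carry a zero responder SPI")
    if h["length"] < IKE_HEADER.size:
        problems.append("length field smaller than the header")
    return problems


def unanswered(headers: list[dict]) -> list[int]:
    """Message IDs with a request but no response on the same IKE SA (request and response share the ID)."""
    requests = {(h["spi_i"], h["spi_r"], h["msg_id"]) for h in headers if not h["is_response"]}
    responses = {(h["spi_i"], h["spi_r"], h["msg_id"]) for h in headers if h["is_response"]}
    return sorted(m for _, _, m in requests - responses)
```

Building the CREATE_CHILD_SA request from message 5 (exchange 36, message ID 3, initiator flag set, SK as first payload, length 496) and parsing it back yields fortigate_id 2ecbf90464c2e03a/c81df8c224f77489:00000003, the string seen in both debug outputs; the response differs only in the R flag and its length of 464.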