FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tthrilok
Staff
Staff
Article Id 256321
Description

 

This article explains the ike debug output in FortiGate.

 

Scope

 

FortiGate, IPsec.

 

Solution

 

Below are the commands to take the ike debug on the firewall:

 

di vpn ike log-filter clear

di vpn ike log-filter <att name> <att value> 

diag debug app ike -1
diag debug enable

 

Below, the article which explains the ike log filter options available in FortiGate:

Troubleshooting Tip: IPSEC Tunnel (debugging IKE)

 

  • When taking the IKE debug to analyze the logs, make sure the firewall is in responder state, so for that initiate the VPN negotiation from the remote end. Taking debugs in the responder state gives more idea of where is the issue happening.
  • Timing timestamps may be crucial when troubleshooting random issue reports or getting references. Make sure that the IPSec peers both have the correct system time.

See that a debug attempt is created with timestamps. Add 'diag debug console timestamp enable' to the 'diag debug' commands on FortiGate. Write down timestamps on certain events, like error messages, if applicable. It helps to understand more about the pattern and when what happens.

 

Below is the lab firewall configuration:

 

FortiGate-81E # show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
        edit "TEST"
            set interface "wan1"
            set peertype any
            set net-device disable
            set passive-mode enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set comments "VPN: TEST (Created by VPN wizard)"
            set wizard-type static-fortigate
            set remote-gw 10.5.20.136
            set psksecret ENC KEY
        next
    end

 

FortiGate-81E # show vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
        edit "TEST"
            set phase1name "TEST"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set comments "VPN: TEST (Created by VPN wizard)"
            set src-addr-type name
            set dst-addr-type name
            set src-name "TEST_local"
            set dst-name "TEST_remote"
        next
    end

 

FortiGate-81E # di ip add list | grep wan1
IP=10.5.20.174->10.5.20.174/255.255.240.0 index=5 devname=wan1

 

Below is the debug output:

 

ike 0: comes 10.5.20.136:500->10.5.20.174:500,ifindex=5,vrf=0....  <----- Debug shows firewall received the UDP 500 packet from 10.5.20.136 to 10.5.20.174.
ike 0: IKEv1 exchange=Identity Protection id=9f7049755addb679/0000000000000000 len=572 vrf=0 <----- 9f7049755addb679/0000000000000000 is the initiator's cookie value/responders cookie value.
ike 0: in 9F7049755ADDB679000000000000000001100200000000000000023C0D000154000000010000000100000148010100080300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0300002802010000800B0001000C00040001518080010007800E00808003000180020004800400050300002803010000800B0001000C00040001518080010007800E010080030001800200048004000E0300002804010000800B0001000C00040001518080010007800E01008003000180020004800400050300002805010000800B0001000C00040001518080010007800E008080030001800200028004000E0300002806010000800B0001000C00040001518080010007800E00808003000180020002800400050300002807010000800B0001000C00040001518080010007800E010080030001800200028004000E0000002808010000800B0001000C00040001518080010007800E01008003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000

ike VDOM-ID:initiator cookie value/responder cookie value: stateID of phase1<----- Is the format of the debug output upto phase1 is matched.
ike 0:9f7049755addb679/0000000000000000:15: responder: main mode get 1st message... 
ike 0:9f7049755addb679/0000000000000000:15: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:9f7049755addb679/0000000000000000:15: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:9f7049755addb679/0000000000000000:15: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:9f7049755addb679/0000000000000000:15: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:9f7049755addb679/0000000000000000:15: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:9f7049755addb679/0000000000000000:15: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:9f7049755addb679/0000000000000000:15: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:9f7049755addb679/0000000000000000:15: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:9f7049755addb679/0000000000000000:15: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:9f7049755addb679/0000000000000000:15: VID FORTIGATE 8299031757A36082C6A621DE00000000

 

Below is the proposal received from the remote end and the user is trying to match the P1 tunnel:


ike 0:9f7049755addb679/0000000000000000:15: negotiation result
ike 0:9f7049755addb679/0000000000000000:15: proposal id = 1: <----- Proposal ID as 1, if there is more than 1 proposal ID, it is necessary to find id as the differentiator for each proposal.
ike 0:9f7049755addb679/0000000000000000:15: protocol id = ISAKMP:
ike 0:9f7049755addb679/0000000000000000:15: trans_id = KEY_IKE.
ike 0:9f7049755addb679/0000000000000000:15: encapsulation = IKE/none
ike 0:9f7049755addb679/0000000000000000:15: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:9f7049755addb679/0000000000000000:15: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:9f7049755addb679/0000000000000000:15: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:9f7049755addb679/0000000000000000:15: type=OAKLEY_GROUP, val=MODP2048.
ike 0:9f7049755addb679/0000000000000000:15: ISAKMP SA lifetime=86400
ike 0:9f7049755addb679/0000000000000000:15: SA proposal chosen, matched gateway TEST<----- SA is matched to the phase1 tunnel TEST.

ike VDOM-ID:Phase1_tunnel_name:stateID of phase1<----- Is the format of the debug output upto phase2 is matched.

ike 0:TEST: created connection: 0x68c46a0 5 10.5.20.174->10.5.20.136:500.
ike 0:TEST:15: DPD negotiated 
ike 0:TEST:15: peer is FortiGate/FortiOS (v0 b0)
ike 0:TEST:15: selected NAT-T version: RFC 3947
ike 0:TEST:15: cookie 9f7049755addb679/a8c807aa6429a5bf<----- ike process has generated the responder cookie value. 
ike 0:TEST:15: out 9F7049755ADDB679A8C807AA6429A5BF0110020000000000000000C00D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:TEST:15: sent IKE msg (ident_r1send): 10.5.20.174:500->10.5.20.136:500, len=192, vrf=0, id=9f7049755addb679/a8c807aa6429a5bf  <----- The responder 1st packet "ident_r1send" is sent out. with id=9f7049755addb679/a8c807aa6429a5bf <----- Initiator cookie/responder cookie.
ike 0: comes 10.5.20.136:500->10.5.20.174:500,ifindex=5,vrf=0.... <----- The initiator 2nd packet is received where the interface index ID 5.
ike 0: IKEv1 exchange=Identity Protection id=9f7049755addb679/a8c807aa6429a5bf len=380 vrf=0
ike 0: in 9F7049755ADDB679A8C807AA6429A5BF04100200000000000000017C0A0001042EE64C2180C1E5C062884690B1EB9F749CD8D89B00AABD9536FAF74685E470C5D78D7E767E1CC291038289CC787C47FA30203F20604EA44E95C3932A57642117F14AF915D880539A850CDC920D5C19BB51CB25CFEB27BE78A00320D1CE99DB1775E7F574E0C0773C0256734950DB84A5625A6CCC3C777BADCDE6BE6F9958147A66CC265236B9AA2EFF2C29A84332A98A1D3FC2843A9433C7BBC09A49302503F8F4A9666A4523AE4CCDAA70D38B88050F387201640821658648C5EB8A6B58A86E652B23A47C3A8F4FB2D0B711A992DE64F1C186F71551C5D6E9DBCF6CE53D882049BF83682428C89C694977E09A988FB1BB50317F0544BD3F1203711AD80CC88514000014F1B5DFD2DD450C8005F5B71867FD00A114000024F3378B31DF207ADC14301B1DACA863B97416AA2878CD68A2581DEF090060F142000000248CB780F2184EFA8BE83A20F59FD61DCDB42C1A2D170D729524F5B4300E796613

ike 0:TEST:15: responder:main mode get 2nd message... 
ike 0:TEST:15: received NAT-D payload type 20
ike 0:TEST:15: received NAT-D payload type 20
ike 0:TEST:15: NAT not detected
ike 0:TEST:15: generate DH public value request queued <----- The DH public key is generated.
ike 0:TEST:15: compute DH shared secret request queued <----- The shared secret for the tunnel TEST is computed.
ike 0:TEST:15: out 9F7049755ADDB679A8C807AA6429A5BF04100200000000000000017C0A0001046B9CD13B26D3E3874711BF431DC661B702A45B9BC6538D5E33B32463A60694C7B8889C3C62426ACDEE2126FCCB94BF6F183746079AC25A6FD78D81535787E2F73063E7DAA40A37AB9B6E0CB4BF2D7FC6E4FEEEF4945227A527938B0F86A475CF24C585F601CA5F1BC191C2C7B3942F1B2AF9108CA0F6E59A5FFA8B1C1CF8BA433D9A58F56751B24AA9CC60F54AB26AE8873AC90087E849E592D87F7C6B06E6834467982FC07A5D15227F983105993C26FC85234EA1CA62F919D93C9D28A397E515C1E5D21DA9E5C2CCCF8ABB32CB9B97784D6D45C73A80FC37ED2E184D25E280E28C3C7BECF9F77253C64C6AFA864D82CEF57336D4953ED2D380BF02EEF6AB4F140000149707251950D0D56EF9AAD9547D34911F140000248CB780F2184EFA8BE83A20F59FD61DCDB42C1A2D170D729524F5B4300E79661300000024F3378B31DF207ADC14301B1DACA863B97416AA2878CD68A2581DEF090060F142
ike 0:TEST:15: sent IKE msg (ident_r2send): 10.5.20.174:500->10.5.20.136:500, len=380, vrf=0, id=9f7049755addb679/a8c807aa6429a5bf <----- The responder 2nd packet are sending out.
ike 0:TEST:15: ISAKMP SA 9f7049755addb679/a8c807aa6429a5bf key 16:5632B23E1988046F801D2246E50E776C <----- phase1 tunnel key.
ike 0: comes 10.5.20.136:500->10.5.20.174:500,ifindex=5,vrf=0.... <----- Initiator 3rd packet received.
ike 0: IKEv1 exchange=Identity Protection id=9f7049755addb679/a8c807aa6429a5bf len=108 vrf=0
ike 0: in 9F7049755ADDB679A8C807AA6429A5BF05100201000000000000006C66842B64B9DB166761F9A5526468FCDC9230AB50BFEFBE6E9FD83F3D0CCC5D4C6B03644B7FF28B64E51616E080E7B59E58EAA2464A20A24A9D3AD3AEF6331BFC9D5116FB1A8591EDF0465C74DA2ABDA0
ike 0:TEST:15: responder: main mode get 3rd message... <----- Initiator 3rd packet received.
ike 0:TEST:15: dec 9F7049755ADDB679A8C807AA6429A5BF05100201000000000000006C0800000C010000000A0514880B0000242C1E51104FA24434C941424C1F3794EC0C6B01DD9A56CBB252F322483AA8D6400000001C00000001011060029F7049755ADDB679A8C807AA6429A5BF03AE1B03
ike 0:TEST:15: received p1 notify type INITIAL-CONTACT 
ike 0:TEST:15: peer identifier IPV4_ADDR 10.5.20.136<----- After decrypting the initiator 3rd packet, the identifier sent by the remote device is visible.
ike 0:TEST:15: PSK authentication succeeded  <----- PSK authentication is done.
ike 0:TEST:15: authentication OK
ike 0:TEST:15: enc 9F7049755ADDB679A8C807AA6429A5BF05100201000000000000004C0800000C010000000A0514AE000000249E90C71C0DEB9F3AEC3ACDD683F8571396C66A2FABE5C7BDBB7283D8925DE0D7  <----- The identity payload has been generated and encrypting it.
ike 0:TEST:15: out 9F7049755ADDB679A8C807AA6429A5BF05100201000000000000005C56AA4264542A80639F190AC138BA52D1EC6C0C2C1AF0A41D46E1E3FBB4458F7B5478BD968C7005A826060256C84D0BA5EEC71A389C2EE1F6AE958B75CC7CB72D <----- Sending out the packet.
ike 0:TEST:15: sent IKE msg (ident_r3send): 10.5.20.174:500->10.5.20.136:500, len=92, vrf=0, id=9f7049755addb679/a8c807aa6429a5bf
ike 0:TEST:15: established IKE SA 9f7049755addb679/a8c807aa6429a5bf<----- phase1 is established.

ike 0:TEST:15: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:TEST:15: processing INITIAL-CONTACT
ike 0:TEST: flushing
ike 0:TEST: flushed
ike 0:TEST:15: processed INITIAL-CONTACT
ike 0:TEST: set oper up
ike 0:TEST:15: no pending Quick-Mode negotiations
ike shrank heap by 159744 bytes
ike 0: comes 10.5.20.136:500->10.5.20.174:500,ifindex=5,vrf=0.... <----- The next packet from the remote end has been received.
ike 0: IKEv1 exchange=Quick id=9f7049755addb679/a8c807aa6429a5bf:4217bbe7 len=620 vrf=0  <-----
ike 0: in 9F7049755ADDB679A8C807AA6429A5BF081020014217BBE70000026C9B4E9136555F567852B5E267D21F6B443C2B09584033A7ED8778D09F42AB6AFFC99900B3F3B8E02D59B686BA375069FBFB83C8F9D6081119AEB52BF474217D1873AE5AEC3CADC3ADE27AE21E8BDA19464B1B51FF5544D70B5D28B6B630D056B6145577490FF62F0E5DBE52A113634C66FA453B4B4B1252BDDBB7FFBAEBE6867F52B019AA38555DB1B1248EB4E9FCB29ECA35228DE677777B50486323298348E7575973363E98A767BE87FB70F8D8A2C9ABD473240CD8BF279D948C73B12E8FA2EB89FA28C579315EE6AB26080BDF15A6F1C39269C9CFF73A161716CD68A968C858E83DFB0F7E8535D7D0BAA8D68C09E52ABBF5E2A05B3859E3741DD66927F7A604FA38269E9BFEF03BEDC487ECE8DEED77629523D500A079A95A172D113759CB8093C0F4E531D753CEC5BEFF8678DE3096AFCC77F68EF2047DCE5F98344309845572C6E89F5293744F7D104CB5C1086C8A9B55BD7E4E39B01FA4FCB0C8DC7500516FDFA0E14D63C721F8EA83D6D22DAF632ACC5B04DB60E9047F6C9A61321F2DD47C94B7F132BEE5AE4058ED71C5CACFE5DDCD5BC16699FD0EF739C42DFE9CA9ABAEC4C73CF2A424B324E6A131ADB3356918B95ED20BF2E61F70300A6F82B54D5105D04F5D8E81121AA4C6E82E532AB748AD87E0B575F54A923912F5AB113939A94A76EB7FA3907D3E40EB1CAEDE03276B8E264C3A337EA9E8D6607F97577A87A31BCBE2E9B117552BCC3621A6E0808C0C8AE83BB19D7D5DEA781342EA63774AD85F0655FDC3F143A64D5BB4D7A49283C838C55397A23A735DDD489B594101097654DD6E8B565F85DB689FFDFD4CC572
ike 0:TEST:15:190: responder received first quick-mode message

ike 0:TEST:15: dec 9F7049755ADDB679A8C807AA6429A5BF081020014217BBE70000026C01000024387D6350B76724762EEF33EF4C041264381388E314ECD91525ECB78386C4ED350A0000EC0000000100000001000000E001030407CB787AB703000020010C0000800100018002A8C08004000180060080800500028003000E03000020020C0000800100018002A8C08004000180060100800500028003000E03000020030C0000800100018002A8C08004000180060080800500058003000E03000020040C0000800100018002A8C08004000180060100800500058003000E0300001C05140000800100018002A8C080040001800600808003000E0300001C06140000800100018002A8C080040001800601008003000E0000001C071C0000800100018002A8C080040001800601008003000E04000014D7EA91DD21B6E5E43D9B18D2787AAFA80500010424533E2BD83F102DEC8906E858A9B87A593E821F9545846AC218FA73196A44D4B3C695021201F996F338B622CEAF3AD2E83AD5116569FC04EA7EDE74D49513DBAF07719E011D8BB8D41584AE0B4B4CCCE21544F59CBA194E81EF5C6C2D116754913EBF362F97A5472313B270E4DDF0EA024B6A3C40BBC61829C9BF3FB8035A9099D62A99A7C31D66DBD0DDF49B1199E1191005923A9783592D6268F3EACDADEDE674C6752CC7BE2D39F5B563BBF3E3572D4B7CD8793A455F7D6B855EE6D790AD8EA9111F623A995270590D561F1FF2E48594BE81ED19D9832263C836B24848D63DB14C76A757FC1DE5A656C56754576B484AC02430E2E3265FA49E30A8A788C505000010040000000A0A0A00FFFFFF00000000100400000001010100FFFFFF008E5CB88BBF6A1F07
ike 0:TEST:15:190: peer proposal is: peer:0:10.10.10.0-10.10.10.255:0, me:0:1.1.1.0-1.1.1.255:0 <<< phase2 incoming proposal

ike VDOM-ID:Phase1_tunnel_name:stateID of phase1:phase2_tunnel_name:stateID of phase2<----- Is the format for further debugs.
ike 0:TEST:15:TEST:190: trying
ike 0:TEST:15:TEST:190: matched phase2
ike 0:TEST:15:TEST:190: autokey

ike 0:TEST:15:TEST:190: proposal id = 1:
ike 0:TEST:15:TEST:190: protocol id = IPSEC_ESP:
ike 0:TEST:15:TEST:190: PFS DH group = 14
ike 0:TEST:15:TEST:190: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:TEST:15:TEST:190: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:15:TEST:190: type = AUTH_ALG, val=SHA1
ike 0:TEST:15:TEST:190: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:TEST:15:TEST:190: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:15:TEST:190: type = AUTH_ALG, val=SHA1
ike 0:TEST:15:TEST:190: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:TEST:15:TEST:190: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:15:TEST:190: type = AUTH_ALG, val=SHA2_256
ike 0:TEST:15:TEST:190: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:TEST:15:TEST:190: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:15:TEST:190: type = AUTH_ALG, val=SHA2_256
ike 0:TEST:15:TEST:190: trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:TEST:15:TEST:190: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:15:TEST:190: type = AUTH_ALG, val=NULL
ike 0:TEST:15:TEST:190: trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:TEST:15:TEST:190: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:15:TEST:190: type = AUTH_ALG, val=NULL
ike 0:TEST:15:TEST:190: trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:TEST:15:TEST:190: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:15:TEST:190: type = AUTH_ALG, val=NULL

++ Output Omitted ++

ike 0:TEST:15:TEST:190: negotiation result
ike 0:TEST:15:TEST:190: proposal id = 1:
ike 0:TEST:15:TEST:190: protocol id = IPSEC_ESP:
ike 0:TEST:15:TEST:190: PFS DH group = 14
ike 0:TEST:15:TEST:190: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:TEST:15:TEST:190: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:TEST:15:TEST:190: type = AUTH_ALG, val=SHA1
ike 0:TEST:15:TEST:190: set pfs=MODP2048

>> Above is the phase2 SAs matched 
ike 0:TEST:15:TEST:190: using tunnel mode.
ike 0:TEST:15:TEST:190: generate DH public value request queued
ike 0:TEST:15:TEST:190: compute DH shared secret request queued
ike 0:TEST:15:TEST:190: replay protection enabled 
ike 0:TEST:15:TEST:190: SA life soft seconds=42927.
ike 0:TEST:15:TEST:190: SA life hard seconds=43200.
ike 0:TEST:15:TEST:190: IPsec SA selectors #src=1 #dst=1 
ike 0:TEST:15:TEST:190: src 0 4 0:1.1.1.0/255.255.255.0:0 <----- Local network.
ike 0:TEST:15:TEST:190: dst 0 4 0:10.10.10.0/255.255.255.0:0 <----- Remote network.
ike 0:TEST:15:TEST:190: add IPsec SA: SPIs=ae5de1b7/cb787ab7 <----- Is the SPI values for phase2 tunnel.
ike 0:TEST:15:TEST:190: IPsec SA dec spi ae5de1b7 key 16:2E6DE7D80B4A61F382EC05847A4E4D55 auth 20:5FFB902AC5916DF77F4166EBB79D53C625F93209<----- Is the enc key and auth key mapped with spi ae5de1b7.
ike 0:TEST:15:TEST:190: IPsec SA enc spi cb787ab7 key 16:C0647490877A3B64555CC8D38A5C4739 auth 20:DF644A84FE4436A54DC1CC1F1CD38573D863159C<----- Is the enc key and auth key mapped with spi cb787ab7.
ike 0:TEST:15:TEST:190: added IPsec SA: SPIs=ae5de1b7/cb787ab7
ike 0:TEST:15:TEST:190: sending SNMP tunnel UP trap <----- SNMP trap is sent as the tunnel is up.

ike 0:TEST:15: enc 9F7049755ADDB679A8C807AA6429A5BF081020014217BBE7000001B0010000245FFCC00BB957E95E2AF249313C3381EC328AF3BBC6BFD652219A2B4FBB22F8960A00003800000001000000010000002C01030401AE5DE1B700000020010C0000800100018002A8C08004000180060080800500028003000E04000014FCBEACAF3A6237BF2BBD74476AA5B95C05000104D53485F42AF44F5B2046D4643BE17A5B9B3E7B4F842505B0A1822B8B387AC30E92698F63611217DDA9ABAFAA355BA669C0AB0F37332E2F5B1294181EA74098C3C8A313DE1189BE90D275B02734A76EDC78D6F43B08EBCA6BAF96E2FCAD00EECE42F7B46A4C47D5AF8336825F8B7DDBF51188D9806C56A9CB79AF8E2D5F5E25767E59C9519BA4D3A060F77C85EA47541725987BA427292DE668A545A5B5273DA20F220A040977BB175021DD0047E7CA8B19BBB8DC801A2167110CF774BE3956758E0173F3B92BD22911C562D6B815109F806F53C3A229802DED6A54242EBD0176258F842CAF7E033C3599BD80BE7CA80BDADD072B1686F34D3F4FFEB2AA4B065A05000010040000000A0A0A00FFFFFF00000000100400000001010100FFFFFF00
ike 0:TEST:15: out 9F7049755ADDB679A8C807AA6429A5BF081020014217BBE7000001BC5EEA13605B8B3F8D3B8A7D500C1351C162CBADC8CF4D3B3090C7F78A4819CF38DFDD65E6C585C826CA876FCD10FF739BDD59FBBCA2A97A3D778AB611E5C6B080AE0CD5B0A39252F40E85BF9658B028355D569A7D3BBA3C480F07F30E10F841E936D3C639614516F6362F489F144D1FD318B0E00F657EE54BFED3C9E9C3FCCD1DB7797A549F76FBDF5CD30C7CE6E833E6163CC3554D3DC7A632800B5CDF19F73A22B536B888612ACC0297C34C4FF79EF7B0704639C2D7BB90F98E2D1A9723308022459539968D8D7BED428D6E651CB767DF647F395228E999067A93DB67A7876CC644AD259AFF0D04BB271AADC08D76EF6F02547B8210B9A52896A919496FB5E540AA2725C106F0AD72962BB3C38805A3528891EF3A2E390CFEA7EDFBE1A48F201A1EE165CBFF54602065810A4E3DEC8721812B8B4F6D829BE3F902EF86AB2C081CDBC8AF06569A5694475A7FA2D90D7A288EE8FA04C441C5AA0F85597254EF7D89260696B458922388D027C52DE19E302BD2DFC516CE47E76B1AEC2FD8B998D5A5759907BBFFD9CE4D8E7CD2ED96CEE4075C04B442A1B821ED4B2FADF5139FAD
ike 0:TEST:15: sent IKE msg (quick_r1send): 10.5.20.174:500->10.5.20.136:500, len=444, vrf=0, <-----  The quick mode responder 1st packet is sent out id=9f7049755addb679/a8c807aa6429a5bf:4217bbe7
ike 0: comes 10.5.20.136:500->10.5.20.174:500,ifindex=5,vrf=0.... <----- Incoming initiated quick mode 2nd packet.
ike 0: IKEv1 exchange=Quick id=9f7049755addb679/a8c807aa6429a5bf:4217bbe7 len=76 vrf=0
ike 0: in 9F7049755ADDB679A8C807AA6429A5BF081020014217BBE70000004CA5C839AF7FD0EE0E61EC64FAD186D4E81E5E7886CB77B4FB1B2853DE24FD610A8CCB65F5053B9A16BEFEE8BF09534FA8 
ike 0:TEST:15: dec 9F7049755ADDB679A8C807AA6429A5BF081020014217BBE70000004C00000024BE7717DF8E201D6116B56B2E508A8655D06C7F5C672AFA80CBA15B58DCEAF2F9C1831AE275F0DB691E4F0B0B
ike 0:TEST:TEST:190: send SA_DONE SPI 0xcb787ab7 

 

- Below is the phase1 verification:

 

FortiGate-81E # di vpn ike gateway list

vd: root/0
name: TEST
version: 1
interface: wan1 5  <----- wan1 is the interface used in the VPN and its index ID.
addr: 10.5.20.174:500 -> 10.5.20.136:500 <----- Local and remote end public IPs on which the VPN is negotiated
tun_id: 10.5.20.136/::10.5.20.136
remote_location: 0.0.0.0
network-id: 0
created: 239s ago
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 20/20/20 ms

id/spi: 15 9f7049755addb679/a8c807aa6429a5bf
direction: responder  <---- In responder state.
status: established 239-239s ago = 10ms
proposal: aes128-sha256
key: 5632b23e1988046f-801d2246e50e776c
lifetime/rekey: 86400/85890
DPD sent/recv: 00000000/00000000

 

+ Below is the phase2 verification:

 

FortiGate-81E # di vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=TEST ver=1 serial=1 10.5.20.174:0->10.5.20.136:0 tun_id=10.5.20.136 tun_id6=::10.5.20.136 dst_mtu=1500 dpd-link=on weight=1
bound_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=5827 olast=5827 ad=/0  <----- This tunnel is referenced at 4 places.
stat: rxp=0 txp=0 rxb=0 txb=0  <----- stats showing rx packets, bytes and transmit packets, bytes.
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 <----- dpd mode on demand.
natt: mode=none draft=0 interval=0 remote_port=0  <----- natt is none.
fec: egress=0 ingress=0
proxyid=TEST proto=0 sa=1 ref=2 serial=4
src: 0:1.1.1.0-1.1.1.255:0 <----- Local IP range.
dst: 0:10.10.10.0-10.10.10.255:0 <----- Remote IP range.
SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42591/0B replaywin=1024 <----- mtu of the phase2 tunnel.
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=ae5de1b7 esp=aes key=16 2e6de7d80b4a61f382ec05847a4e4d55
ah=sha1 key=20 5ffb902ac5916df77f4166ebb79d53c625f93209
enc: spi=cb787ab7 esp=aes key=16 c0647490877a3b64555cc8d38a5c4739
ah=sha1 key=20 df644a84fe4436a54dc1cc1f1cd38573d863159c
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=10.5.20.136 npu_lgwy=10.5.20.174 npu_selid=3 dec_npuid=0 enc_npuid=0
run_tally=0

FortiGate-81E #