Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
thorg
New Contributor

Question about diagnose debug command (VPN)

I am trying to understand the output of "diag vpn ike gateway list name <name>". I would like to know what the line "child: <yes/no>" says. Can someone explain this to me?


fortigate # diag vpn ike gateway list name <Name>

vd: root/0
name: <name>
version: 2
interface: wan1 7
addr: <IP1>:500 -> <IP2>:500
created: 1323297s ago
PPK: no
IKE SA: created 1/17 established 1/17 time 0/4/40 ms
IPsec SA: created 1/32 established 1/32 time 0/0/0 ms

id/spi: 2390 xxx
direction: responder
status: established 23088-23088s ago = 0ms
proposal: aes256-sha384
child: yes <--- What does this line mean?
SK_ei: xxx
SK_er: xxx
SK_ai: xxx
SK_ar: xxx57
message-id sent/recv: 30/37
lifetime/rekey: 86400/63041
DPD sent/recv: 0000083b/0000083b

1 Solution
pjawalekar
Staff
Staff

Hi thorg,

From the attached logs I am able to see that you are using IKEv2. IKEv2 has a two Phase negotiation process.

First Phase is known as IKE_SA_INIT and the second Phase is called as IKE_AUTH. At the end of second exchange (Phase 2), the first CHILD SA created. 

In debugs "child: yes" means identities of IPSec Peers are verified and first CHILD_SA is established between the peers.
The CHILD_SA in IKEv2 performs nearly the same function as Quick Mode in IKEv1, setting up the transformations and parameters for traffic protection. That is, the encryption and authentication algorithms to be used to protect network traffic, key lifetimes, and optionally another Diffie-Hellman-Merkel exchange if Perfect Forward Secrecy is enabled (PFS).

Regards,

Pratik 

View solution in original post

2 REPLIES 2
pjawalekar
Staff
Staff

Hi thorg,

From the attached logs I am able to see that you are using IKEv2. IKEv2 has a two Phase negotiation process.

First Phase is known as IKE_SA_INIT and the second Phase is called as IKE_AUTH. At the end of second exchange (Phase 2), the first CHILD SA created. 

In debugs "child: yes" means identities of IPSec Peers are verified and first CHILD_SA is established between the peers.
The CHILD_SA in IKEv2 performs nearly the same function as Quick Mode in IKEv1, setting up the transformations and parameters for traffic protection. That is, the encryption and authentication algorithms to be used to protect network traffic, key lifetimes, and optionally another Diffie-Hellman-Merkel exchange if Perfect Forward Secrecy is enabled (PFS).

Regards,

Pratik 

Sheikh
Staff
Staff

Hi Thorg,

 

This line indicates that a child SA (subsequent security association) has been established. In other words, once the main IKE tunnel is established, child SAs can be created for specific types of traffic.

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors