I am trying to understand the output of "diag vpn ike gateway list name <name>". I would like to know what the line "child: <yes/no>" says. Can someone explain this to me?
fortigate # diag vpn ike gateway list name <Name>
vd: root/0
name: <name>
version: 2
interface: wan1 7
addr: <IP1>:500 -> <IP2>:500
created: 1323297s ago
PPK: no
IKE SA: created 1/17 established 1/17 time 0/4/40 ms
IPsec SA: created 1/32 established 1/32 time 0/0/0 ms
id/spi: 2390 xxx
direction: responder
status: established 23088-23088s ago = 0ms
proposal: aes256-sha384
child: yes <--- What does this line mean?
SK_ei: xxx
SK_er: xxx
SK_ai: xxx
SK_ar: xxx57
message-id sent/recv: 30/37
lifetime/rekey: 86400/63041
DPD sent/recv: 0000083b/0000083b
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi thorg,
From the attached logs I am able to see that you are using IKEv2. IKEv2 has a two Phase negotiation process.
First Phase is known as IKE_SA_INIT and the second Phase is called as IKE_AUTH. At the end of second exchange (Phase 2), the first CHILD SA created.
In debugs "child: yes" means identities of IPSec Peers are verified and first CHILD_SA is established between the peers.
The CHILD_SA in IKEv2 performs nearly the same function as Quick Mode in IKEv1, setting up the transformations and parameters for traffic protection. That is, the encryption and authentication algorithms to be used to protect network traffic, key lifetimes, and optionally another Diffie-Hellman-Merkel exchange if Perfect Forward Secrecy is enabled (PFS).
Regards,
Pratik
Hi thorg,
From the attached logs I am able to see that you are using IKEv2. IKEv2 has a two Phase negotiation process.
First Phase is known as IKE_SA_INIT and the second Phase is called as IKE_AUTH. At the end of second exchange (Phase 2), the first CHILD SA created.
In debugs "child: yes" means identities of IPSec Peers are verified and first CHILD_SA is established between the peers.
The CHILD_SA in IKEv2 performs nearly the same function as Quick Mode in IKEv1, setting up the transformations and parameters for traffic protection. That is, the encryption and authentication algorithms to be used to protect network traffic, key lifetimes, and optionally another Diffie-Hellman-Merkel exchange if Perfect Forward Secrecy is enabled (PFS).
Regards,
Pratik
Hi Thorg,
This line indicates that a child SA (subsequent security association) has been established. In other words, once the main IKE tunnel is established, child SAs can be created for specific types of traffic.
regards,
Sheikh
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1631 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.