Troubleshooting – IPsec related diagnose command

IPsec related diagnose command

This document lists the IPsec-related diagnose commands on a FortiGate, with sample output for each.

  1. Daemon IKE summary information list: diagnose vpn ike status

connection: 2/50
IKE SA: created 2/51 established 2/9 times 0/13/40 ms
IPsec SA: created 1/13 established 1/7 times 0/8/30 ms

  2. IPsec phase1 interface status: diagnose vpn ike gateway list

vd: root/0 name: tofgtc version: 1 interface: port13 42
addr: 173.1.1.1:500 -> 172.16.200.3:500
created: 4313s ago
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 0/0
id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b direction: initiator
status: established 4313-4313s ago = 10ms
proposal: aes128-sha256
key: 74aa3d63d88e10ea-8a1c73b296b06578
lifetime/rekey: 86400/81786
DPD sent/recv: 00000000/00000000

vd: root/0 name: to_HQ version: 1 interface: port13 42
addr: 173.1.1.1:500 -> 11.101.1.1:500
created: 1013s ago
assigned IPv4 address: 11.11.11.1/255.255.255.252
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 95 255791bd30c749f4/c2505db65210258b direction: initiator
status: established 1013-1013s ago = 0ms
proposal: aes128-sha256
key: bb101b9127ed5844-1582fd614d5a8a33
lifetime/rekey: 86400/85086
DPD sent/recv: 00000000/00000010

  3. IPsec phase2 tunnel status: diagnose vpn tunnel list

list all ipsec tunnel in vd 0
------------------------------------------------------
name=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_dev
proxyid_num=0 child_num=0 refcnt=10 ilast=13544 olast=13544 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=10 olast=1112 ad=/0
stat: rxp=1 txp=4 rxb=152 txb=336
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000002 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=ca64644a esp=aes key=16 6cc873fdef91337a6cf9b6948972c90f ah=sha1 key=20 e576dbe3ff92605931e5670ad57763c50c7dc73a
  enc: spi=747c10c8 esp=aes key=16 5060ad8d0da6824204e3596c0bd762f4 ah=sha1 key=20 52965cbd5b6ad95212fc825929d26c0401948abe
  dec:pkts/bytes=1/84, enc:pkts/bytes=4/608
  npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2
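To make this output actionable across many tunnels, here is an added Python example (not from the page or from Fortinet) that parses the diagnose vpn tunnel list text into one record per tunnel and flags tunnels with no phase2 SA, one-way traffic, or a zero anti-replay window; the sample text is constructed from the two tunnels above and the key material lines are left out.

```python
import re

# Constructed sample, abbreviated from the diagnose vpn tunnel list output above (key lines omitted).
SAMPLE = """\
name=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_dev
proxyid_num=0 child_num=0 refcnt=10 ilast=13544 olast=13544 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
------------------------------------------------------
name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0
proxyid_num=1 child_num=0 refcnt=13 ilast=10 olast=1112 ad=/0
stat: rxp=1 txp=4 rxb=152 txb=336
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048 seqno=5 esn=0
"""

KV = re.compile(r"(\w+(?:\[\w+\])?)=(\S+)")          # key=value pairs, incl. options[0018]=npu
SEGMENT = re.compile(r"\s+(?=\w+:\s)")              # splits "... ad=/0 stat: rxp=0 ..." into sub-records

def parse_tunnel_list(text):
    """One dict per tunnel; stat/dpd/natt keys are prefixed, SA lines collected under 'SA'."""
    tunnels, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("name="):
            peer = re.search(r"(\S+)->(\S+)$", line)
            cur = {"SA": [], "local": peer[1], "remote": peer[2]}
            tunnels.append(cur)
        if cur is None: continue                    # header lines before the first tunnel
        for seg in SEGMENT.split(line):            # sub-records may share a line or have their own
            m = re.match(r"(\w+):\s+(.*)", seg)
            prefix, body = (m[1] + "_", m[2]) if m else ("", seg)
            if prefix == "SA_":                     # one entry per installed phase2 SA
                cur["SA"].append(dict(KV.findall(body)))
            else:
                cur.update((prefix + k, v) for k, v in KV.findall(body))
    return tunnels

def tunnel_findings(tunnels):
    out = []
    for t in tunnels:
        if not t["SA"]:
            out.append((t["name"], "no IPsec SA installed (phase2 not established)"))
        if int(t.get("stat_txp", 0)) and not int(t.get("stat_rxp", 0)):
            out.append((t["name"], "packets sent but none received (one-way tunnel)"))
        if any(sa.get("replaywin") == "0" for sa in t["SA"]):
            out.append((t["name"], "anti-replay window is 0"))
    return out
```

On the sample, the idle L2tpoIPsec dialup entry is reported for having no SA while to_HQ passes all three checks.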

  4. Packets encrypted/decrypted counter: diagnose vpn ipsec status

All ipsec crypto devices in use:
NP6_0:
Encryption (encrypted/decrypted)
        null             : 0 0
        des              : 0 0
        3des             : 0 0
        aes              : 0 0
        aes-gcm          : 0 0
        aria             : 0 0
        seed             : 0 0
        chacha20poly1305 : 0 0
Integrity (generated/validated)
        null             : 0 0
        md5              : 0 0
        sha1             : 0 0
        sha256           : 0 0
        sha384           : 0 0
        sha512           : 0 0

NP6_1:
Encryption (encrypted/decrypted)
        null             : 0 0
        des              : 0 0
        3des             : 0 0
        aes              : 337152 46069
        aes-gcm          : 0 0
        aria             : 0 0
        seed             : 0 0
        chacha20poly1305 : 0 0
Integrity (generated/validated)
        null             : 0 0
        md5              : 0 0
        sha1             : 337152 46069
        sha256           : 0 0
        sha384           : 0 0
        sha512           : 0 0

NPU Host Offloading:
Encryption (encrypted/decrypted)
        null             : 0 0
        des              : 0 0
        3des             : 0 0
        aes              : 38 0
        aes-gcm          : 0 0
        aria             : 0 0
        seed             : 0 0
        chacha20poly1305 : 0 0
Integrity (generated/validated)
        null             : 0 0
        md5              : 0 0
        sha1             : 38 0
        sha256           : 0 0
        sha384           : 0 0
        sha512           : 0 0

CP8:
Encryption (encrypted/decrypted)
        null             : 0 0
        des              : 0 0
        3des             : 1337 1582
        aes              : 71 11426
        aes-gcm          : 0 0
        aria             : 0 0
        seed             : 0 0
        chacha20poly1305 : 0 0
Integrity (generated/validated)
        null             : 0 0
        md5              : 48 28
        sha1             : 1360 12980
        sha256           : 0 0
        sha384           : 0 0
        sha512           : 0 0

SOFTWARE:
Encryption (encrypted/decrypted)
        null             : 0 0
        des              : 0 0
        3des             : 0 0
        aes              : 0 0
        aes-gcm          : 0 0
        aria             : 0 0
        seed             : 0 0
        chacha20poly1305 : 0 0
Integrity (generated/validated)
        null             : 0 0
        md5              : 0 0
        sha1             : 0 0
        sha256           : 0 0
        sha384           : 0 0
        sha512           : 0 0
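The per-engine counters are also a quick cryptographic audit: any non-zero row for DES, 3DES, MD5 or SHA1 means a tunnel on the unit is still negotiating that algorithm (the CP8 block above shows 3DES and MD5 traffic). Here is an added Python example (not from the page or from Fortinet) that parses this output, reports which legacy algorithms have handled packets and which engine carries the load; the sample is constructed from the output above with the zero rows trimmed.

```python
import re

# Constructed sample, abbreviated from the diagnose vpn ipsec status output above (zero rows trimmed).
SAMPLE = """\
All ipsec crypto devices in use: NP6_1:
Encryption (encrypted/decrypted)
        aes              : 337152 46069
Integrity (generated/validated)
        sha1             : 337152 46069
        sha256           : 0 0
CP8:
Encryption (encrypted/decrypted)
        3des             : 1337 1582
        aes              : 71 11426
Integrity (generated/validated)
        md5              : 48 28
        sha1             : 1360 12980
NPU Host Offloading:
Encryption (encrypted/decrypted)
        aes              : 38 0
SOFTWARE:
Encryption (encrypted/decrypted)
        aes              : 0 0
"""

LEGACY = {"null", "des", "3des", "md5", "sha1"}   # algorithms a current IPsec policy should not negotiate

def parse_ipsec_status(text):
    """{device: {"Encryption": {alg: (encrypted, decrypted)}, "Integrity": {alg: (generated, validated)}}}"""
    devices, dev, section = {}, None, None
    for line in text.splitlines():
        line = line.replace("All ipsec crypto devices in use:", "").strip()
        if m := re.fullmatch(r"([\w ]+):", line):                  # NP6_1: / CP8: / NPU Host Offloading:
            dev, section = devices.setdefault(m[1], {}), None
        elif m := re.match(r"(Encryption|Integrity)\b", line):
            section = m[1]
        elif (m := re.fullmatch(r"(\S+)\s*:\s*(\d+)\s+(\d+)", line)) and dev is not None and section:
            dev.setdefault(section, {})[m[1]] = (int(m[2]), int(m[3]))
    return devices

def legacy_in_use(devices):
    """(device, section, algorithm, counters) for each legacy algorithm that has handled packets."""
    return [(d, s, alg, c) for d, secs in devices.items() for s, algs in secs.items()
            for alg, c in algs.items() if alg in LEGACY and any(c)]

def busiest_device(devices):
    """Engine doing most of the ESP encryption work, a quick check that NPU/CP offload is in effect."""
    load = {d: sum(sum(c) for c in s.get("Encryption", {}).values()) for d, s in devices.items()}
    return max(load, key=load.get)
```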
  5. IKE negotiation debug output, filtered to the to_HQ peer:
     diagnose debug application ike -1
     diagnose vpn ike log-filter dst-addr4 11.101.1.1
     diagnose vpn ike log-filter src-addr4 173.1.1.1

ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message...
ike 0:to_HQ:101: cookie dff03f1d4820222a/0000000000000000
ike 0:to_HQ:101: sent IKE msg (agg_i1send): 173.1.1.1:500->11.101.1.1:500, len=912, id=dff03f1d4820222a/0000000000000000
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624
ike 0:to_HQ:101: initiator: aggressive mode get 1st response...
ike 0:to_HQ:101: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:to_HQ:101: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:to_HQ:101: DPD negotiated
ike 0:to_HQ:101: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:to_HQ:101: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0204
ike 0:to_HQ:101: peer supports UNITY
ike 0:to_HQ:101: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:to_HQ:101: peer is FortiGate/FortiOS (v0 b0)
ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:to_HQ:101: peer identifier IPV4_ADDR 11.101.1.1
ike 0:to_HQ:101: negotiation result
ike 0:to_HQ:101: proposal id = 1:
ike 0:to_HQ:101: protocol id = ISAKMP:
ike 0:to_HQ:101: trans_id = KEY_IKE.
ike 0:to_HQ:101: encapsulation = IKE/none
ike 0:to_HQ:101:      type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:to_HQ:101:      type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to_HQ:101:      type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:to_HQ:101:      type=OAKLEY_GROUP, val=MODP2048.
ike 0:to_HQ:101: ISAKMP SA lifetime=86400
ike 0:to_HQ:101: received NAT-D payload type 20
ike 0:to_HQ:101: received NAT-D payload type 20
ike 0:to_HQ:101: selected NAT-T version: RFC 3947
ike 0:to_HQ:101: NAT not detected
ike 0:to_HQ:101: ISAKMP SA dff03f1d4820222a/6c2caf4dcf5bab75 key 16:D81CAE6B2500435BFF195491E80148F3
ike 0:to_HQ:101: PSK authentication succeeded
ike 0:to_HQ:101: authentication OK
ike 0:to_HQ:101: add INITIAL-CONTACT
ike 0:to_HQ:101: sent IKE msg (agg_i2send): 173.1.1.1:500->11.101.1.1:500, len=172, id=dff03f1d4820222a/6c2caf4dcf5bab75
ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 len=92
ike 0:to_HQ:101: mode-cfg type 16521 request 0:
ike 0:to_HQ:101: mode-cfg type 16522 request 0:
ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=108, id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 len=92
ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=92, id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295
ike 0:to_HQ:101: initiating mode-cfg pull from peer
ike 0:to_HQ:101: mode-cfg request APPLICATION_VERSION
ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_ADDRESS
ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_NETMASK
ike 0:to_HQ:101: mode-cfg request UNITY_SPLIT_INCLUDE
ike 0:to_HQ:101: mode-cfg request UNITY_PFS
ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=140, id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f len=172
ike 0:to_HQ:101: mode-cfg type 1 response 4:0B0B0B01
ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_ADDRESS 11.11.11.1
ike 0:to_HQ:101: mode-cfg type 2 response 4:FFFFFFFC
ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_NETMASK 255.255.255.252
ike 0:to_HQ:101: mode-cfg received UNITY_PFS 1
ike 0:to_HQ:101: mode-cfg type 28676 response 28:0A016400FFFFFF000000000000000A016500FFFFFF00000000000000
ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.100.0/255.255.255.0:0 local port 0
ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.101.0/255.255.255.0:0 local port 0
ike 0:to_HQ:101: mode-cfg received APPLICATION_VERSION 'FortiGate-100D v6.0.3,build0200,181009 (GA)'
ike 0:to_HQ: mode-cfg add 11.11.11.1/255.255.255.252 to 'to_HQ'/58
ike 0:to_HQ: set oper up
ike 0:to_HQ: schedule auto-negotiate
ike 0:to_HQ:101: no pending Quick-Mode negotiations
ike shrank heap by 159744 bytes
ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:0
ike 0:to_HQ:to_HQ: using existing connection
ike 0:to_HQ:to_HQ: config found
ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:500 negotiating
ike 0:to_HQ:101: cookie dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
ike 0:to_HQ:101:to_HQ:259: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:to_HQ:101: sent IKE msg (quick_i1send): 173.1.1.1:500->11.101.1.1:500, len=620, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Quick id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 len=444
ike 0:to_HQ:101:to_HQ:259: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: my proposal:
ike 0:to_HQ:101:to_HQ:259: proposal id = 1:

ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: incoming proposal:
ike 0:to_HQ:101:to_HQ:259: proposal id = 1:
ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ: schedule auto-negotiate
ike 0:to_HQ:101:to_HQ:259: replay protection enabled
ike 0:to_HQ:101:to_HQ:259: SA life soft seconds=42902.
ike 0:to_HQ:101:to_HQ:259: SA life hard seconds=43200.
ike 0:to_HQ:101:to_HQ:259: IPsec SA selectors #src=1 #dst=1
ike 0:to_HQ:101:to_HQ:259: src 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: dst 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: add IPsec SA: SPIs=ca64644b/747c10c9
ike 0:to_HQ:101:to_HQ:259: IPsec SA dec spi ca64644b key 16:D5C60F1A3951B288CE4DEC7E04D2119D auth 20:F872A7A26964208A9AA368A31AEFA3DB3F3780BC
ike 0:to_HQ:101:to_HQ:259: IPsec SA enc spi 747c10c9 key 16:97952E1594F718128D9D7B09400856EA auth 20:4D5E5BC45A9D5A9A4631E911932F5650A4639A37
ike 0:to_HQ:101:to_HQ:259: added IPsec SA: SPIs=ca64644b/747c10c9
ike 0:to_HQ:101:to_HQ:259: sending SNMP tunnel UP trap
ike 0:to_HQ:101: sent IKE msg (quick_i2send): 173.1.1.1:500->11.101.1.1:500, len=76, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
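The debug log records what was actually negotiated, which can differ from what is configured, so it doubles as a hardening check. Here is an added Python example (not from the page or from Fortinet) that extracts the phase1 and phase2 parameters from the ike messages and flags weak choices such as the aggressive-mode-with-PSK exchange shown above; the sample log is constructed from the lines above, and the context-depth rule for telling the ph1 and ph2 contexts apart is an assumption drawn from the format of those lines.

```python
import re

# Constructed sample, one "ike" message per line, abbreviated from the debug output above.
SAMPLE = """\
ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message...
ike 0:to_HQ:101:      type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:to_HQ:101:      type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to_HQ:101:      type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:to_HQ:101:      type=OAKLEY_GROUP, val=MODP2048.
ike 0:to_HQ:101:to_HQ:259: my proposal:
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: incoming proposal:
ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
"""

LINE = re.compile(r"ike \d+:(\S+): (.*)")          # (context, message)
ATTR = re.compile(r"type\s*=\s*(\w+), val=(\w+)(?:, key-len=(\d+))?")

def parse_ike_debug(text):
    """Negotiated IKE SA (phase1) and IPsec SA (phase2) parameters. Context depth separates the
    phases ('to_HQ:101' vs 'to_HQ:101:to_HQ:259'); only the 'incoming proposal' block is accepted."""
    p1, p2, flags, accepted = {}, {}, set(), False
    for m in filter(None, map(LINE.match, text.splitlines())):
        ctx, msg = m[1], m[2].strip()
        a = ATTR.search(msg)
        if ctx.count(":") < 3:                      # IKE SA context
            if "aggressive mode" in msg: flags.add("aggressive")
            if a: p1[a[1]] = a[2] + (f"_{a[3]}" if a[3] else "")
            continue
        accepted = accepted or msg == "incoming proposal:"
        if not accepted:                            # still inside our own candidate list
            continue
        if a: p2[a[1]] = a[2]
        if g := re.search(r"PFS DH group = (\d+)", msg): p2["pfs_group"] = int(g[1])
        if t := re.search(r"trans_id = (\w+) \(key_len = (\d+)\)", msg): p2["esp"] = f"{t[1]}_{t[2]}"
    return {"phase1": p1, "phase2": p2, "flags": flags}

def ike_findings(r):
    p1, p2, out = r["phase1"], r["phase2"], []
    if "aggressive" in r["flags"] and p1.get("AUTH_METHOD", "").startswith("PRESHARED_KEY"):
        out.append("IKEv1 aggressive mode with PSK: prefer main mode or IKEv2")
    if p1.get("OAKLEY_GROUP") in ("MODP768", "MODP1024"):
        out.append("weak IKE DH group " + p1["OAKLEY_GROUP"])
    if p2.get("AUTH_ALG") in ("MD5", "SHA1"):
        out.append("legacy phase2 integrity algorithm " + p2["AUTH_ALG"])
    if "pfs_group" not in p2:
        out.append("phase2 negotiated without PFS")
    return out
```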



This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
