IPsec-related diagnose commands
This document lists the IPsec-related diagnose commands and shows sample output for each.
- Daemon IKE summary information list: diagnose vpn ike status
connection: 2/50
IKE SA: created 2/51 established 2/9 times 0/13/40 ms
IPsec SA: created 1/13 established 1/7 times 0/8/30 ms
- IPsec phase1 interface status: diagnose vpn ike gateway list
vd: root/0 name: tofgtc version: 1 interface: port13 42
addr: 173.1.1.1:500 -> 172.16.200.3:500
created: 4313s ago
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 0/0
id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b direction: initiator
status: established 4313-4313s ago = 10ms proposal: aes128-sha256
key: 74aa3d63d88e10ea-8a1c73b296b06578 lifetime/rekey: 86400/81786
DPD sent/recv: 00000000/00000000
vd: root/0 name: to_HQ version: 1 interface: port13 42
addr: 173.1.1.1:500 -> 11.101.1.1:500
created: 1013s ago
assigned IPv4 address: 11.11.11.1/255.255.255.252
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 95 255791bd30c749f4/c2505db65210258b direction: initiator
status: established 1013-1013s ago = 0ms proposal: aes128-sha256
key: bb101b9127ed5844-1582fd614d5a8a33 lifetime/rekey: 86400/85086
DPD sent/recv: 00000000/00000010
- IPsec phase2 tunnel status: diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_dev
proxyid_num=0 child_num=0 refcnt=10 ilast=13544 olast=13544 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=10 olast=1112 ad=/0
stat: rxp=1 txp=4 rxb=152 txb=336
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000002 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=ca64644a esp=aes key=16 6cc873fdef91337a6cf9b6948972c90f ah=sha1 key=20 e576dbe3ff92605931e5670ad57763c50c7dc73a
  enc: spi=747c10c8 esp=aes key=16 5060ad8d0da6824204e3596c0bd762f4 ah=sha1 key=20 52965cbd5b6ad95212fc825929d26c0401948abe
  dec:pkts/bytes=1/84, enc:pkts/bytes=4/608
  npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2
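The tunnel list above is what an operator reads by eye; the following added example (not part of the original page or of FortiOS) parses that output format into per-tunnel SA records and flags the things a defender checks first: IKE version, tunnels with no SA, weak ESP/AH algorithms, and one-way traffic. The sample text is constructed from the page's own values with the key bytes replaced by a KEYBYTES placeholder.

```python
import re
# Constructed sample in the format of "diagnose vpn tunnel list"; the values are
# the page's, non-essential lines are dropped and key bytes replaced by KEYBYTES.
SAMPLE = """list all ipsec tunnel in vd 0
------------------------------------------------------
name=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0
------------------------------------------------------
name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048 seqno=5 esn=0
  dec: spi=ca64644a esp=aes key=16 KEYBYTES ah=sha1 key=20 KEYBYTES
  enc: spi=747c10c8 esp=aes key=16 KEYBYTES ah=sha1 key=20 KEYBYTES
  dec:pkts/bytes=1/84, enc:pkts/bytes=4/608
"""
WEAK_ESP, WEAK_AH = {"null", "des", "3des"}, {"null", "md5"}
AEAD = {"aes-gcm", "chacha20poly1305"}      # integrity is built in, so ah=null is expected

def parse_tunnels(text):
    """Return {name: {"ver": ike_version, "sas": [sa, ...]}}, one dict per SA block."""
    tunnels, cur, sa = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"name=(\S+) ver=(\d+) ", line)
        if m:                                   # tunnel header starts a new record
            cur = tunnels[m.group(1)] = {"ver": int(m.group(2)), "sas": []}
            sa = None
        elif cur is not None and line.startswith("SA: "):
            sa = {"expire": int(re.search(r"expire=(\d+)", line).group(1))}
            cur["sas"].append(sa)
        elif sa is not None and line.startswith(("dec: ", "enc: ")):
            m = re.search(r"spi=(\w+) esp=(\S+) .*ah=(\S+)", line)
            sa[line[:3]] = dict(zip(("spi", "esp", "ah"), m.groups()))
        elif sa is not None and line.startswith("dec:pkts"):
            sa["dec_pkts"], sa["enc_pkts"] = map(int, re.findall(r"pkts/bytes=(\d+)/", line))
    return tunnels

def assess(tunnels):
    out = []                                    # (tunnel, message) pairs worth a second look
    for name, t in tunnels.items():
        if t["ver"] == 1:
            out.append((name, "IKEv1 tunnel; prefer IKEv2 where the peer supports it"))
        if not t["sas"]:
            out.append((name, "no IPsec SA installed (tunnel down, or dialup with no client)"))
        for sa in t["sas"]:
            esp, ah = sa["enc"]["esp"], sa["enc"]["ah"]
            if esp in WEAK_ESP or (esp not in AEAD and ah in WEAK_AH):
                out.append((name, f"weak algorithms esp={esp} ah={ah}"))
            if sa.get("enc_pkts") and not sa.get("dec_pkts"):
                out.append((name, "one-way traffic: encrypting but nothing decrypted"))
    return out
```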
- Packets encrypted/decrypted counter: diagnose vpn ipsec status
All ipsec crypto devices in use:
NP6_0:
Encryption (encrypted/decrypted)
  null             : 0
  des              : 0
  3des             : 0
  aes              : 0
  aes-gcm          : 0
  aria             : 0
  seed             : 0
  chacha20poly1305 : 0
Integrity (generated/validated)
  null   : 0
  md5    : 0
  sha1   : 0
  sha256 : 0
  sha384 : 0
  sha512 : 0
NP6_1:
Encryption (encrypted/decrypted)
  null             : 0
  des              : 0
  3des             : 0
  aes              : 337152 46069
  aes-gcm          : 0
  aria             : 0
  seed             : 0
  chacha20poly1305 : 0
Integrity (generated/validated)
  null   : 0
  md5    : 0
  sha1   : 337152 46069
  sha256 : 0
  sha384 : 0
  sha512 : 0
NPU Host Offloading:
Encryption (encrypted/decrypted)
  null             : 0
  des              : 0
  3des             : 0
  aes              : 38
  aes-gcm          : 0
  aria             : 0
  seed             : 0
  chacha20poly1305 : 0
Integrity (generated/validated)
  null   : 0
  md5    : 0
  sha1   : 38
  sha256 : 0
  sha384 : 0
  sha512 : 0
CP8:
Encryption (encrypted/decrypted)
  null             : 0
  des              : 0
  3des             : 1337 1582
  aes              : 71 11426
  aes-gcm          : 0
  aria             : 0
  seed             : 0
  chacha20poly1305 : 0
Integrity (generated/validated)
  null   : 0
  md5    : 48 28
  sha1   : 1360 12980
  sha256 : 0
  sha384 : 0
  sha512 : 0
SOFTWARE:
Encryption (encrypted/decrypted)
  null             : 0
  des              : 0
  3des             : 0
  aes              : 0
  aes-gcm          : 0
  aria             : 0
  seed             : 0
  chacha20poly1305 : 0
Integrity (generated/validated)
  null   : 0
  md5    : 0
  sha1   : 0
  sha256 : 0
  sha384 : 0
  sha512 : 0
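The counters above show that the CP8 engine has processed 3DES and MD5 traffic, which is exactly what a periodic configuration review wants to catch. The following added example (not part of the original page or of FortiOS) parses the "diagnose vpn ipsec status" format per crypto device and reports deprecated algorithms with non-zero counters. The sample output is constructed from the page's NP6_1 and CP8 values.

```python
import re
# Constructed sample in the format of "diagnose vpn ipsec status"; the non-zero
# counters are the page's NP6_1 and CP8 values, the other rows are zero.
SAMPLE = """All ipsec crypto devices in use:
NP6_1:
Encryption (encrypted/decrypted)
         3des :          0          0
          aes :     337152      46069
Integrity (generated/validated)
          md5 :          0          0
         sha1 :     337152      46069
CP8:
Encryption (encrypted/decrypted)
         3des :       1337       1582
          aes :         71      11426
Integrity (generated/validated)
          md5 :         48         28
         sha1 :       1360      12980
"""
# null integrity is legitimate with AEAD ciphers (aes-gcm, chacha20poly1305), so only md5 is flagged there
DEPRECATED = {"Encryption": {"null", "des", "3des"}, "Integrity": {"md5"}}

def parse_status(text):
    """Return {device: {"Encryption": {alg: (n1, n2)}, "Integrity": {alg: (n1, n2)}}}."""
    devices, dev, section = {}, None, None
    for line in text.splitlines():
        if line.startswith("All ipsec crypto devices"):
            continue                                # banner, not a device
        m = re.match(r"^([^:]+):\s*$", line)         # device header such as "CP8:"
        if m:
            dev, section = devices.setdefault(m.group(1).strip(), {}), None
            continue
        m = re.match(r"^(Encryption|Integrity) \(", line)
        if m and dev is not None:
            section = dev.setdefault(m.group(1), {})
            continue
        m = re.match(r"^\s*(\S+)\s*:\s*(\d+)\s+(\d+)\s*$", line)
        if m and section is not None:
            section[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return devices

def deprecated_in_use(devices):
    """(device, section, algorithm, total count) for deprecated algorithms that saw traffic."""
    hits = []
    for dev, sections in devices.items():
        for sec, algs in sections.items():
            for alg, (a, b) in algs.items():
                if alg in DEPRECATED[sec] and (a or b):
                    hits.append((dev, sec, alg, a + b))
    return hits
```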
- IKE daemon debug with log filters on the peer addresses:
diagnose debug application ike -1
diagnose vpn ike log-filter dst-addr4 11.101.1.1
diagnose vpn ike log-filter src-addr4 173.1.1.1
ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message...
ike 0:to_HQ:101: cookie dff03f1d4820222a/0000000000000000
ike 0:to_HQ:101: sent IKE msg (agg_i1send): 173.1.1.1:500->11.101.1.1:500, len=912, id=dff03f1d4820222a/0000000000000000
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624
ike 0:to_HQ:101: initiator: aggressive mode get 1st response...
ike 0:to_HQ:101: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:to_HQ:101: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:to_HQ:101: DPD negotiated
ike 0:to_HQ:101: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:to_HQ:101: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0204
ike 0:to_HQ:101: peer supports UNITY
ike 0:to_HQ:101: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:to_HQ:101: peer is FortiGate/FortiOS (v0 b0)
ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:to_HQ:101: peer identifier IPV4_ADDR 11.101.1.1
ike 0:to_HQ:101: negotiation result
ike 0:to_HQ:101: proposal id = 1:
ike 0:to_HQ:101: protocol id = ISAKMP:
ike 0:to_HQ:101: trans_id = KEY_IKE.
ike 0:to_HQ:101: encapsulation = IKE/none
ike 0:to_HQ:101: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:to_HQ:101: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to_HQ:101: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:to_HQ:101: type=OAKLEY_GROUP, val=MODP2048.
ike 0:to_HQ:101: ISAKMP SA lifetime=86400
ike 0:to_HQ:101: received NAT-D payload type 20
ike 0:to_HQ:101: received NAT-D payload type 20
ike 0:to_HQ:101: selected NAT-T version: RFC 3947
ike 0:to_HQ:101: NAT not detected
ike 0:to_HQ:101: ISAKMP SA dff03f1d4820222a/6c2caf4dcf5bab75 key 16:D81CAE6B2500435BFF195491E80148F3
ike 0:to_HQ:101: PSK authentication succeeded
ike 0:to_HQ:101: authentication OK
ike 0:to_HQ:101: add INITIAL-CONTACT
ike 0:to_HQ:101: sent IKE msg (agg_i2send): 173.1.1.1:500->11.101.1.1:500, len=172, id=dff03f1d4820222a/6c2caf4dcf5bab75
ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 len=92
ike 0:to_HQ:101: mode-cfg type 16521 request 0:
ike 0:to_HQ:101: mode-cfg type 16522 request 0:
ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=108, id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 len=92
ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=92, id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295
ike 0:to_HQ:101: initiating mode-cfg pull from peer
ike 0:to_HQ:101: mode-cfg request APPLICATION_VERSION
ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_ADDRESS
ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_NETMASK
ike 0:to_HQ:101: mode-cfg request UNITY_SPLIT_INCLUDE
ike 0:to_HQ:101: mode-cfg request UNITY_PFS
ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=140, id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f len=172
ike 0:to_HQ:101: mode-cfg type 1 response 4:0B0B0B01
ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_ADDRESS 11.11.11.1
ike 0:to_HQ:101: mode-cfg type 2 response 4:FFFFFFFC
ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_NETMASK 255.255.255.252
ike 0:to_HQ:101: mode-cfg received UNITY_PFS 1
ike 0:to_HQ:101: mode-cfg type 28676 response 28:0A016400FFFFFF000000000000000A016500FFFFFF00000000000000
ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.100.0/255.255.255.0:0 local port 0
ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.101.0/255.255.255.0:0 local port 0
ike 0:to_HQ:101: mode-cfg received APPLICATION_VERSION 'FortiGate-100D v6.0.3,build0200,181009 (GA)'
ike 0:to_HQ: mode-cfg add 11.11.11.1/255.255.255.252 to 'to_HQ'/58
ike 0:to_HQ: set oper up
ike 0:to_HQ: schedule auto-negotiate
ike 0:to_HQ:101: no pending Quick-Mode negotiations
ike shrank heap by 159744 bytes
ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:0
ike 0:to_HQ:to_HQ: using existing connection
ike 0:to_HQ:to_HQ: config found
ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:500 negotiating
ike 0:to_HQ:101: cookie dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
ike 0:to_HQ:101:to_HQ:259: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:to_HQ:101: sent IKE msg (quick_i1send): 173.1.1.1:500->11.101.1.1:500, len=620, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Quick id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 len=444
ike 0:to_HQ:101:to_HQ:259: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: my proposal:
ike 0:to_HQ:101:to_HQ:259: proposal id = 1:
ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: incoming proposal:
ike 0:to_HQ:101:to_HQ:259: proposal id = 1:
ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ: schedule auto-negotiate
ike 0:to_HQ:101:to_HQ:259: replay protection enabled
ike 0:to_HQ:101:to_HQ:259: SA life soft seconds=42902.
ike 0:to_HQ:101:to_HQ:259: SA life hard seconds=43200.
ike 0:to_HQ:101:to_HQ:259: IPsec SA selectors #src=1 #dst=1
ike 0:to_HQ:101:to_HQ:259: src 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: dst 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: add IPsec SA: SPIs=ca64644b/747c10c9
ike 0:to_HQ:101:to_HQ:259: IPsec SA dec spi ca64644b key 16:D5C60F1A3951B288CE4DEC7E04D2119D auth 20:F872A7A26964208A9AA368A31AEFA3DB3F3780BC
ike 0:to_HQ:101:to_HQ:259: IPsec SA enc spi 747c10c9 key 16:97952E1594F718128D9D7B09400856EA auth 20:4D5E5BC45A9D5A9A4631E911932F5650A4639A37
ike 0:to_HQ:101:to_HQ:259: added IPsec SA: SPIs=ca64644b/747c10c9
ike 0:to_HQ:101:to_HQ:259: sending SNMP tunnel UP trap
ike 0:to_HQ:101: sent IKE msg (quick_i2send): 173.1.1.1:500->11.101.1.1:500, len=76, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
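The lines to look for in that debug output are "negotiation result" with the type=/val= attributes, "NAT not detected", "PSK authentication succeeded", "established IKE SA" and "added IPsec SA". The following added example (not part of the original page or of FortiOS) extracts those fields from the debug format and raises the configuration observations a reviewer would note, such as aggressive mode with a pre-shared key or a small DH group. The sample is constructed from the page's to_HQ negotiation with the key material omitted.

```python
import re
# Constructed excerpt in the format of "diagnose debug application ike -1" output,
# using the page's lines for the to_HQ negotiation (key material omitted).
SAMPLE = """ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message...
ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624
ike 0:to_HQ:101: negotiation result
ike 0:to_HQ:101: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:to_HQ:101: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to_HQ:101: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:to_HQ:101: type=OAKLEY_GROUP, val=MODP2048.
ike 0:to_HQ:101: NAT not detected
ike 0:to_HQ:101: PSK authentication succeeded
ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75
ike 0:to_HQ:101:to_HQ:259: add IPsec SA: SPIs=ca64644b/747c10c9
"""
WEAK_GROUPS = {"MODP768", "MODP1024"}

def summarize(text):
    """Pull tunnel name, exchange type, negotiated ISAKMP attributes and outcome."""
    s = {"tunnel": None, "exchange": None, "nat": None, "ike_sa": None, "ipsec_spis": []}
    for line in text.splitlines():
        m = re.match(r"ike \d+:([^:]+):\d+: ", line)
        if m and s["tunnel"] is None:
            s["tunnel"] = m.group(1)
        m = re.search(r"IKEv1 exchange=(\w+)", line)
        if m and s["exchange"] is None:             # first exchange seen is phase 1
            s["exchange"] = m.group(1)
        m = re.search(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?", line)
        if m:                                       # e.g. OAKLEY_ENCRYPT_ALG -> AES_CBC-128
            s[m.group(1)] = m.group(2) + (f"-{m.group(3)}" if m.group(3) else "")
        if "NAT not detected" in line:
            s["nat"] = False
        elif "NAT detected" in line:
            s["nat"] = True
        m = re.search(r"established IKE SA (\S+)", line)
        if m:
            s["ike_sa"] = m.group(1)
        m = re.search(r"add IPsec SA: SPIs=(\w+)/(\w+)", line)
        if m:
            s["ipsec_spis"].append(m.groups())
    return s

def review(s):
    notes = []                                      # observations a defender should act on
    if s["exchange"] == "Aggressive" and s.get("AUTH_METHOD", "").startswith("PRESHARED_KEY"):
        notes.append("aggressive mode with PSK: the identity and authentication hash travel "
                     "unencrypted; prefer main mode or IKEv2 with certificates")
    if s.get("OAKLEY_GROUP") in WEAK_GROUPS:
        notes.append(f"weak DH group {s['OAKLEY_GROUP']}")
    return notes
```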