FORTIGATE - IPsec Debug: Difference between revisions
From Wiki.IT-Arts.net
imported>Z (Created page with "Category:Post-It SÉRIE DE COMMANDES PERMETTANT LE DEBUG D'UN VPN IPSEC == SHOW PHASE 1 == <nowiki> FG1_X (IPSEC-VDOM) # diagnose vpn ike gateway list name PHASE1-NA...") |
imported>Z No edit summary |
||
(2 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
== Show Phase 1 == | |||
== | |||
<nowiki> | <nowiki> | ||
Line 30: | Line 29: | ||
== | == Show Phase 2 == | ||
<nowiki> | <nowiki> | ||
Line 60: | Line 59: | ||
== COMMAND : diagnose debug enable == | == COMMAND : diagnose debug enable == | ||
The '''debug''' command step by step : | |||
=== | |||
=== Show Log With Timestamp === | |||
<nowiki> | <nowiki> | ||
Line 69: | Line 70: | ||
=== | === Set the protocol ike and the remote IP === | ||
<nowiki> | <nowiki> | ||
Line 76: | Line 77: | ||
=== | === Enable IKE debugging mode === | ||
<nowiki> | <nowiki> | ||
Line 83: | Line 84: | ||
=== | === Launching The Debug Session === | ||
<nowiki> | |||
diagnose debug enable</nowiki> | |||
=== All The Command Lines In One Bloc === | |||
<nowiki> | <nowiki> | ||
Line 95: | Line 103: | ||
=== | ---- | ||
<bloquote> | |||
!!! DON'T FORGET TO STOP THE DEBUGGING SESSION TO NOT HEXAUST THE PROCESSOR(S) | |||
<bloquote> | |||
---- | |||
=== Disable The Running Debug Session === | |||
<nowiki> | <nowiki> | ||
Line 101: | Line 117: | ||
=== | === Reset The Debug Session === | ||
<nowiki> | <nowiki> | ||
Line 108: | Line 124: | ||
== | == Kill An IPsec Phase 1 == | ||
<nowiki> | <nowiki> | ||
Line 115: | Line 131: | ||
== | == Kill One Phase 2 Of An IPsec VPN == | ||
<nowiki> | <nowiki> | ||
diagnose vpn tunnel flush <phase- | diagnose vpn tunnel flush <phase-2-name></nowiki> | ||
== | == Kill All Phase 2 Of An IPsec VPN With NAT-T And DPD resetting == | ||
<nowiki> | <nowiki> |
Latest revision as of 10:44, 1 May 2024
SÉRIE DE COMMANDES PERMETTANT LE DEBUG D'UN VPN IPSEC
Show Phase 1
FG1_X (IPSEC-VDOM) # diagnose vpn ike gateway list name PHASE1-NAME vd: IPSEC-VDOM name: PHASE1-NAME version: 1 interface: 0 addr: W.X.Y.Z:500 -> W.X.Y.Z:500 created: 596s ago IKE SA: created 1/1 established 1/1 time 30/30/30 ms IPsec SA: created 0/0 id/spi: 473654 dd6e5150700cf51d/93a0dcbaaaaa8cd4 direction: initiator status: established 596-596s ago = 30ms proposal: aes256-sha1 key: f18d6e8eec37e002-cbe6bb2c6dcba0ea-5b350a09d77dd2a9-209f1dd7937409e6 lifetime/rekey: 28800/27903 DPD sent/recv: 00000000/00000000
Show Phase 2
# FG1_Y (root) # diagnose vpn tunnel list name PHASE2-NAME list ipsec tunnel by names in vd 0 ------------------------------------------------------ name=PHASE2-NAME ver=2 serial=56 W.X.Y.Z:0->W.X.Y.Z:0 dst_mtu=1500 bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0 proxyid_num=3 child_num=0 refcnt=11 ilast=9 olast=2614 ad=/0 stat: rxp=104 txp=3 rxb=13216 txb=360 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=PHASE2-NAME proto=0 sa=1 ref=2 serial=4 auto-negotiate src: 0:W.X.Y.Z/255.255.255.0:0 dst: 0:W.X.Y.Z/255.255.255.255:0 SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=382/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1 life: type=01 bytes=0/0 timeout=3299/3600 dec: spi=7e8873be esp=aes key=32 9d03ca1145X0ecaf0f51d01ec0472c604807c58fcb7305a9897411b10c952963 ah=sha256 key=32 34907b4901f94932b77e9f4a24fd00x4bc352eaef4318420ffbcc3472023ef45 enc: spi=317be9ff esp=aes key=32 7bdd92d3d641d5e6de0599X346928c5f442d44b432dfba976de9db5adaa3b70e ah=sha256 key=32 4ebfc770d6dc3f2c8921e1b4x97f05a14fa763844e957b40d8deae7e8e5e64c9 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=91.199.11.249 npu_lgwy=W.X.Y.Z npu_selid=193 dec_npuid=0 enc_npuid=0
COMMAND : diagnose debug enable
The debug command step by step :
Show Log With Timestamp
diagnose debug console timestamp enable
Set the protocol ike and the remote IP
diagnose vpn ike log-filter dst-addr4 [IP]
Enable IKE debugging mode
diagnose debug application ike -1
Launching The Debug Session
diagnose debug enable
All The Command Lines In One Bloc
diagnose debug disable diagnose debug reset diagnose debug console timestamp enable diagnose vpn ike log-filter dst-addr4 [IP] diagnose debug application ike -1 diagnose debug enable
<bloquote> !!! DON'T FORGET TO STOP THE DEBUGGING SESSION TO NOT HEXAUST THE PROCESSOR(S) <bloquote>
Disable The Running Debug Session
diagnose debug disable
Reset The Debug Session
diagnose debug reset
Kill An IPsec Phase 1
diagnose vpn ike gateway clear name <phase-1-name>
Kill One Phase 2 Of An IPsec VPN
diagnose vpn tunnel flush <phase-2-name>
Kill All Phase 2 Of An IPsec VPN With NAT-T And DPD resetting
diagnose vpn tunnel reset tunnel-name <phase-1-name>
Strace The Flow
diagnose debug disable diagnose debug flow trace stop diagnose debug flow filter clear diagnose debug reset diagnose debug flow filter addr <REMOTE-IP> diagnose debug flow show function-name enable diagnose debug console timestamp enable diagnose debug flow trace start 9999 diagnose debug enable
Or :
diagnose debug disable diagnose debug reset diagnose debug flow filter addr <REMOTE-IP> diagnose debug flow show function-name enable diagnose debug console timestamp enable diagnose debug flow trace start 999 diagnose debug enable