FORTIGATE - IPsec Debug: Difference between revisions

From Wiki.IT-Arts.net
Latest revision as of 10:44, 1 May 2024


SERIES OF COMMANDS FOR DEBUGGING AN IPSEC VPN


Show Phase 1

FG1_X (IPSEC-VDOM) # diagnose vpn ike gateway list name PHASE1-NAME

vd: IPSEC-VDOM
name: PHASE1-NAME
version: 1
interface:  0
addr: W.X.Y.Z:500 -> W.X.Y.Z:500
created: 596s ago
IKE SA: created 1/1  established 1/1  time 30/30/30 ms
IPsec SA: created 0/0

  id/spi: 473654 dd6e5150700cf51d/93a0dcbaaaaa8cd4
  direction: initiator
  status: established 596-596s ago = 30ms
  proposal: aes256-sha1
  key: f18d6e8eec37e002-cbe6bb2c6dcba0ea-5b350a09d77dd2a9-209f1dd7937409e6
  lifetime/rekey: 28800/27903
  DPD sent/recv: 00000000/00000000



Show Phase 2

FG1_Y (root) # diagnose vpn tunnel list name PHASE2-NAME
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=PHASE2-NAME ver=2 serial=56 W.X.Y.Z:0->W.X.Y.Z:0 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=3 child_num=0 refcnt=11 ilast=9 olast=2614 ad=/0
stat: rxp=104 txp=3 rxb=13216 txb=360
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=PHASE2-NAME proto=0 sa=1 ref=2 serial=4 auto-negotiate
  src: 0:W.X.Y.Z/255.255.255.0:0
  dst: 0:W.X.Y.Z/255.255.255.255:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=382/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3299/3600
  dec: spi=7e8873be esp=aes key=32 9d03ca1145X0ecaf0f51d01ec0472c604807c58fcb7305a9897411b10c952963
       ah=sha256 key=32 34907b4901f94932b77e9f4a24fd00x4bc352eaef4318420ffbcc3472023ef45
  enc: spi=317be9ff esp=aes key=32 7bdd92d3d641d5e6de0599X346928c5f442d44b432dfba976de9db5adaa3b70e
       ah=sha256 key=32 4ebfc770d6dc3f2c8921e1b4x97f05a14fa763844e957b40d8deae7e8e5e64c9
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=91.199.11.249 npu_lgwy=W.X.Y.Z npu_selid=193 dec_npuid=0 enc_npuid=0
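
Reading the two listings above by eye is fine for one tunnel; the following added example (not from the original wiki page) parses the triage fields out of both outputs, classifies the tunnel state, and masks the SA key material that both commands print, so that a capture can be shared in a ticket. The samples are constructed and abbreviated from the outputs quoted above, with placeholder addresses and shortened keys; the `phase1-down` / `dpd-unanswered` / `phase2-no-sa` / `phase2-sa-idle` labels are this example's own.

```python
import re
# Constructed samples (placeholder addresses, shortened keys), abbreviated from the two CLI outputs quoted above.
PHASE1_OUT = """name: PHASE1-NAME
IKE SA: created 1/1  established 1/1  time 30/30/30 ms
IPsec SA: created 0/0
  key: f18d6e8eec37e002-cbe6bb2c6dcba0ea
  DPD sent/recv: 00000000/00000000
"""
PHASE2_OUT = """name=PHASE2-NAME ver=2 serial=56 203.0.113.1:0->198.51.100.2:0
stat: rxp=104 txp=3 rxb=13216 txb=360
proxyid=PHASE2-NAME proto=0 sa=1 ref=2 serial=4 auto-negotiate
  dec: spi=7e8873be esp=aes key=32 9d03ca1145c0ecaf0f51d01ec0472c60
  enc: spi=317be9ff esp=aes key=32 7bdd92d3d641d5e6de0599c346928c5f
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

def _num(pattern, text, base=10):
    """First capture group of `pattern` as an int, or None if absent."""
    m = re.search(pattern, text)
    return int(m.group(1), base) if m else None

def parse_phase1(text):
    """Triage fields from 'diagnose vpn ike gateway list name <p1>'."""
    return {"ike_established": _num(r"established (\d+)/", text),
            "ipsec_created": _num(r"IPsec SA: created (\d+)/", text),
            "dpd_sent": _num(r"DPD sent/recv: (\w+)/", text, 16),
            "dpd_recv": _num(r"DPD sent/recv: \w+/(\w+)", text, 16)}

def parse_phase2(text):
    """Triage fields from 'diagnose vpn tunnel list name <p2>'."""
    return {"sa": _num(r"\bsa=(\d+)", text),
            "dec_pkts": _num(r"dec:pkts/bytes=(\d+)/", text),
            "enc_pkts": _num(r"enc:pkts/bytes=(\d+)/", text)}

def triage(p1, p2):
    """Classify tunnel state from both parsed outputs; returns a list of findings."""
    findings = []
    if not p1["ike_established"]:
        findings.append("phase1-down")          # IKE SA never came up
    elif p1["dpd_sent"] and not p1["dpd_recv"]:
        findings.append("dpd-unanswered")       # peer silent on DPD
    if not p2["sa"]:
        findings.append("phase2-no-sa")         # selector has no IPsec SA
    elif p2["dec_pkts"] == 0 and p2["enc_pkts"] == 0:
        findings.append("phase2-sa-idle")       # SA up, no ESP traffic yet
    return findings

def redact_keys(text):
    """Mask SA key material (key: ... / key=32 ...) before sharing the output."""
    return re.sub(r"(\bkey[:=](?:\s*\d+)?\s+)[0-9a-fA-F-]+", r"\1<redacted>", text)
```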


COMMAND: diagnose debug enable

The debug command step by step:


Show Log With Timestamp

diagnose debug console timestamp enable


Set the protocol ike and the remote IP

diagnose vpn ike log-filter dst-addr4 [IP]


Enable IKE debugging mode

diagnose debug application ike -1


Launching The Debug Session

diagnose debug enable


All The Command Lines In One Block

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 [IP]
diagnose debug application ike -1
diagnose debug enable



!!! DON'T FORGET TO STOP THE DEBUGGING SESSION SO AS NOT TO EXHAUST THE PROCESSOR(S)



Disable The Running Debug Session

diagnose debug disable


Reset The Debug Session

diagnose debug reset


Kill An IPsec Phase 1

diagnose vpn ike gateway clear name <phase-1-name>


Kill One Phase 2 Of An IPsec VPN

diagnose vpn tunnel flush <phase-2-name>


Kill All Phase 2s Of An IPsec VPN With NAT-T And DPD Reset

diagnose vpn tunnel reset tunnel-name <phase-1-name>


Trace The Flow

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter addr <REMOTE-IP>
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable

Or:

diagnose debug disable
diagnose debug reset
diagnose debug flow filter addr <REMOTE-IP>
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable