FORTIGATE - IPsec Debug

From Wiki.IT-Arts.net

[[Category:Post-It]]

Latest revision as of 10:44, 1 May 2024


SERIES OF COMMANDS FOR DEBUGGING AN IPSEC VPN


Show Phase 1 (IKE SA)

The output below prints the IKE SA key on the line labelled "key:"; redact that line before pasting the output into a ticket or an e-mail.

FG1_X (IPSEC-VDOM) # diagnose vpn ike gateway list name PHASE1-NAME

vd: IPSEC-VDOM
name: PHASE1-NAME
version: 1
interface:  0
addr: W.X.Y.Z:500 -> W.X.Y.Z:500
created: 596s ago
IKE SA: created 1/1  established 1/1  time 30/30/30 ms
IPsec SA: created 0/0

  id/spi: 473654 dd6e5150700cf51d/93a0dcbaaaaa8cd4
  direction: initiator
  status: established 596-596s ago = 30ms
  proposal: aes256-sha1
  key: f18d6e8eec37e002-cbe6bb2c6dcba0ea-5b350a09d77dd2a9-209f1dd7937409e6
  lifetime/rekey: 28800/27903
  DPD sent/recv: 00000000/00000000



Show Phase 2 (IPsec SA)

The "dec:" and "enc:" lines below print the ESP encryption and integrity keys ("key=32 ..."); redact them before sharing the output.

FG1_Y (root) # diagnose vpn tunnel list name PHASE2-NAME
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=PHASE2-NAME ver=2 serial=56 W.X.Y.Z:0->W.X.Y.Z:0 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=3 child_num=0 refcnt=11 ilast=9 olast=2614 ad=/0
stat: rxp=104 txp=3 rxb=13216 txb=360
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=PHASE2-NAME proto=0 sa=1 ref=2 serial=4 auto-negotiate
  src: 0:W.X.Y.Z/255.255.255.0:0
  dst: 0:W.X.Y.Z/255.255.255.255:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=382/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3299/3600
  dec: spi=7e8873be esp=aes key=32 9d03ca1145X0ecaf0f51d01ec0472c604807c58fcb7305a9897411b10c952963
       ah=sha256 key=32 34907b4901f94932b77e9f4a24fd00x4bc352eaef4318420ffbcc3472023ef45
  enc: spi=317be9ff esp=aes key=32 7bdd92d3d641d5e6de0599X346928c5f442d44b432dfba976de9db5adaa3b70e
       ah=sha256 key=32 4ebfc770d6dc3f2c8921e1b4x97f05a14fa763844e957b40d8deae7e8e5e64c9
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=W.X.Y.Z npu_lgwy=W.X.Y.Z npu_selid=193 dec_npuid=0 enc_npuid=0
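The two outputs above are what you read first when a tunnel misbehaves, and they are also the two outputs people paste into tickets with the keys still in them. The script below is an added example (not part of the wiki page and not Fortinet code): it parses the Phase 1 and Phase 2 output as laid out in the page's sample (embedded here, trimmed, as constructed test input), reports the fields that matter for troubleshooting (status, proposal, lifetime/rekey, DPD and NAT-T mode, per-selector SA count, SPIs, lifetime and packet counters), flags a few conditions worth a second look, and redacts the key material before the text leaves the device. The health rules (SA missing, SA up with no packets, DPD count non-zero, SHA-1/MD5/DES in the proposal) and the reading of the "count=" field as unanswered DPD probes are this editor's assumptions, not documented Fortinet semantics.

```python
"""Added example (not from the wiki page or Fortinet): parse, assess and redact the outputs above."""
import re

# Constructed test input: the page's own sample output, trimmed to the lines parsed here.
PHASE1_OUTPUT = """\
name: PHASE1-NAME
version: 1
IKE SA: created 1/1  established 1/1  time 30/30/30 ms
  status: established 596-596s ago = 30ms
  proposal: aes256-sha1
  key: f18d6e8eec37e002-cbe6bb2c6dcba0ea-5b350a09d77dd2a9-209f1dd7937409e6
  lifetime/rekey: 28800/27903
  DPD sent/recv: 00000000/00000000
"""
PHASE2_OUTPUT = """\
name=PHASE2-NAME ver=2 serial=56 W.X.Y.Z:0->W.X.Y.Z:0 dst_mtu=1500
proxyid_num=3 child_num=0 refcnt=11 ilast=9 olast=2614 ad=/0
stat: rxp=104 txp=3 rxb=13216 txb=360
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=PHASE2-NAME proto=0 sa=1 ref=2 serial=4 auto-negotiate
  life: type=01 bytes=0/0 timeout=3299/3600
  dec: spi=7e8873be esp=aes key=32 9d03ca1145X0ecaf0f51d01ec0472c604807c58fcb7305a9897411b10c952963
       ah=sha256 key=32 34907b4901f94932b77e9f4a24fd00x4bc352eaef4318420ffbcc3472023ef45
  enc: spi=317be9ff esp=aes key=32 7bdd92d3d641d5e6de0599X346928c5f442d44b432dfba976de9db5adaa3b70e
       ah=sha256 key=32 4ebfc770d6dc3f2c8921e1b4x97f05a14fa763844e957b40d8deae7e8e5e64c9
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""
WEAK_ALGS = {"md5", "sha1", "des", "3des", "null"}  # editor's list, not Fortinet's

def _grab(text, pattern, conv=str):
    """First capture group of pattern in text (multiline mode), converted, or None."""
    m = re.search(pattern, text, re.M)
    return conv(m.group(1)) if m else None

def parse_phase1(text):
    """Fields of one 'diagnose vpn ike gateway list' entry."""
    proposal = _grab(text, r"^\s*proposal:\s*(\S+)") or ""
    return {
        "name": _grab(text, r"^name:\s*(\S+)"),
        "status": _grab(text, r"^\s*status:\s*(\w+)"),
        "proposal": proposal,
        "weak_proposal": bool(WEAK_ALGS & set(proposal.lower().split("-"))),
        "lifetime": _grab(text, r"lifetime/rekey:\s*(\d+)/", int),
        "rekey": _grab(text, r"lifetime/rekey:\s*\d+/(\d+)", int),
    }

def parse_phase2(text):
    """Tunnel-level state plus one dict per proxyid (Phase 2 selector) block."""
    info = {
        "name": _grab(text, r"^name=(\S+)"),
        "proxyid_num": _grab(text, r"proxyid_num=(\d+)", int),
        "dpd_mode": _grab(text, r"dpd: mode=(\S+)"),
        # count= read as the number of unanswered DPD probes so far (assumption)
        "dpd_count": _grab(text, r"dpd: .*?count=(\d+)", int),
        "natt_mode": _grab(text, r"natt: mode=(\S+)"),
        "selectors": [],
    }
    # every line beginning "proxyid=" opens a selector block that runs to the next one
    for block in re.split(r"(?m)^(?=proxyid=)", text)[1:]:
        info["selectors"].append({
            "proxyid": _grab(block, r"^proxyid=(\S+)"),
            "sa": _grab(block, r"^proxyid=.* sa=(\d+)", int),
            "life_timeout": _grab(block, r"timeout=(\d+/\d+)",
                                  lambda s: tuple(int(x) for x in s.split("/"))),
            "dec_spi": _grab(block, r"dec: spi=(\w+)"),
            "enc_spi": _grab(block, r"enc: spi=(\w+)"),
            "esp": _grab(block, r"esp=(\w+)"),
            "integrity": _grab(block, r"ah=(\w+)"),
            "dec_pkts": _grab(block, r"dec:pkts/bytes=(\d+)/", int),
            "enc_pkts": _grab(block, r"enc:pkts/bytes=(\d+)/", int),
        })
    return info

def assess(p1, p2):
    """Health findings as strings; an empty list means nothing stood out."""
    findings = []
    if p1["status"] != "established":
        findings.append(f"Phase 1 {p1['name']}: status {p1['status']}, not established")
    if p1["weak_proposal"]:
        findings.append(f"Phase 1 {p1['name']}: proposal {p1['proposal']} uses a weak algorithm")
    if p2["dpd_count"]:
        findings.append(f"Phase 2 {p2['name']}: DPD count={p2['dpd_count']}, peer may be unresponsive")
    for sel in p2["selectors"]:
        if not sel["sa"]:
            findings.append(f"Phase 2 {sel['proxyid']}: no SA negotiated (sa=0)")
        elif sel["enc_pkts"] == 0 and sel["dec_pkts"] == 0:
            findings.append(f"Phase 2 {sel['proxyid']}: SA up but no packets on it yet")
    return findings

def redact(text):
    """Blank the IKE SA key ('key: ...') and the ESP keys ('key=32 ...') before sharing."""
    text = re.sub(r"^(\s*key:\s*).*$", r"\1<redacted>", text, flags=re.M)
    return re.sub(r"(key=\d+\s+)\S+", r"\1<redacted>", text)

if __name__ == "__main__":
    p1, p2 = parse_phase1(PHASE1_OUTPUT), parse_phase2(PHASE2_OUTPUT)
    print("\n".join(assess(p1, p2) or ["no findings"]), redact(PHASE2_OUTPUT), sep="\n\n")
```

Run against the page's sample it reports two findings: the Phase 1 proposal aes256-sha1 uses SHA-1 for integrity, and the Phase 2 SA is up but its own packet counters are still zero (the tunnel-level rxp/txp counters are non-zero, so traffic went over a previous SA). Feed it the full output of both commands rather than the trimmed sample; the regexes key on field names, not on line positions, so the extra lines are ignored.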


COMMAND : diagnose debug enable

The IKE debug session, step by step:


Show Log With Timestamp

diagnose debug console timestamp enable


Filter IKE debug output to the remote gateway's IPv4 address (without a filter, every tunnel on the unit logs)

diagnose vpn ike log-filter dst-addr4 [IP]


Enable IKE debugging mode

diagnose debug application ike -1


Launch The Debug Session

diagnose debug enable


All The Commands In One Block

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 [IP]
diagnose debug application ike -1
diagnose debug enable



<blockquote> !!! DON'T FORGET TO STOP THE DEBUGGING SESSION, OTHERWISE THE DEBUG OUTPUT WILL EXHAUST THE PROCESSOR(S) !!! </blockquote>



Disable The Running Debug Session

diagnose debug disable


Reset The Debug Session

diagnose debug reset


Clear An IPsec Phase 1 (IKE SA)

diagnose vpn ike gateway clear name <phase-1-name>


Flush One Phase 2 (IPsec SA) Of An IPsec VPN

diagnose vpn tunnel flush <phase-2-name>


Reset All Phase 2 SAs Of An IPsec VPN (Also Resets NAT-T And DPD State)

diagnose vpn tunnel reset tunnel-name <phase-1-name>


Trace The Flow (diagnose debug flow)

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter addr <REMOTE-IP>
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable

Or, the shorter variant:

diagnose debug disable
diagnose debug reset
diagnose debug flow filter addr <REMOTE-IP>
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable