FORTIGATE - IPsec Debug
From Wiki.IT-Arts.net
SERIES OF COMMANDS FOR DEBUGGING AN IPSEC VPN
SHOW PHASE 1
FG1_X (IPSEC-VDOM) # diagnose vpn ike gateway list name PHASE1-NAME

vd: IPSEC-VDOM
name: PHASE1-NAME
version: 1
interface: 0
addr: W.X.Y.Z:500 -> W.X.Y.Z:500
created: 596s ago
IKE SA: created 1/1  established 1/1  time 30/30/30 ms
IPsec SA: created 0/0

  id/spi: 473654 dd6e5150700cf51d/93a0dcbaaaaa8cd4
  direction: initiator
  status: established 596-596s ago = 30ms
  proposal: aes256-sha1
  key: f18d6e8eec37e002-cbe6bb2c6dcba0ea-5b350a09d77dd2a9-209f1dd7937409e6
  lifetime/rekey: 28800/27903
  DPD sent/recv: 00000000/00000000
SHOW PHASE 2
FG1_Y (root) # diagnose vpn tunnel list name PHASE2-NAME

list ipsec tunnel by names in vd 0
------------------------------------------------------
name=PHASE2-NAME ver=2 serial=56 W.X.Y.Z:0->W.X.Y.Z:0 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=3 child_num=0 refcnt=11 ilast=9 olast=2614 ad=/0
stat: rxp=104 txp=3 rxb=13216 txb=360
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=PHASE2-NAME proto=0 sa=1 ref=2 serial=4 auto-negotiate
  src: 0:W.X.Y.Z/255.255.255.0:0
  dst: 0:W.X.Y.Z/255.255.255.255:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=382/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3299/3600
  dec: spi=7e8873be esp=aes key=32 9d03ca1145X0ecaf0f51d01ec0472c604807c58fcb7305a9897411b10c952963
       ah=sha256 key=32 34907b4901f94932b77e9f4a24fd00x4bc352eaef4318420ffbcc3472023ef45
  enc: spi=317be9ff esp=aes key=32 7bdd92d3d641d5e6de0599X346928c5f442d44b432dfba976de9db5adaa3b70e
       ah=sha256 key=32 4ebfc770d6dc3f2c8921e1b4x97f05a14fa763844e957b40d8deae7e8e5e64c9
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=91.199.11.249 npu_lgwy=W.X.Y.Z npu_selid=193 dec_npuid=0 enc_npuid=0
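Both listings above are what an engineer pastes into a ticket when a tunnel misbehaves, and both contain live key material (the IKE SA key and the ESP/AH keys). The following Python is an added example, not code from the wiki or from Fortinet: it parses the two listings into dictionaries, redacts the key fields so the output can be shared, and reports the points a reviewer would check first (phase 1 established, IKE version, integrity algorithm in the proposal, ESP packet counters). The sample output is constructed here with RFC 5737 addresses and placeholder keys; it only assumes the field layout shown above.

```python
"""Parse, redact and assess FortiGate IPsec diagnostic output (added example)."""
import re

# Constructed sample in the shape of `diagnose vpn ike gateway list name ...`.
PHASE1_OUTPUT = """\
vd: IPSEC-VDOM
name: PHASE1-NAME
version: 1
interface: 0
addr: 192.0.2.1:500 -> 198.51.100.1:500
created: 596s ago
IKE SA: created 1/1  established 1/1  time 30/30/30 ms
IPsec SA: created 0/0

  id/spi: 473654 0011223344556677/8899aabbccddeeff
  direction: initiator
  status: established 596-596s ago = 30ms
  proposal: aes256-sha1
  key: aaaaaaaaaaaaaaaa-bbbbbbbbbbbbbbbb-cccccccccccccccc-dddddddddddddddd
  lifetime/rekey: 28800/27903
  DPD sent/recv: 00000000/00000000
"""

# Constructed sample in the shape of `diagnose vpn tunnel list name ...`.
PHASE2_OUTPUT = """\
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=PHASE2-NAME ver=2 serial=56 192.0.2.1:0->198.51.100.1:0 dst_mtu=1500
bound_if=0 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
stat: rxp=104 txp=3 rxb=13216 txb=360
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15
proxyid=PHASE2-NAME proto=0 sa=1 ref=2 serial=4 auto-negotiate
  src: 0:10.0.0.0/255.255.255.0:0
  dst: 0:10.1.0.5/255.255.255.255:0
  life: type=01 bytes=0/0 timeout=3299/3600
  dec: spi=7e8873be esp=aes key=32 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
       ah=sha256 key=32 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  enc: spi=317be9ff esp=aes key=32 cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
       ah=sha256 key=32 dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

KEY_LINE = re.compile(r"^(\s*key:\s*)\S+", re.M)   # phase 1: "  key: <hex-hex-...>"
KEY_FIELD = re.compile(r"(key=\d+\s+)\S+")          # phase 2: "key=32 <hex>"


def redact_keys(text):
    """Replace IKE and ESP/AH key material with a marker; SPIs and counters stay."""
    text = KEY_LINE.sub(r"\1<REDACTED>", text)
    return KEY_FIELD.sub(r"\1<REDACTED>", text)


def parse_phase1(text):
    """Turn the 'field: value' lines of a gateway listing into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_phase2(text):
    """Collect key=value tokens (first occurrence wins) plus the per-direction SPIs
    and ESP packet counters of a tunnel listing."""
    info = {}
    for m in re.finditer(r"([A-Za-z_][\w\-\[\]]*)=(\S+)", text):
        info.setdefault(m.group(1), m.group(2).rstrip(","))
    info["spi_dec"] = re.search(r"dec: spi=([0-9a-fA-F]+)", text).group(1)
    info["spi_enc"] = re.search(r"enc: spi=([0-9a-fA-F]+)", text).group(1)
    m = re.search(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+", text)
    info["dec_pkts"] = int(m.group(1)) if m else 0
    info["enc_pkts"] = int(m.group(2)) if m else 0
    return info


def assess(phase1, phase2):
    """Return the review findings for one tunnel, in a fixed order."""
    findings = []
    if not phase1.get("status", "").startswith("established"):
        findings.append("phase 1 not established")
    if phase1.get("version") == "1":
        findings.append("IKEv1 in use")
    proposal = phase1.get("proposal", "")
    if proposal.endswith(("-sha1", "-md5")):
        findings.append("weak integrity algorithm in proposal " + proposal)
    dec, enc = phase2["dec_pkts"], phase2["enc_pkts"]
    if dec == 0 and enc == 0:
        findings.append("SA negotiated but no ESP packets in either direction")
    elif dec == 0 or enc == 0:
        findings.append("one-way ESP traffic: dec_pkts=%d enc_pkts=%d" % (dec, enc))
    return findings


if __name__ == "__main__":
    p1, p2 = parse_phase1(PHASE1_OUTPUT), parse_phase2(PHASE2_OUTPUT)
    print("phase1 %s: %s, proposal %s" % (p1["name"], p1["status"], p1["proposal"]))
    print("phase2 %s: spi dec=%s enc=%s" % (p2["name"], p2["spi_dec"], p2["spi_enc"]))
    for f in assess(p1, p2):
        print(" -", f)
    print(redact_keys(PHASE2_OUTPUT))
```

Run `redact_keys` over the captured text before attaching it to a ticket; the SPIs, counters and addresses that support actually needs survive the redaction, only the key fields are replaced.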
COMMAND: diagnose debug enable
ADDS A TIMESTAMP IN FRONT OF EACH LOG LINE
diagnose debug console timestamp enable
[IP] IS THE REMOTE GATEWAY ADDRESS
diagnose vpn ike log-filter dst-addr4 [IP]
THE DIAGNOSE DEBUG APPLICATION IKE COMMAND
diagnose debug application ike -1
ENABLES THE DEBUG SESSION
diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 [IP]
diagnose debug application ike -1
diagnose debug enable
DISABLES THE RUNNING DEBUG
diagnose debug disable
CLEARS THE RUNNING DEBUG SETTINGS
diagnose debug reset
KILL A PHASE 1 OF AN IPSEC VPN
diagnose vpn ike gateway clear name <phase-1-name>
KILL ALL PHASE 2s OF AN IPSEC VPN
diagnose vpn tunnel flush <phase-1-name>
KILL ALL PHASE 2s OF AN IPSEC VPN, WITH NAT-T AND DPD RESET
diagnose vpn tunnel reset tunnel-name <phase-1-name>
Strace The Flow
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter addr <REMOTE-IP>
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable
Or:
diagnose debug disable
diagnose debug reset
diagnose debug flow filter addr <REMOTE-IP>
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable