How to generate a valid ike debug, vpn debug and fw monitor


It is very helpful to gather the IKE information in both directions by having both endpoints initiate communications at different times so you can see what each machine proposes to the other and then reconcile the differences. Generate debugs for ike and vpnd on both endpoints.

These debugs are valid for VPN connections between SecureClient and Security Gateways, as well as for site to site VPN connections.
Note: This article is also relevant for site to site VPN with 3rd Party Security Gateways.

Follow the steps below to generate debug information:

Note: For SecurePlatform you must be logged in as Expert.
  1. Initiate vpn debug on both Security Gateways from the CLI:

    # vpn debug trunc

    Notes:

    • # vpn debug trunc initiates both vpn debug and ike debug. # vpn debug on only initiates vpn debug.
    • If you need the level of detail provided by TDERROR_ALL_ALL=5, then you need to run: vpn debug on TDERROR_ALL_ALL=5.
  2. Initiate packet capture on both Security Gateways (or tcpdump, or Wireshark pcap):

    Note: You can press "Alt + F1" to open a second terminal, or open a second ssh session, or (for Windows) open a second command prompt.

    # fw monitor -e "accept;" -o monitor.out

    or

    # fw monitor -e "accept sport=500 or dport=500;" -o monitor.out

    Note: Since VPN-1 Pro NGX R60, you can also run

    # fw monitor -e "accept port(500) or port(4500);" -o monitor.out

    or

    # vpn debug mon

    If you run # vpn debug mon, the output file is ikemonitor.snoop. In this output file all the IKE payloads are in clear, whereas in monitor.out the IKE payloads are encrypted.
  3. Run vpn tu.

    Note: Before running vpn tu, kill all traffic over the VPN.
  4. Then select the option that reads "Delete all IPsec+IKE SAs for a given peer (GW)".
  5. Enter your remote Security Gateway IP address.
  6. Exit the utility.

    Important: This procedure closes open VPN tunnels. This is useful because the next time communication is attempted, you will capture the VPN tunnel creation information. Be aware that existing VPN tunnels with this remote peer will be closed and will have to be re-established. This is especially important in a production environment.
  7. Reproduce the issue, attempt to connect FROM YOUR NETWORK to a device in the remote encryption domain. This initiates the tunnel.
  8. Run vpn tu.

    Note: Before running vpn tu, kill all traffic over the VPN.
  9. Then select the option that reads "Delete all IPsec+IKE SAs for a given peer (GW)".
  10. Enter your remote Security Gateway IP address.
  11. Exit the utility.
  12. Reproduce the issue, attempt to connect FROM THE REMOTE NETWORK to a device in the local encryption domain. This initiates the tunnel.
  13. Stop vpn debug on both Security Gateways:

    # vpn debug off

    # vpn debug ikeoff


    Notes:

    • If you used vpn debug on TDERROR_ALL_ALL=5, you only have to run # vpn debug off.
    • If you run # vpn debug mon, you need to run # vpn debug moff.
  14. Stop packet capture by pressing "CTRL+C".
  15. Review the following log and capture files with your debugging tools:

    • $FWDIR/log/ike.elg
    • $FWDIR/log/vpnd.elg
    • monitor.out
    • ikemonitor.snoop
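A small post-processing script for monitor.out, added here as an example; it is not part of the original article or of Check Point's own tooling. It assumes the classic two-line fw monitor text format (a header such as `eth0:i[76]: 192.0.2.1 -> 198.51.100.1 (UDP) len=76 id=1001` followed by a ports line such as `UDP: 500 -> 500`); the gateway and peer addresses and the capture text below are constructed sample data. The script pulls out the UDP 500/4500 packets, reports which side sent the first IKE packet (the initiator, provided the capture was started before the SAs were deleted with vpn tu as in the steps above), and flags any IKE flow that reached one inspection point but not its partner (seen at i but never at I, or at o but never at O), which is the quickest way to separate a packet dropped on this gateway from one the peer never sent.

```python
import re
from collections import defaultdict

# Header line of a classic fw monitor record, e.g.
#   eth0:i[76]: 192.0.2.1 -> 198.51.100.1 (UDP) len=76 id=1001
# An optional "[vs_0][fw_0] " style prefix from newer builds is tolerated.
HEADER_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)*(?P<ifc>\S+?):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)"
)
# Second line of a TCP/UDP record carries the ports, e.g. "UDP: 500 -> 500"
PORTS_RE = re.compile(r"^(?P<proto>TCP|UDP):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")

IKE_PORTS = {500, 4500}   # IKE and IKE over NAT-T
ALL_POINTS = "iIoO"       # pre-inbound, post-inbound, pre-outbound, post-outbound

# Constructed sample capture (not real traffic): 192.0.2.1 is the local
# gateway, 198.51.100.1 the remote peer. The peer's NAT-T packet is seen
# at i only, as it would be if the gateway dropped it before the I point.
SAMPLE_MONITOR_OUT = """\
eth0:i[80]: 198.51.100.1 -> 192.0.2.1 (UDP) len=80 id=2001
UDP: 500 -> 500
eth0:I[80]: 198.51.100.1 -> 192.0.2.1 (UDP) len=80 id=2001
UDP: 500 -> 500
eth0:o[76]: 192.0.2.1 -> 198.51.100.1 (UDP) len=76 id=1001
UDP: 500 -> 500
eth0:O[76]: 192.0.2.1 -> 198.51.100.1 (UDP) len=76 id=1001
UDP: 500 -> 500
eth0:i[60]: 203.0.113.5 -> 192.0.2.1 (TCP) len=60 id=3001
TCP: 40000 -> 443 .S.... seq=1 ack=0
eth0:i[92]: 198.51.100.1 -> 192.0.2.1 (UDP) len=92 id=2002
UDP: 4500 -> 4500
"""


def parse_records(text):
    """Pair each header line with the ports line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.groupdict()      # a header without ports (e.g. ICMP) is dropped
            continue
        m = PORTS_RE.match(line)
        if m and pending is not None:
            pending["sport"] = int(m.group("sport"))
            pending["dport"] = int(m.group("dport"))
            records.append(pending)
            pending = None
    return records


def ike_records(records):
    """Keep only UDP packets with an IKE port on either side."""
    return [r for r in records
            if r["proto"] == "UDP"
            and (r["sport"] in IKE_PORTS or r["dport"] in IKE_PORTS)]


def ike_summary(text):
    ike = ike_records(parse_records(text))
    by_flow = defaultdict(set)           # (src, dst, dport) -> inspection points seen
    for r in ike:
        by_flow[(r["src"], r["dst"], r["dport"])].add(r["point"])

    # A flow entering the gateway must show up at both i and I; a flow
    # leaving it at both o and O. Anything else was dropped in between.
    incomplete = {}
    for flow, points in by_flow.items():
        expected = set("iI") if points & set("iI") else set("oO")
        missing = expected - points
        if missing:
            incomplete[flow] = "".join(p for p in ALL_POINTS if p in missing)

    return {
        "ike_packets": len(ike),
        # Sender of the first IKE packet: the initiator, if the capture was
        # already running when the SAs were deleted and traffic restarted.
        "first_ike_sender": ike[0]["src"] if ike else None,
        "flows": {flow: "".join(p for p in ALL_POINTS if p in pts)
                  for flow, pts in by_flow.items()},
        "incomplete": incomplete,
    }


if __name__ == "__main__":
    summary = ike_summary(SAMPLE_MONITOR_OUT)
    print(f"IKE packets: {summary['ike_packets']}, first sent by {summary['first_ike_sender']}")
    for flow, points in summary["flows"].items():
        flag = " (dropped before " + summary["incomplete"][flow] + ")" if flow in summary["incomplete"] else ""
        print(f"  {flow[0]} -> {flow[1]} udp/{flow[2]}: {points}{flag}")
```

Run it against a real capture with `ike_summary(open("monitor.out").read())`; the 4500 flow in the constructed sample is reported as seen at i and missing at I, which is the pattern to look for when the peer's IKE packets arrive but the tunnel never comes up.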
