Tools for Troubleshooting Fortigate IPSEC Tunnels
How to filter IKE & IPSec negotiation output in FortiOS 4.0
It is possible to debug IPSec in FortiOS 3.0 using the command:
# diagnose debug app ike -1 X.X.X.X
where X.X.X.X is the Remote Gateway IP.
a. In FortiOS 4.0 the filter must be configured separately:
# diagnose vpn ike log-filter?
clear erase the current filter
dst-addr4 the IPv4 destination address range to filter by
dst-addr6 the IPv6 destination address range to filter by
dst-port the destination port range to filter by
interface interface that IKE connection is negotiated over
list display the current filter
name the phase1 name to filter by
negate negate the specified filter parameter
src-addr4 the IPv4 source address range to filter by
src-addr6 the IPv6 source address range to filter by
src-port the source port range to filter by
vd index of virtual domain. 0 matches all
b. Once the filter has been set, IKE debugs can be started using the commands:
# diag debug application ike -1
# diag debug enable
Other useful commands to list IKE and IPsec SAs:
List IKE security associations (phase 1):
# diag vpn gateway list
List IPsec security associations (phase 2):
# diag vpn tunnel list
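The complete FortiOS 4.0 sequence, from setting the filter through checking the SAs and switching the debug off again, as an added example (not part of the original article). The remote gateway address 203.0.113.5 is a constructed sample value; the `diagnose debug console timestamp enable` and `diagnose debug reset` commands are assumed to be present on the build in use (check with `diagnose debug ?` if in doubt).

```fortios
# Start from a clean filter, then restrict IKE debug output to the one peer
# under investigation. 203.0.113.5 is a constructed example address.
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 203.0.113.5
# Alternative when several tunnels share one peer address: filter by phase1 name.
# diagnose vpn ike log-filter name <phase1-name>
diagnose vpn ike log-filter list

# Timestamps make it possible to line the trace up with the logs on the peer.
diagnose debug console timestamp enable

# Start the IKE debug at the most verbose level and switch debug output on.
diagnose debug application ike -1
diagnose debug enable

# Trigger the negotiation (for example, send traffic matching the phase 2
# selectors from a host behind the FortiGate), then check the result:
diagnose vpn gateway list
diagnose vpn tunnel list

# Always stop the debug once the trace is captured: a "-1" IKE debug left
# running, especially without a filter, floods the console on a busy gateway.
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear
```

A filtered trace that shows nothing at all usually means the filter does not match the traffic, so `diagnose vpn ike log-filter list` is worth re-checking before assuming the peer never sent a proposal.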
