Tools for Troubleshooting Fortigate IPSEC Tunnels
March 5th, 2010
It is possible to debug IPsec in FortiOS 3.0 using the commands:
FGT_FRW01# diagnose debug app ike -1 X.X.X.X
FGT_FRW01# diag debug enable
where X.X.X.X is the Remote Gateway IP.
In FortiOS 4.0 the filter must be configured separately:
FGT_FRW01# diagnose vpn ike log-filter ?
clear        erase the current filter
dst-addr4    the IPv4 destination address range to filter by
dst-addr6    the IPv6 destination address range to filter by
dst-port     the destination port range to filter by
interface    interface that IKE connection is negotiated over
list         display the current filter
name         the phase1 name to filter by
negate       negate the specified filter parameter
src-addr4    the IPv4 source address range to filter by
src-addr6    the IPv6 source address range to filter by
src-port     the source port range to filter by
vd           index of virtual domain. 0 matches all
Once the filter has been set, IKE debugs can be started using the commands:
FGT_FRW01# diag debug application ike -1
FGT_FRW01# diag debug enable
Other useful commands to list the IKE and IPsec SAs:
List ike security associations (phase1):
FGT_FRW01# diag vpn gateway list
List IPsec security associations (phase2):
FGT_FRW01# diag vpn tunnel list
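The FortiOS 4.0 steps above, assembled into one session as an added example (not from the original post): the filter is actually applied with the dst-addr4 option shown in the help output, and debugging is switched off and the filter cleared afterwards so the unit is not left logging every IKE exchange. 203.0.113.10 is a placeholder for the remote gateway IP.

```console
FGT_FRW01# diagnose vpn ike log-filter clear
FGT_FRW01# diagnose vpn ike log-filter dst-addr4 203.0.113.10
FGT_FRW01# diagnose vpn ike log-filter list
FGT_FRW01# diagnose debug application ike -1
FGT_FRW01# diagnose debug enable
FGT_FRW01# diagnose vpn gateway list
FGT_FRW01# diagnose vpn tunnel list
FGT_FRW01# diagnose debug disable
FGT_FRW01# diagnose debug reset
FGT_FRW01# diagnose vpn ike log-filter clear
```

Run the two list commands while the debug is enabled so the phase1 and phase2 state can be read alongside the IKE negotiation messages for that one peer; leaving the debug level at -1 without a filter on a busy unit floods the console with every tunnel's traffic.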
Nice article… I had to try and remember this last week, and it would have been nice to have seen this then. Oh well, good work.
When I type “diagnose debug app ike -1 X.X.X.X” at the command line, nothing happens.
Am I missing something?
Josh,
After you set up the debug program with the above command, you have to enable the logging output to the console with
FGT_FRW01# diag debug enable
I have added that to the post to eliminate this confusion.