In the IPsec topic, I am continuing with the traceoptions and troubleshooting section. In this post, I will try to explain how I troubleshoot IPsec VPNs, mostly during the initial setup.
One of the challenging parts of JNCIE-SEC must be the troubleshooting part, for which I need to understand which type of error logs are generated under which sort of problems. Because of this, I enabled IKE traceoptions, simulated several types of possible problems and observed the error logs.
But first, let's see what a successful IKE Phase 1 and IKE Phase 2 log looks like.
PS: All errors below are between the IKE peers 192.168.179.2 and 212.45.64.2.
IKE & IPSEC SUCCESSFUL LOG
Phase 1
[Aug 22 20:40:14]ike_calc_mac: Star
[Aug 22 20:40:14]ike_st_i_cert:
[Aug 22 20:40:14]ike_st_i_priva
[Aug 22 20:40:14]ike_st_o_all_done: MESSAGE: Phase 1 { 0xe4d65d2e a7bf1c17 0x498aaa01 01d0dd21 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1
[Aug 22 20:40:14]192.168.179.2:500 (Initiator) <-> 212.45.64.2:500 { e4d65d2e a7bf1c17 498aaa01 01d0dd21 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1
[Aug 22 20:40:14]ike_send_notify: Connected, SA = { e4d65d2e a7bf1c17 - 498aaa01 01d0dd21}, nego = -1
[Aug 22 20:40:14]iked_pm_ike_sa_done: local:192.168.179.2, remote:212.45.64.2 IKEv1
[Aug 22 20:40:14]IKE negotiation done for local:192.168.179.2, remote:212.45.64.2 IKEv1 with status: Error ok
[Aug 22 20:40:14]Added (spi=0xaebf2827, protocol=0) entry to the spi table
[Aug 22 20:40:14]Added (spi=0x3037b766, protocol=0) entry to the spi table
[Aug 22 20:40:14]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
[Aug 22 20:40:14]ike_sa_find_ip_port: Remote = all:500, Found SA = { e4d65d2e a7bf1c17 - 498aaa01 01d0dd21}
[Aug 22 20:40:14]ike_alloc_negotiation: Start, SA = { e4d65d2e a7bf1c17 - 498aaa01 01d0dd21}
[Aug 22 20:40:14]ssh_ike_connect_ipsec: SA = { e4d65d2e a7bf1c17 - 498aaa01 01d0dd21}, nego = 0
[Aug 22 20:40:14]ike_init_qm_negotiation: Start, initiator = 1, message_id = 5aa9f0f2
[Aug 22 20:40:14]ike_st_o_qm_hash_1: Start
[Aug 22 20:40:14]ike_st_o_qm_sa_proposals: Start
[Aug 22 20:40:14]ike_st_o_qm_nonce: Start
[Aug 22 20:40:14]ike_policy_reply_qm_nonce_data_len: Start
[Aug 22 20:40:14]ike_st_o_qm_optional_ke: Start
[Aug 22 20:40:14]ike_st_o_qm_optional_ids: Start
[Aug 22 20:40:14]ike_st_qm_optional_id: Start
[Aug 22 20:40:14]ike_st_qm_optional_id: Start
[Aug 22 20:40:14]ike_st_o_private: Start
[Aug 22 20:40:14]Construction NHTB payload for local:192.168.179.2, remote:212.45.64.2 IKEv1 P1 SA index 8160872 sa-cfg vpn-hub
You can see the "IKE negotiation done" log line here.
Phase 2
[Aug 22 20:40:14]ike_policy_reply_p
[Aug 22 20:40:14]ike_st_o_encr
[Aug 22 20:40:14]<none>:500 (I
[Aug 22 20:49:08]<none>:500 (Responder) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [0] / 0x28e022de } Info; Notification data has attribute list
[Aug 22 20:49:08]<none>:500 (Responder) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [0] / 0x28e022de } Info; Notify message version = 1
[Aug 22 20:49:08]<none>:500 (Responder) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [0] / 0x28e022de } Info; Offending payload type = 145
[Aug 22 20:49:08]<none>:500 (Responder) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [0] / 0x28e022de } Info; Offending payload data offset = 0
[Aug 22 20:49:08]<none>:500 (Responder) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [0] / 0x28e022de } Info; Error text = Incorrect pre-shared key (Invalid next payload value)
[Aug 22 20:49:08]<none>:500 (Responder) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [0] / 0x28e022de } Info; Offending message id = 0x00000000
[Aug 22 20:49:08]<none>:500 (Responder) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [0] / 0x28e022de } Info; Received notify err = Invalid payload type (1) to isakmp sa, delete it
[Aug 22 20:49:08]ike_st_i_private: Start
[Aug 22 20:49:08]ike_send_notify: Connected, SA = { 287c0904 ed0108cf - 1dd10036 f9452830}, nego = 0
[Aug 22 20:49:08]ike_delete_negotiation: Start, SA = { 287c0904 ed0108cf - 1dd10036 f9452830}, nego = 0
[Aug 22 20:49:08]ike_free_negotiation_info: Start, nego = 0
[Aug 22 20:49:08]ike_free_negotiation: Start, nego = 0
[Aug 22 20:49:08]ike_remove_callback: Start, delete SA = { 287c0904 ed0108cf - 1dd10036 f9452830}, nego = -1
[Aug 22 20:49:08]192.168.179.2:500 (Initiator) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [-1] / 0x00000000 } IP; Connection got error = 1, calling callback
[Aug 22 20:49:08]ike_delete_negotiation: Start, SA = { 287c0904 ed0108cf - 1dd10036 f9452830}, nego = -1
[Aug 22 20:49:08]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Aug 22 20:49:08]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Aug 22 20:49:08]ike_sa_delete: Start, SA = { 287c0904 ed0108cf - 1dd10036 f9452830 }
[Aug 22 20:49:08]ike_free_negotiation_isakmp: Start, nego = -1
dh-group
authentication algorithm
encryption algorithm
WARNING!!!: In addition to these mismatches, you will get the same error under the following condition:
if the st0.0 interface isn't created with family inet and/or isn't assigned to a security zone
[Aug 22 20:53:10]ike_st_i_n: Start, d
proposal chosen (14), spi[0..16
800c0001 00060022 ...
0d31547b 7e819258 [0] / 0xf638af05 } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
[Aug 22 20:53:10]ike_st_i_private: Start
[Aug 22 20:53:10]ike_send_notify: Connected, SA = { f39ace76 bde7864a - 0d31547b 7e819258}, nego = 0
[Aug 22 20:53:10]ike_delete_negotiation: Start, SA = { f39ace76 bde7864a - 0d31547b 7e819258}, nego = 0
[Aug 22 20:53:10]ike_free_negotiation_info: Start, nego = 0
[Aug 22 20:53:10]ike_free_negotiation: Start, nego = 0
[Aug 22 20:53:10]ike_remove_callback: Start, delete SA = { f39ace76 bde7864a - 0d31547b 7e819258}, nego = -1
[Aug 22 20:53:10]192.168.179.2:500 (Initiator) <-> 212.45.64.2:500 { f39ace76 bde7864a 0d31547b 7e819258 [-1] / 0x00000000 } IP; Connection got error = 14, calling callback
[Aug 22 20:53:10]ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
[Aug 22 20:53:10]ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
[Aug 22 20:53:10]ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
[Aug 22 20:53:10]IKE negotiation fail for local:192.168.179.2, remote:212.45.64.2 IKEv1 with status: No proposal chosen
[Aug 22 20:53:10] IKEv1 Error : No proposal chosen
[Aug 22 20:53:10]IPSec Rekey for SPI 0x0 failed
[Aug 22 20:53:10]IPSec SA done callback called for sa-cfg vpn-hub local:192.168.179.2, remote:212.45.64.2 IKEv1 with status No proposal chosen
ERROR 3: IKEv1 Error : Timeout
If IKE port 500 (UDP) isn't reachable at the peer, you will get an error like this. Another problem you might encounter is, for example, that you forget to enable the IKE service in a zone on only one peer (e.g. Peer B) while Peer A is still allowing IKE. This means Peer A can't be the initiator but only the responder, because A can't connect to B's IKE port but B can connect to A's.
[Aug 22 20:59:08]KMD_INTERNAL_E
received
[Aug 22 20:59:13]iked_spu_ha_
Authentication algorithm
Encryption algorithm
Note: I had thought that the IPsec lifetime is also something that has to match, but my tests showed a different result. As far as I can see, the peers agree on the lowest lifetime configured, i.e. if peer A has 3600 secs and peer B has 7200 secs, they agree on 3600 secs.
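As an added example (my own script, not code from the original post), the following Python scans IKE traceoptions output for the outcome lines shown above and maps each status to the causes this post lists for it. The sample trace is constructed from the log excerpts in this post, and the cause table is my own summary of the post's findings.

```python
import re

# Constructed sample, modelled on the IKE traceoptions lines shown in this post
# (one success, then a PSK mismatch, a proposal mismatch and a timeout).
SAMPLE_TRACE = """\
[Aug 22 20:40:14]IKE negotiation done for local:192.168.179.2, remote:212.45.64.2 IKEv1 with status: Error ok
[Aug 22 20:49:08]<none>:500 (Responder) <-> 212.45.64.2:500 { 287c0904 ed0108cf 1dd10036 f9452830 [0] / 0x28e022de } Info; Error text = Incorrect pre-shared key (Invalid next payload value)
[Aug 22 20:53:10]IKE negotiation fail for local:192.168.179.2, remote:212.45.64.2 IKEv1 with status: No proposal chosen
[Aug 22 20:53:10] IKEv1 Error : No proposal chosen
[Aug 22 20:59:08] IKEv1 Error : Timeout
"""

# Status text -> the causes this post associates with it (what to check first).
LIKELY_CAUSES = {
    "Error ok": [],
    "Incorrect pre-shared key": ["pre-shared key differs between the peers"],
    "No proposal chosen": ["dh-group mismatch", "authentication algorithm mismatch",
                           "encryption algorithm mismatch",
                           "st0.0 has no family inet or is not in a security zone"],
    "Timeout": ["UDP/500 not reachable at the peer",
                "IKE not enabled in host-inbound-traffic on the peer's zone"],
}

TS_RE = re.compile(r"^\[([^\]]+)\]")
DONE_RE = re.compile(r"IKE negotiation (?:done|fail) for local:(\S+), remote:(\S+) IKEv1\s*with status: (.+)$")
PEER_RE = re.compile(r"(\S+):500 \((?:Initiator|Responder)\) <-> (\S+):500")
TEXT_RE = re.compile(r"(?:Error text = |IKEv1 Error : )(Incorrect pre-shared key|No proposal chosen|Timeout|Error ok)")

def parse_ike_trace(text):
    """One record per negotiation outcome. The same failure is reported by
    several lines within one second (see the post), so consecutive repeats
    of the same status at the same timestamp are collapsed into one record."""
    events = []
    for line in text.splitlines():
        ts_m = TS_RE.match(line)
        ts, body = (ts_m.group(1), line[ts_m.end():]) if ts_m else ("", line)
        local = remote = None
        m = DONE_RE.search(body)
        if m:
            local, remote, status = m.group(1), m.group(2), m.group(3).strip()
        else:
            m = TEXT_RE.search(body)
            if not m:
                continue  # not an outcome line (state-machine chatter etc.)
            status = m.group(1)
            p = PEER_RE.search(body)
            if p:
                local, remote = p.group(1), p.group(2)
        if events and events[-1]["time"] == ts and events[-1]["status"] == status:
            continue
        events.append({"time": ts, "local": local, "remote": remote, "status": status,
                       "ok": status == "Error ok", "causes": LIKELY_CAUSES[status]})
    return events

if __name__ == "__main__":
    for e in parse_ike_trace(SAMPLE_TRACE):
        print(f'{e["time"]} {e["local"]} -> {e["remote"]}: {e["status"]} {e["causes"]}')
```

Run it against a real trace file with "set security ike traceoptions" output by passing the file contents to parse_ike_trace; lines that do not carry an outcome are ignored.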
FLOW Troubleshooting
So far I have done IKE troubleshooting. Now I will do some flow troubleshooting.
I enable traceoptions for the traffic that I am going to generate.
[edit]
root@J23-London# show security flow
traceoptions {
    file ipsec-traf.log size 5m;
    flag basic-datapath;
    packet-filter outgoing-filter {
        protocol icmp;
        source-prefix 55.55.55.1/32;
        destination-prefix 212.45.63.1/32;
    }
    packet-filter incoming-filter {
        protocol icmp;
        source-prefix 212.45.63.1/32;
        destination-prefix 55.55.55.1/32;
    }
    packet-filter outgoing-esp {
        protocol esp;
        source-prefix 192.168.179.2/32;
        destination-prefix 212.45.64.2/32;
    }
}
The first two packet filters will show us the clear-text packets, while outgoing-esp is for the encrypted packets.
Let's send one ICMP packet with 1000 bytes of payload (1008 bytes with the ICMP header).
root@J23-London> ping 212.45
PING 212.45.63.1 (212.45.63.1)
1008 bytes from 212.45.63.1: ic
--- 212.45.63.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 46.204/46.204/46.204/0.000 ms
Now examine the file ipsec-traf.log.
outgoing-filter match
Aug 22 20:01:06 20:01:06.574883:CID-0:RT:<55.5
matched filter outgoing-filter:
The packet with size 1028 (an extra 20 bytes from the IP header) and identification number 3812 matches:
packet [1028] ipid = 3812
The tunnel id is identified for the traffic:
flow_first_get_tun_info: tunnel out 0x577cf0ec, tun id 131073
It hits the flow session with id 1, which is a one-direction ESP session:
root@J23-London> show secu
Session ID: 1, Policy name: N/A,
In: 212.45.64.2/58759 --> 192.
I hope to have covered various scenarios related to traceoptions and troubleshooting of IPsec VPN sessions in this post. In future posts, I will do some more troubleshooting if required.
If you have received any other error which isn't covered here, please do share.
DISCLAIMER: Views expressed in this blog are my own and do not necessarily reflect
those of Juniper Networks