Administration Guide

IPsec related diagnose commands

This section lists IPsec-related diagnose commands, each with sample output.

  • Daemon IKE summary information list: diagnose vpn ike status
    connection: 2/50
    IKE SA: created 2/51  established 2/9  times 0/13/40 ms
    IPsec SA: created 1/13  established 1/7  times 0/8/30 ms
  • IPsec phase1 interface status: diagnose vpn ike gateway list
    vd: root/0
    name: tofgtc
    version: 1
    interface: port13 42
    addr: 173.1.1.1:500 -> 172.16.200.3:500
    created: 4313s ago
    IKE SA: created 1/1  established 1/1  time 10/10/10 ms
    IPsec SA: created 0/0
    
      id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b
      direction: initiator
      status: established 4313-4313s ago = 10ms
      proposal: aes128-sha256
      key: 74aa3d63d88e10ea-8a1c73b296b06578
      lifetime/rekey: 86400/81786
      DPD sent/recv: 00000000/00000000
    
    vd: root/0
    name: to_HQ
    version: 1
    interface: port13 42
    addr: 173.1.1.1:500 -> 11.101.1.1:500
    created: 1013s ago
    assigned IPv4 address: 11.11.11.1/255.255.255.252
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
    
      id/spi: 95 255791bd30c749f4/c2505db65210258b
      direction: initiator
      status: established 1013-1013s ago = 0ms
      proposal: aes128-sha256
      key: bb101b9127ed5844-1582fd614d5a8a33
      lifetime/rekey: 86400/85086
      DPD sent/recv: 00000000/00000010
  • IPsec phase2 tunnel status: diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ----
    name=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0 tun_id=0.0.0.0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_dev 
    proxyid_num=0 child_num=0 refcnt=10 ilast=13544 olast=13544 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    run_tally=0
    ----
    name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0 tun_id=11.101.1.1
    bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu 
    proxyid_num=1 child_num=0 refcnt=13 ilast=10 olast=1112 ad=/0
    stat: rxp=1 txp=4 rxb=152 txb=336
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048
           seqno=5 esn=0 replaywin_lastseq=00000002 itn=0
      life: type=01 bytes=0/0 timeout=42900/43200
      dec: spi=ca64644a esp=aes key=16 6cc873fdef91337a6cf9b6948972c90f
           ah=sha1 key=20 e576dbe3ff92605931e5670ad57763c50c7dc73a
      enc: spi=747c10c8 esp=aes key=16 5060ad8d0da6824204e3596c0bd762f4
           ah=sha1 key=20 52965cbd5b6ad95212fc825929d26c0401948abe
      dec:pkts/bytes=1/84, enc:pkts/bytes=4/608
      npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2
  • Packets encrypted/decrypted counter: diagnose vpn ipsec status
    All ipsec crypto devices in use:
    NP6_0:
        Encryption (encrypted/decrypted)
            null             : 0                0
            des              : 0                0
            3des             : 0                0
            aes              : 0                0
            aes-gcm          : 0                0
            aria             : 0                0
            seed             : 0                0
            chacha20poly1305 : 0                0
        Integrity (generated/validated)
            null             : 0                0
            md5              : 0                0
            sha1             : 0                0
            sha256           : 0                0
            sha384           : 0                0
            sha512           : 0                0

    NP6_1:
        Encryption (encrypted/decrypted)
            null             : 0                0
            des              : 0                0
            3des             : 0                0
            aes              : 337152           46069
            aes-gcm          : 0                0
            aria             : 0                0
            seed             : 0                0
            chacha20poly1305 : 0                0
        Integrity (generated/validated)
            null             : 0                0
            md5              : 0                0
            sha1             : 337152           46069
            sha256           : 0                0
            sha384           : 0                0
            sha512           : 0                0

    NPU Host Offloading:
        Encryption (encrypted/decrypted)
            null             : 0                0
            des              : 0                0
            3des             : 0                0
            aes              : 38               0
            aes-gcm          : 0                0
            aria             : 0                0
            seed             : 0                0
            chacha20poly1305 : 0                0
        Integrity (generated/validated)
            null             : 0                0
            md5              : 0                0
            sha1             : 38               0
            sha256           : 0                0
            sha384           : 0                0
            sha512           : 0                0

    CP8:
        Encryption (encrypted/decrypted)
            null             : 0                0
            des              : 0                0
            3des             : 1337             1582
            aes              : 71               11426
            aes-gcm          : 0                0
            aria             : 0                0
            seed             : 0                0
            chacha20poly1305 : 0                0
        Integrity (generated/validated)
            null             : 0                0
            md5              : 48               28
            sha1             : 1360             12980
            sha256           : 0                0
            sha384           : 0                0
            sha512           : 0                0

    SOFTWARE:
        Encryption (encrypted/decrypted)
            null             : 0                0
            des              : 0                0
            3des             : 0                0
            aes              : 0                0
            aes-gcm          : 0                0
            aria             : 0                0
            seed             : 0                0
            chacha20poly1305 : 0                0
        Integrity (generated/validated)
            null             : 0                0
            md5              : 0                0
            sha1             : 0                0
            sha256           : 0                0
            sha384           : 0                0
            sha512           : 0                0
  • IKE debug output (filtered by destination and source address): diagnose debug application ike -1
    • diagnose vpn ike log-filter dst-addr4 11.101.1.1
    • diagnose vpn ike log-filter src-addr4 173.1.1.1
    # ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message...
    ike 0:to_HQ:101: cookie dff03f1d4820222a/0000000000000000
    ike 0:to_HQ:101: sent IKE msg (agg_i1send): 173.1.1.1:500->11.101.1.1:500, len=912, id=dff03f1d4820222a/0000000000000000
    ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
    ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624
    ike 0:to_HQ:101: initiator: aggressive mode get 1st response...
    ike 0:to_HQ:101: VID RFC 3947 4A131C81070358455C5728F20E95452F
    ike 0:to_HQ:101: VID DPD AFCAD71368A1F1C96B8696FC77570100
    ike 0:to_HQ:101: DPD negotiated
    ike 0:to_HQ:101: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
    ike 0:to_HQ:101: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0204
    ike 0:to_HQ:101: peer supports UNITY
    ike 0:to_HQ:101: VID FORTIGATE 8299031757A36082C6A621DE00000000
    ike 0:to_HQ:101: peer is FortiGate/FortiOS (v0 b0)
    ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
    ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
    ike 0:to_HQ:101: peer identifier IPV4_ADDR 11.101.1.1
    ike 0:to_HQ:101: negotiation result
    ike 0:to_HQ:101: proposal id = 1:
    ike 0:to_HQ:101:   protocol id = ISAKMP:
    ike 0:to_HQ:101:      trans_id = KEY_IKE.
    ike 0:to_HQ:101:      encapsulation = IKE/none
    ike 0:to_HQ:101:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
    ike 0:to_HQ:101:         type=OAKLEY_HASH_ALG, val=SHA2_256.
    ike 0:to_HQ:101:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
    ike 0:to_HQ:101:         type=OAKLEY_GROUP, val=MODP2048.
    ike 0:to_HQ:101: ISAKMP SA lifetime=86400
    ike 0:to_HQ:101: received NAT-D payload type 20
    ike 0:to_HQ:101: received NAT-D payload type 20
    ike 0:to_HQ:101: selected NAT-T version: RFC 3947
    ike 0:to_HQ:101: NAT not detected 
    ike 0:to_HQ:101: ISAKMP SA dff03f1d4820222a/6c2caf4dcf5bab75 key 16:D81CAE6B2500435BFF195491E80148F3
    ike 0:to_HQ:101: PSK authentication succeeded
    ike 0:to_HQ:101: authentication OK
    ike 0:to_HQ:101: add INITIAL-CONTACT
    ike 0:to_HQ:101: sent IKE msg (agg_i2send): 173.1.1.1:500->11.101.1.1:500, len=172, id=dff03f1d4820222a/6c2caf4dcf5bab75
    ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75
    ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
    ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 len=92
    ike 0:to_HQ:101: mode-cfg type 16521 request 0:
    ike 0:to_HQ:101: mode-cfg type 16522 request 0:
    ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=108, id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4
    ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
    ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 len=92
    ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=92, id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295
    ike 0:to_HQ:101: initiating mode-cfg pull from peer
    ike 0:to_HQ:101: mode-cfg request APPLICATION_VERSION
    ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_ADDRESS
    ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_NETMASK
    ike 0:to_HQ:101: mode-cfg request UNITY_SPLIT_INCLUDE
    ike 0:to_HQ:101: mode-cfg request UNITY_PFS
    ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=140, id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f
    ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
    ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f len=172
    ike 0:to_HQ:101: mode-cfg type 1 response 4:0B0B0B01
    ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_ADDRESS 11.11.11.1
    ike 0:to_HQ:101: mode-cfg type 2 response 4:FFFFFFFC
    ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_NETMASK 255.255.255.252
    ike 0:to_HQ:101: mode-cfg received UNITY_PFS 1
    ike 0:to_HQ:101: mode-cfg type 28676 response 28:0A016400FFFFFF000000000000000A016500FFFFFF00000000000000
    ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.100.0/255.255.255.0:0 local port 0
    ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.101.0/255.255.255.0:0 local port 0
    ike 0:to_HQ:101: mode-cfg received APPLICATION_VERSION 'FortiGate-100D v6.0.3,build0200,181009 (GA)'
    ike 0:to_HQ: mode-cfg add 11.11.11.1/255.255.255.252 to 'to_HQ'/58
    ike 0:to_HQ: set oper up
    ike 0:to_HQ: schedule auto-negotiate
    ike 0:to_HQ:101: no pending Quick-Mode negotiations
    ike shrank heap by 159744 bytes
    ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:0
    ike 0:to_HQ:to_HQ: using existing connection
    # ike 0:to_HQ:to_HQ: config found
    ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:500 negotiating
    ike 0:to_HQ:101: cookie dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
    ike 0:to_HQ:101:to_HQ:259: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
    ike 0:to_HQ:101: sent IKE msg (quick_i1send): 173.1.1.1:500->11.101.1.1:500, len=620, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
    ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
    ike 0: IKEv1 exchange=Quick id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 len=444
    ike 0:to_HQ:101:to_HQ:259: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0
    ike 0:to_HQ:101:to_HQ:259: my proposal:
    ike 0:to_HQ:101:to_HQ:259: proposal id = 1:
    ike 0:to_HQ:101:to_HQ:259:   protocol id = IPSEC_ESP:
    ike 0:to_HQ:101:to_HQ:259:   PFS DH group = 14
    ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:to_HQ:101:to_HQ:259:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=SHA1
    ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:to_HQ:101:to_HQ:259:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=SHA1
    ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:to_HQ:101:to_HQ:259:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=SHA2_256
    ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:to_HQ:101:to_HQ:259:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=SHA2_256
    ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_GCM_16 (key_len = 128)
    ike 0:to_HQ:101:to_HQ:259:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=NULL
    ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_GCM_16 (key_len = 256)
    ike 0:to_HQ:101:to_HQ:259:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=NULL
    ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
    ike 0:to_HQ:101:to_HQ:259:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=NULL
    ike 0:to_HQ:101:to_HQ:259: incoming proposal:
    ike 0:to_HQ:101:to_HQ:259: proposal id = 1:
    ike 0:to_HQ:101:to_HQ:259:   protocol id = IPSEC_ESP:
    ike 0:to_HQ:101:to_HQ:259:   PFS DH group = 14
    ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_CBC (key_len = 128)
    ike 0:to_HQ:101:to_HQ:259:      encapsulation = ENCAPSULATION_MODE_TUNNEL
    ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=SHA1
    ike 0:to_HQ: schedule auto-negotiate
    ike 0:to_HQ:101:to_HQ:259: replay protection enabled
    ike 0:to_HQ:101:to_HQ:259: SA life soft seconds=42902.
    ike 0:to_HQ:101:to_HQ:259: SA life hard seconds=43200.
    ike 0:to_HQ:101:to_HQ:259: IPsec SA selectors #src=1 #dst=1
    ike 0:to_HQ:101:to_HQ:259: src 0 4 0:0.0.0.0/0.0.0.0:0
    ike 0:to_HQ:101:to_HQ:259: dst 0 4 0:0.0.0.0/0.0.0.0:0
    ike 0:to_HQ:101:to_HQ:259: add IPsec SA: SPIs=ca64644b/747c10c9
    ike 0:to_HQ:101:to_HQ:259: IPsec SA dec spi ca64644b key 16:D5C60F1A3951B288CE4DEC7E04D2119D auth 20:F872A7A26964208A9AA368A31AEFA3DB3F3780BC
    ike 0:to_HQ:101:to_HQ:259: IPsec SA enc spi 747c10c9 key 16:97952E1594F718128D9D7B09400856EA auth 20:4D5E5BC45A9D5A9A4631E911932F5650A4639A37
    ike 0:to_HQ:101:to_HQ:259: added IPsec SA: SPIs=ca64644b/747c10c9
    ike 0:to_HQ:101:to_HQ:259: sending SNMP tunnel UP trap
    ike 0:to_HQ:101: sent IKE msg (quick_i2send): 173.1.1.1:500->11.101.1.1:500, len=76, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
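
The gateway list, tunnel list and IKE debug output above print IKE and IPsec SA keys in clear, so a capture should be scrubbed before it is attached to a ticket or stored in a log platform. The following is an added example, not part of the Administration Guide: it redacts the key fields in the three line formats shown on this page and reports what was negotiated (not merely offered) against a local policy. The function names, the policy set and the sample hex values are made up for the illustration, and it assumes the "incoming proposal:" block holds the peer's selection, as in the initiator-side log above.

```python
import re

# Constructed sample in the line formats shown above (ike debug, tunnel list,
# gateway list). Every hex value here is made up for this example.
SAMPLE = """\
ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message...
ike 0:to_HQ:101:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to_HQ:101:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:to_HQ:101: ISAKMP SA 1111111111111111/2222222222222222 key 16:00112233445566778899AABBCCDDEEFF
ike 0:to_HQ:101:to_HQ:259: my proposal:
ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: incoming proposal:
ike 0:to_HQ:101:to_HQ:259:      trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259:         type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259: IPsec SA dec spi aaaaaaaa key 16:0123456789ABCDEF0123456789ABCDEF auth 20:0123456789ABCDEF0123456789ABCDEF01234567
  dec: spi=aaaaaaaa esp=aes key=16 0123456789abcdef0123456789abcdef
       ah=sha1 key=20 0123456789abcdef0123456789abcdef01234567
  key: 0123456789abcdef-fedcba9876543210
"""

# One pattern per output format; SPIs and IKE cookies are left in place
# because they are needed to correlate lines and are not secret.
KEY_PATTERNS = [
    # ike debug: "key 16:<hex>" and "auth 20:<hex>"
    (re.compile(r"\b(key|auth) (\d+):[0-9A-Fa-f]+"), r"\1 \2:<redacted>"),
    # diagnose vpn tunnel list: "key=16 <hex>"
    (re.compile(r"\bkey=(\d+) [0-9A-Fa-f]+"), r"key=\1 <redacted>"),
    # diagnose vpn ike gateway list: "key: <hex>-<hex>"
    (re.compile(r"\bkey: [0-9A-Fa-f]+(?:-[0-9A-Fa-f]+)+"), "key: <redacted>"),
]

# Local policy (assumption of this example). "SHA1" is the spelling used in
# the output above; the "MD5" spelling is assumed.
LEGACY_INTEGRITY = {"SHA1", "MD5"}


def redact(text):
    """Return (scrubbed_text, number_of_key_fields_replaced)."""
    total = 0
    for pattern, replacement in KEY_PATTERNS:
        text, count = pattern.subn(replacement, text)
        total += count
    return text, total


def audit(text):
    """Return policy findings for negotiated parameters, in log order."""
    findings = []
    aggressive = "aggressive mode" in text
    section = None      # "offered" (my proposal) or "selected" (incoming proposal)
    transform = None    # most recent trans_id seen
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("my proposal:"):
            section = "offered"
        elif stripped.endswith("incoming proposal:"):
            section = "selected"
        trans = re.search(r"trans_id = (\w+)", line)
        if trans:
            transform = trans.group(1)
        attr = re.search(r"type\s*=\s*(\w+), val=(\w+)", line)
        if not attr:
            continue
        kind, val = attr.groups()
        if kind == "AUTH_METHOD" and aggressive and val.startswith("PRESHARED_KEY"):
            findings.append(f"phase1: aggressive mode with {val}")
        elif kind == "OAKLEY_HASH_ALG" and val in LEGACY_INTEGRITY:
            findings.append(f"phase1: legacy hash {val}")
        elif kind == "AUTH_ALG" and section == "selected" and val in LEGACY_INTEGRITY:
            findings.append(f"phase2: {transform} selected with legacy integrity {val}")
    return findings


if __name__ == "__main__":
    scrubbed, replaced = redact(SAMPLE)
    print(scrubbed)
    print(f"{replaced} key fields redacted")
    for finding in audit(scrubbed):
        print("FINDING", finding)
```

Run `audit` on the scrubbed text as well as the raw capture: redaction leaves the proposal lines untouched, so the findings are identical.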
