Re: how to check VPN phase 1 and phase 2 status?

yoganand_i · ‎2017-07-09

regarding VPN status

PhoneBoy · ‎2017-07-09

If the VPN is working, Phase 1 and Phase 2 are ok

If it's not, then you will see errors in your logs that you can search SecureKnowledge on.

For more details on how to debug VPN issues in general refer to the following SK: Debugging Site-to-Site VPN

Anthony_Joubai1 · ‎2019-04-03

old question 🙂

the best way to see your phase 1/2 exchange is :

expert# tcpdump -nni any port 500 or esp and host <enter_peer_ip_here>

as a result, you gonna see all exchange phase 1 /2 and at the end, ESP packet.

Example here:

09:34:35.072323 IP myfirewall.500 > remote_peer.500: 500: phase 1 I ident
09:34:35.073360 IP remote_peer.500 > myfirewall.500: 500: phase 1 R ident
09:34:35.077227 IP myfirewall.500 > remote_peer.500: 500: phase 1 I ident
09:34:35.077860 IP remote_peer.500 > myfirewall.500: 500: phase 1 R ident
09:34:35.081169 IP myfirewall.500 > remote_peer.500: 500: phase 1 I ident[E]
09:34:35.082911 IP remote_peer.500 > myfirewall.500: 500: phase 1 R ident[E]
09:34:35.087150 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]
09:34:35.088244 IP remote_peer.500 > myfirewall.500: 500: phase 2/others R oakley-quick[E]
09:34:35.092133 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]
09:34:35.193893 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]
09:34:35.294641 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]

If everything has passed properly, then traffic will be encapsulated on ESP (tunnel is ok !)
09:34:35.392787 IP myfirewall > remote_peer: ESP(spi=0xce551c74,seq=0x1), length 132
09:34:35.394247 IP remote_peer > myfirewall: ESP(spi=0x36e53874,seq=0x1), length 132
09:34:36.070891 IP myfirewall > remote_peer: ESP(spi=0xce551c74,seq=0x2), length 132
09:34:36.071546 IP remote_peer > myfirewall: ESP(spi=0x36e53874,seq=0x2), length 132
09:34:37.072979 IP myfirewall > remote_peer: ESP(spi=0xce551c74,seq=0x3), length 132

their is also

vpn tu tlist on R80.+ which is cooooool !!

regards,

Anthony

olaogunjebe · ‎2021-01-27

Hello

I have a VPN with a Cisco peer, and have the same problem

14:13:24.897490 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx.500: isakmp: phase 1 I agg
14:13:26.882521 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 I agg
14:13:30.896979 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 I agg
14:13:34.901283 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 I agg
14:13:38.885444 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 I agg
14:13:42.904976 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 I agg
14:13:46.896199 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 I agg
14:14:01.694498 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 1 I ident
14:14:01.757853 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 R ident
14:14:01.766063 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 1 I ident
14:14:01.842451 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 R ident
14:14:01.852741 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 1 I ident[E]
14:14:01.935029 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 1 R ident[E]
14:14:01.945373 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 2/others I oakley-quick[E]
14:14:02.016005 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 2/others R oakley-quick[E]
14:14:02.045359 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 2/others I oakley-quick[E]
14:14:06.539555 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x1), length 104
14:14:11.539545 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x2), length 104
14:14:16.539582 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x3), length 104
14:14:21.662232 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 2/others R oakley-quick[E]
14:14:21.674251 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 2/others I inf[E]
14:14:48.380437 IP 1xx.xx.xx.xx > xx.xx.xx.xx: ESP(spi=0x5a548277,seq=0x4), length 104
14:14:53.039742 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x5), length 104
14:14:58.039834 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x6), length 104
14:15:03.039855 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x7), length 104
14:15:08.039815 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x8), length 104
14:15:13.039907 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x9), length 104
14:15:18.039974 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0xa), length 104
14:15:23.039940 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0xb), length 104
14:15:28.040068 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0xc), length 104
14:15:28.640768 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 2/others R oakley-quick[E]
14:15:28.653037 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 2/others I inf[E]
14:15:33.040085 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0xd), length 104
14:15:38.040181 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0xe), length 104
14:15:43.040204 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0xf), length 104
14:15:48.040210 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x10), length 104
14:15:53.040174 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x11), length 104
14:15:58.040304 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x12), length 104
14:16:03.040254 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x13), length 104
14:16:08.040202 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x14), length 104
14:16:13.040346 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x15), length 104
14:16:18.040297 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x16), length 104
14:16:23.040388 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x17), length 104
14:16:28.040484 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x18), length 104
14:16:33.040527 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x19), length 104
14:16:35.630387 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 2/others R oakley-quick[E]
14:16:35.642437 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 2/others I inf[E]
14:16:38.040438 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x1a), length 104
14:16:43.040500 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x1b), length 104
14:16:48.040565 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x1c), length 104
14:17:29.879937 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x1d), length 104
14:17:31.050657 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x1e), length 104
14:17:32.540832 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x1f), length 104
14:17:34.040848 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x20), length 104
14:17:35.540909 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x21), length 104
14:17:37.040889 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x22), length 104
14:17:38.540956 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x23), length 104
14:17:40.041103 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x24), length 104
14:17:41.540915 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x25), length 104
14:17:42.492964 IP xx.xx.xx.6.500 > 1xx.xx.xx.xx..500: isakmp: phase 2/others R oakley-quick[E]
14:17:42.504791 IP 1xx.xx.xx.xx.500 > xx.xx.xx.6.500: isakmp: phase 2/others I inf[E]
14:17:43.040960 IP 1xx.xx.xxx.xxx > xx.xxx.xx.xx: ESP(spi=0x5a548277,seq=0x26), length 104
14:

Are you a member of CheckMates?

how to check VPN phase 1 and phase 2 status?