
how to check VPN phase 1 and phase 2 status?

regarding VPN status


Re: how to check VPN phase 1 and phase 2 status?

If the VPN is working, Phase 1 and Phase 2 are ok 🙂

If it's not, then you will see errors in your logs that you can search SecureKnowledge on.

For more details on how to debug VPN issues in general refer to the following SK: Debugging Site-to-Site VPN 

Re: how to check VPN phase 1 and phase 2 status?

old question 🙂

The best way to see your phase 1/2 exchange is:

expert# tcpdump -nni any port 500 or esp and host <enter_peer_ip_here>

As a result, you are going to see the whole phase 1/2 exchange and, at the end, ESP packets.

Example here:

09:34:35.072323 IP myfirewall.500 > remote_peer.500: 500: phase 1 I ident
09:34:35.073360 IP remote_peer.500 > myfirewall.500: 500: phase 1 R ident
09:34:35.077227 IP myfirewall.500 > remote_peer.500: 500: phase 1 I ident
09:34:35.077860 IP remote_peer.500 > myfirewall.500: 500: phase 1 R ident
09:34:35.081169 IP myfirewall.500 > remote_peer.500: 500: phase 1 I ident[E]
09:34:35.082911 IP remote_peer.500 > myfirewall.500: 500: phase 1 R ident[E]
09:34:35.087150 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]
09:34:35.088244 IP remote_peer.500 > myfirewall.500: 500: phase 2/others R oakley-quick[E]
09:34:35.092133 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]
09:34:35.193893 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]
09:34:35.294641 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]

If everything has passed properly, then traffic will be encapsulated in ESP (tunnel is OK!):
09:34:35.392787 IP myfirewall > remote_peer: ESP(spi=0xce551c74,seq=0x1), length 132
09:34:35.394247 IP remote_peer > myfirewall: ESP(spi=0x36e53874,seq=0x1), length 132
09:34:36.070891 IP myfirewall > remote_peer: ESP(spi=0xce551c74,seq=0x2), length 132
09:34:36.071546 IP remote_peer > myfirewall: ESP(spi=0x36e53874,seq=0x2), length 132
09:34:37.072979 IP myfirewall > remote_peer: ESP(spi=0xce551c74,seq=0x3), length 132

There is also

vpn tu tlist on R80.+, which is cooooool!!

+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.16.0.200 - remote_peer | MSA: ffffc20022ca3030 | i: 0 ref: 3 |
| Methods: ESP Tunnel AES-128 SHA1 | | |
| My TS: 192.168.153.0/24 | | |
| Peer TS: 10.0.0.0/24 | | |
| MSPI: 4 (i: 0, p: - ) | Out SPI: ce551c74 | |
+-----------------------------------------+-----------------------+---------------------+

regards,

Anthony

0 Kudos
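
Added example (not part of Anthony's post or of Check Point tooling): a small Python parser that reads tcpdump text in the IKEv1 format shown above, counts phase 1 and phase 2 messages by initiator/responder role, collects ESP SPIs per sender, and reports where the negotiation stopped. The sample capture is constructed from the post's output, and the function names and verdict strings are assumptions of this example.

```python
import re
from collections import Counter

# Constructed capture in the tcpdump text format shown in the post.
SAMPLE = """\
09:34:35.072323 IP myfirewall.500 > remote_peer.500: 500: phase 1 I ident
09:34:35.073360 IP remote_peer.500 > myfirewall.500: 500: phase 1 R ident
09:34:35.081169 IP myfirewall.500 > remote_peer.500: 500: phase 1 I ident[E]
09:34:35.082911 IP remote_peer.500 > myfirewall.500: 500: phase 1 R ident[E]
09:34:35.087150 IP myfirewall.500 > remote_peer.500: 500: phase 2/others I oakley-quick[E]
09:34:35.088244 IP remote_peer.500 > myfirewall.500: 500: phase 2/others R oakley-quick[E]
09:34:35.392787 IP myfirewall > remote_peer: ESP(spi=0xce551c74,seq=0x1), length 132
09:34:35.394247 IP remote_peer > myfirewall: ESP(spi=0x36e53874,seq=0x1), length 132
"""

IKE = re.compile(r"IP \S+\.500 > \S+\.500: .*?phase (1|2/others) ([IR]) (\S+)")
ESP = re.compile(r"IP (\S+) > \S+: ESP\(spi=(0x[0-9a-fA-F]+),")


def summarize(text):
    """Count IKE messages by (phase, role) and collect ESP SPIs per sender."""
    ike, spis = Counter(), {}
    for line in text.splitlines():
        if m := IKE.search(line):
            phase = "p1" if m.group(1) == "1" else "p2"
            ike[phase, m.group(2)] += 1
            if m.group(3).endswith("[E]"):      # [E] marks an encrypted payload
                ike[phase, "encrypted"] += 1
        elif m := ESP.search(line):
            spis.setdefault(m.group(1), set()).add(m.group(2))
    return ike, spis


def verdict(text):
    """Coarse status; the wording and ordering are this example's own heuristics."""
    ike, spis = summarize(text)
    if len(spis) >= 2:
        return "tunnel up: ESP seen in both directions"
    if len(spis) == 1:
        return "ESP one-way: only %s is sending" % next(iter(spis))
    if ike["p2", "I"] and not ike["p2", "R"]:
        return "phase 2 stalled: quick mode got no response"
    if ike["p2", "R"]:
        return "phase 2 exchanged, no ESP captured yet"
    if ike["p1", "encrypted"]:
        return "phase 1 reached encrypted messages, phase 2 not started"
    if ike["p1", "I"] and not ike["p1", "R"]:
        return "phase 1 stalled: initiator got no response"
    return "no IKE or ESP traffic matched" if not ike else "phase 1 in progress"
```

Save the tcpdump output to a file and pass its contents to `verdict()`. Once NAT-T is negotiated, IKE and ESP continue on UDP 4500, which neither the filter in the post nor these patterns cover.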