IPSec Troubleshooting - Using IPSec Debugs
Introduction
This document describes common debugging commands and debugging information used to troubleshoot IPSec issues on Huawei firewalls.
For common solutions to IPSec VPN failures and consulting issues, see Troubleshooting IPSec Issues, which describes a checklist of procedures to try before you begin troubleshooting a connection and contact Huawei Technical Support.
Prerequisites
- It is recommended that you have knowledge of IPSec VPN configuration on Huawei firewalls.
- This document uses Huawei USG6000 series firewalls running V5 as an example. Implementations may differ between products and versions; refer to the documentation for your specific product version.
- In this document, FW is short for firewall.
- In this document, public IP addresses may be used and are for reference only unless otherwise specified.
- The debugging information in this document was created from the firewalls in a specific lab environment. All of the firewalls used in this document started with a default configuration. If your network is live, make sure that you understand the potential impact of any command.
Debugging Commands
The following debugging commands are used to troubleshoot IPSec issues at the different IPSec negotiation phases.
| Command | Command Format | Command Function |
|---|---|---|
| debugging ikev1 | debugging ikev1 { all \| error \| info [ modecfg \| exchange \| dpd \| pki \| backup ] \| packet \| warning } [ slot slot-id cpu cpu-id ]<br>debugging ikev1 filter remote-address ip-address<br>undo debugging ikev1 { all \| error \| info [ modecfg \| exchange \| dpd \| pki \| backup ] \| packet \| warning } [ slot slot-id cpu cpu-id ]<br>undo debugging ikev1 filter remote-address | Displays the packet exchange and the event and state transitions during IKEv1 negotiation. When IPSec negotiation fails, use this command to trace the IKEv1 negotiation and locate the fault. |
| debugging ikev2 | debugging ikev2 { all \| error \| info [ modecfg \| exchange \| dpd \| pki \| backup ] \| packet \| warning } [ slot slot-id cpu cpu-id ]<br>debugging ikev2 filter remote-address ip-address<br>undo debugging ikev2 { all \| error \| info [ modecfg \| exchange \| dpd \| pki \| backup ] \| packet \| warning } [ slot slot-id cpu cpu-id ]<br>undo debugging ikev2 filter remote-address | Displays the packet exchange and the event and state transitions during IKEv2 negotiation. When IPSec negotiation fails, use this command to trace the IKEv2 negotiation and locate the fault. |
| debugging ipsec | debugging ipsec { all \| error \| info \| packet \| warning } [ slot slot-id cpu cpu-id ]<br>debugging ipsec filter remote-address ip-address<br>undo debugging ipsec { all \| error \| info \| packet \| warning } [ slot slot-id cpu cpu-id ]<br>undo debugging ipsec filter remote-address | Displays the IPSec packet exchange and the event and state transitions. When IPSec negotiation fails, use this command to trace the IPSec packets and locate the fault. |
| debugging ipsec-yang | debugging ipsec-yang { all \| error \| info \| warning }<br>undo debugging ipsec-yang { all \| error \| info \| warning } | When IPSec yang packet processing is abnormal, use this command to trace the IPSec yang packets and locate the fault. |
Debugging Information
The following describes the IKE negotiation packet exchange based on debugging information. Figure 1-1 shows the IPSec networking: FW1 is the IKE initiator and FW2 is the IKE responder.
IKEv1 Phase 1 Negotiation
Main mode
During IKEv1 phase 1 negotiation, the main mode uses six messages to implement three bidirectional exchanges.
- The initiator sends an SA payload containing IKE proposals to the responder for IKE proposal negotiation.
Sep 28 2017 21:05:59.550.3+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4686 IKE Packet Contents sent to 2.1.1.1 for message type Send_SA : f317d868 c8f3069a 00000000 00000000 01100200 00000000 000000d0 0d00003c 00000001 00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 8004000e 800b0001 000c0004 00015180 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 0d000014 afcad713 68a1f1c9 6b8696fc 77570100 00000014 48554157 45492d49 4b457631 44534350
The responder receives the SA payload sent from the initiator and parses the IKE proposal.
Sep 28 2017 21:23:39.960.14+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4930 IKE Packet Contents sent to 1.1.1.1 for message type Send_SA : f317d868 c8f3069a 7396dfa0 3f8f51ac 01100200 00000000 000000a8 0d00003c 00000001 00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 8004000e 800b0001 000c0004 00015180 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 0d000014 afcad713 68a1f1c9 6b8696fc 77570100 00000014 48554157 45492d49 4b457631 44534350
IKE_INFO 17:3513 Message from peer 1.1.1.1: validate payload SA
IKE_INFO 17:813 Message from peer 1.1.1.1: Parsing payload PROPOSAL
IKE_INFO 17:813 Message from peer 1.1.1.1: Parsing payload TRANSFORM
IKE_INFO 2:2924 Attribute ENCRYPTION_ALGORITHM value AES_CBC //Encryption algorithm
IKE_INFO 2:2924 Attribute KEY_LENGTH value 256 //Encryption algorithm length
IKE_INFO 2:2924 Attribute HASH_ALGORITHM value SHA2-256 //Authentication algorithm
IKE_INFO 2:2924 Attribute AUTHENTICATION_METHOD value PRE_SHARED //Authentication method
IKE_INFO 2:2924 Attribute GROUP_DESCRIPTION value MODP_1024 //DH key exchange parameter
IKE_INFO 2:2924 Attribute LIFE_TYPE value SECONDS
IKE_INFO 2:2924 Attribute LIFE_DURATION value 86400 //IKE SA lifetime
- The responder searches for the first matching IKE proposal and sends an SA payload containing this accepted IKE proposal to the initiator.
Sep 28 2017 21:23:39.960.14+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4930 IKE Packet Contents sent to 1.1.1.1 for message type Send_SA : f317d868 c8f3069a 7396dfa0 3f8f51ac 01100200 00000000 000000a8 0d00003c 00000001 00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 8004000e 800b0001 000c0004 00015180 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 0d000014 afcad713 68a1f1c9 6b8696fc 77570100 00000014 48554157 45492d49 4b457631 44534350
The initiator receives the SA payload containing an accepted IKE proposal from the responder.
Sep 28 2017 21:05:59.640.3+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4508 IKE Packet Contents received from 2.1.1.1 for message type Recv_SA : f317d868 c8f3069a 7396dfa0 3f8f51ac 01100200 00000000 000000a8 0d00003c 00000001 00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 8004000e 800b0001 000c0004 00015180 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 0d000014 afcad713 68a1f1c9 6b8696fc 77570100 00000014 48554157 45492d49 4b457631 44534350
- The initiator sends the KE_NONCE payload containing key generation information to the responder to exchange DH public keys and random values.
Sep 28 2017 21:05:59.640.17+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4686 IKE Packet Contents sent to 2.1.1.1 for message type Send_KE_NONCE : f317d868 c8f3069a 7396dfa0 3f8f51ac 04100200 00000000 0000017c 0a000104 df472637 7fa66305 d2384b82 b84d4353 68def6ae c4268e3f 67c14e13 806ae6bc 5cc688d4 41a8432b dba680c6 ebda9743 122c7455 f23506e0 48f48f12 c47ec9c7 ded96633 9243bf39 cfc0d4d1 17e90213 6a5f63b8 8515d842 a0700a2e bdb99617 7415fecb c97729df 1da1f800 c5eb8a26 69ac9eb6 8f41b6ee ec7edeed ecc41809 472abea5 77535f28 c00a0b10 ad762132 f46b71f2 ac90f9c4 acb41a85 a7234845 03f436e6 504deb10 61563be5 7272b2d5 9114401a 423b18a4 f0d21ecd bbafc3a1 f28fe579 9341b6ac b21ce40a 97e546c5 213947a6 85d7b0b0 4f1f417b 720277f4 823649ea 419f2e30 ca64b8ac 480f8793 9a145154 bfeba9ac bc9eeb68 752bb8c8 14000014 ab3c6161 89aada4f ddd6d33d 36bdb605 14000024 45adbbf1 55321d99 5b9c9aaf ada3c518 eed6994c 3f45c4d2 696207
The responder receives the KE_NONCE payload from the initiator.
Sep 28 2017 21:23:40.90.12+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4752 IKE Packet Contents received from 1.1.1.1 for message type Recv_KE_NONCE : f317d868 c8f3069a 7396dfa0 3f8f51ac 04100200 00000000 0000017c 0a000104 df472637 7fa66305 d2384b82 b84d4353 68def6ae c4268e3f 67c14e13 806ae6bc 5cc688d4 41a8432b dba680c6 ebda9743 122c7455 f23506e0 48f48f12 c47ec9c7 ded96633 9243bf39 cfc0d4d1 17e90213 6a5f63b8 8515d842 a0700a2e bdb99617 7415fecb c97729df 1da1f800 c5eb8a26 69ac9eb6 8f41b6ee ec7edeed ecc41809 472abea5 77535f28 c00a0b10 ad762132 f46b71f2 ac90f9c4 acb41a85 a7234845 03f436e6 504deb10 61563be5 7272b2d5 9114401a 423b18a4 f0d21ecd bbafc3a1 f28fe579 9341b6ac b21ce40a 97e546c5 213947a6 85d7b0b0 4f1f417b 720277f4 823649ea 419f2e30 ca64b8ac 480f8793 9a145154 bfeba9ac bc9eeb68 752bb8c8 14000014 ab3c6161 89aada4f ddd6d33d 36bdb605 14000024 45adbbf1 55321d99 5b9c9aaf ada3c518 eed6994c 3f45c4d2
- The responder sends the KE_NONCE payload containing key generation information to the initiator to exchange DH public keys and random values.
Sep 28 2017 21:23:40.130.5+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4930 IKE Packet Contents sent to 1.1.1.1 for message type Send_KE_NONCE : f317d868 c8f3069a 7396dfa0 3f8f51ac 04100200 00000000 0000017c 0a000104 7e6d6a34 5c2d75ac 99191319 b70fa1f5 1ef90be5 dd9ce7a3 72212d62 3b2c72f2 63eb8814 d8cbc79d f36f7eca b2a48213 23a1fdd0 88f8d9d9 7ce43440 a575a8fa b7f53fb5 3eaaea9f 697a46c7 c17b8485 862b8d10 5af8408c 4f956aff a9aa2ca7 97dc36ae 8531c1f6 0ce3bc6b b512598b 23310897 c2e7c175 5389cd01 4825f232 5eac6d43 2a0cbd0d eae4dde3 996bed59 d11e8c0c 31d5324b e832228d 7d3df4fa e117a789 3849c861 681ec20e 627dbbdc e6b74a8b 82f19bd8 22be4e35 8cbe07af 62b3bbc7 10c9ab38 5a6d6203 61586945 c6b436d6 d9c786cc e54a4dc4 bf37ef88 d77786a8 af8986d2 25434234 aca11cad 8822f627 ae0b3154 1ba2939b dce25b94 14000014 ab4da180 3e475ced 49674378 13c48755 14000024 76104f49 2e45250e cd0cb85f f02a5cc9 f76f4563 df2874b2 45411b
The initiator receives the KE_NONCE payload from the responder.
Sep 28 2017 21:05:59.800.6+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4508 IKE Packet Contents received from 2.1.1.1 for message type Recv_KE_NONCE : f317d868 c8f3069a 7396dfa0 3f8f51ac 04100200 00000000 0000017c 0a000104 7e6d6a34 5c2d75ac 99191319 b70fa1f5 1ef90be5 dd9ce7a3 72212d62 3b2c72f2 63eb8814 d8cbc79d f36f7eca b2a48213 23a1fdd0 88f8d9d9 7ce43440 a575a8fa b7f53fb5 3eaaea9f 697a46c7 c17b8485 862b8d10 5af8408c 4f956aff a9aa2ca7 97dc36ae 8531c1f6 0ce3bc6b b512598b 23310897 c2e7c175 5389cd01 4825f232 5eac6d43 2a0cbd0d eae4dde3 996bed59 d11e8c0c 31d5324b e832228d 7d3df4fa e117a789 3849c861 681ec20e 627dbbdc e6b74a8b 82f19bd8 22be4e35 8cbe07af 62b3bbc7 10c9ab38 5a6d6203 61586945 c6b436d6 d9c786cc e54a4dc4 bf37ef88 d77786a8 af8986d2 25434234 aca11cad 8822f627 ae0b3154 1ba2939b dce25b94 14000014 ab4da180 3e475ced 49674378 13c48755 14000024 76104f49 2e45250e cd0cb85f f02a5cc9 f76f4563 df2874b2
- The initiator sends the ID_AUTH payload containing its identity and hash authentication information to the responder.
Sep 28 2017 21:05:59.830.6+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4686 IKE Packet Contents sent to 2.1.1.1 for message type Send_ID_AUTH : f317d868 c8f3069a 7396dfa0 3f8f51ac 05100200 00000000 0000004c 0800000c 01000000 01010101 00000024 3b69c54a d8478f81 bd61cf3d 9ee8bf59 32846302 a306e6e2 e3645724 9db520af
The responder receives the ID_AUTH payload from the initiator.
Sep 28 2017 21:23:40.210.9+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4752 IKE Packet Contents received from 1.1.1.1 for message type Recv_ID_AUTH : f317d868 c8f3069a 7396dfa0 3f8f51ac 05100201 00000000 0000004c 0800000c 01000000 01010101 00000024 3b69c54a d8478f81 bd61cf3d 9ee8bf59 32846302 a306e6e2 e3645724 9db520af
- The responder sends the ID_AUTH payload containing its identity and hash authentication information to the initiator.
Sep 28 2017 21:23:40.220.12+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4930 IKE Packet Contents sent to 1.1.1.1 for message type Send_ID_AUTH : f317d868 c8f3069a 7396dfa0 3f8f51ac 05100200 00000000 0000004c 0800000c 01000000 02010101 00000024 ec4df8c8 6b4ec863 36b71e01 57857ef6 20ea5aec 3713bc3e 79867e66 3b489fbe
The initiator receives the ID_AUTH payload from the responder.
Sep 28 2017 21:05:59.890.15+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4508 IKE Packet Contents received from 2.1.1.1 for message type Recv_ID_AUTH : f317d868 c8f3069a 7396dfa0 3f8f51ac 05100201 00000000 0000004c 0800000c 01000000 02010101 00000024 ec4df8c8 6b4ec863 36b71e01 57857ef6 20ea5aec 3713bc3e 79867e66 3b489fbe
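To read the raw hex that `debugging ikev1 packet` prints, the following added example (not Huawei code) decodes the initiator's Send_SA dump above: the 28-byte ISAKMP header, the SA/proposal/transform chain with its phase 1 attributes, and the vendor ID payloads. It also decodes the ID payload so it can read the ID_AUTH dumps, and it rejects a dump that the debug output truncated (as several above are) via the header length check. Payload, exchange and attribute names follow RFC 2408/2409; the vendor ID table is the example's own.

```python
import struct

# Constructed input: the Send_SA hex dump from the main mode log line above.
SEND_SA_HEX = (
    "f317d868 c8f3069a 00000000 00000000 01100200 00000000 000000d0 0d00003c 00000001 "
    "00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 "
    "8004000e 800b0001 000c0004 00015180 0d000014 4a131c81 07035845 5c5728f2 0e95452f "
    "0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 "
    "9579ddcc 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 0d000014 afcad713 68a1f1c9 "
    "6b8696fc 77570100 00000014 48554157 45492d49 4b457631 44534350"
)
# RFC 2408/2409 code points; only the ones needed for phase 1 dumps like the page's are listed.
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY", 13: "VID", 20: "NAT-D"}
EXCHANGE_NAMES = {2: "MAIN_MODE", 4: "AGGRESSIVE", 5: "INFORMATIONAL", 32: "QUICK_MODE"}
ATTR_NAMES = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM", 3: "AUTHENTICATION_METHOD",
              4: "GROUP_DESCRIPTION", 11: "LIFE_TYPE", 12: "LIFE_DURATION", 14: "KEY_LENGTH"}
VALUE_NAMES = {
    "ENCRYPTION_ALGORITHM": {1: "DES_CBC", 5: "3DES_CBC", 7: "AES_CBC"},
    "HASH_ALGORITHM": {1: "MD5", 2: "SHA1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"},
    "AUTHENTICATION_METHOD": {1: "PRE_SHARED", 3: "RSA_SIG"},
    # IANA Group Description values: 2 = 1024-bit MODP, 14 = 2048-bit MODP
    "GROUP_DESCRIPTION": {1: "MODP_768", 2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048"},
    "LIFE_TYPE": {1: "SECONDS", 2: "KILOBYTES"},
}
# Well-known vendor IDs (NAT-T per RFC 3947 and its drafts, DPD per RFC 3706, Cisco Unity).
KNOWN_VIDS = {
    "4a131c81070358455c5728f20e95452f": "NAT-T RFC 3947",
    "90cb80913ebb696e086381b5ec427b1f": "NAT-T draft-ietf-ipsec-nat-t-ike-02",
    "4485152d18b6bbcd0be8a8469579ddcc": "NAT-T draft-ietf-ipsec-nat-t-ike-00",
    "afcad71368a1f1c96b8696fc77570100": "DPD RFC 3706",
    "12f5f28c457168a9702d9fe274cc0100": "Cisco Unity",
}


def parse_attributes(data: bytes) -> dict:
    """ISAKMP data attributes: TV form when the AF bit is set, TLV form otherwise."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, val_or_len = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if af_type & 0x8000:
            value = val_or_len
        else:
            value = int.from_bytes(data[off:off + val_or_len], "big")
            off += val_or_len
        name = ATTR_NAMES.get(af_type & 0x7FFF, af_type & 0x7FFF)
        attrs[name] = VALUE_NAMES.get(name, {}).get(value, value)
    return attrs


def parse_sa(body: bytes) -> dict:
    """Walk SA -> proposal -> transform; each transform carries one offered proposal."""
    doi, situation = struct.unpack("!II", body[:8])
    proposals, off = [], 8
    while off + 8 <= len(body):
        _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        if plen < 8:
            raise ValueError("bad proposal length")
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):  # transform header: next, reserved, length, number, id, reserved2
            _, _, tlen, tnum, tid = struct.unpack("!BBHBB", body[toff:toff + 6])
            transforms.append({"number": tnum, "id": tid,
                               "attributes": parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        off += plen
    return {"doi": doi, "situation": situation, "proposals": proposals}


def parse_packet(hex_dump: str) -> dict:
    """Parse the 28-byte ISAKMP header, then follow the next-payload chain."""
    pkt = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    i_spi, r_spi, ptype, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):  # the debug output cuts long dumps short; refuse to parse those
        raise ValueError(f"header length {length} != dump size {len(pkt)} (truncated dump?)")
    header = {"initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
              "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_NAMES.get(exch, exch),
              "encrypted": bool(flags & 0x01), "message_id": msg_id, "length": length}
    payloads, off = [], 28
    while ptype != 0 and off + 4 <= len(pkt):
        next_type, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = pkt[off + 4:off + plen]
        entry = {"type": PAYLOAD_NAMES.get(ptype, ptype)}
        if ptype == 1:
            entry.update(parse_sa(body))
        elif ptype == 5 and len(body) >= 8 and body[0] == 1:  # ID_IPV4_ADDR: type, proto, port, addr
            entry["identity"] = ".".join(str(b) for b in body[4:8])
        elif ptype == 13:
            printable = all(32 <= b < 127 for b in body)
            entry["vendor_id"] = KNOWN_VIDS.get(body.hex(), body.decode("ascii") if printable else body.hex())
        payloads.append(entry)
        ptype, off = next_type, off + plen
    return {"header": header, "payloads": payloads}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_packet(SEND_SA_HEX), indent=2))
```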
Aggressive mode
During IKEv1 phase 1 negotiation, the aggressive mode uses three messages.
- The initiator sends the SA_KE_NONCE_ID_VID payload containing IKE proposals, key generation information, and its identity to the responder.
Sep 28 2017 21:21:03.960.11+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4686 IKE Packet Contents sent to 2.1.1.1 for message type Send_SA_KE_NONCE_ID_VID : a1588ac6 a6a062d4 00000000 00000000 01100400 00000000 000001f4 0400003c 00000001 00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 8004000e 800b0001 000c0004 00015180 0a000104 e932c0c6 ad23a42e 52150f0e ce602358 12b88390 ea4ec8d3 3b53063b c1e87f8c 1fa61767 f6b4e370 cac38dd7 0515a745 1d01dd83 6ba29a3a 3a9bdc2c 3b061c58 14ce8cab ae289fb4 70f10c3d 7f6d2b13 1e76eeeb c9110651 d6445cd4 1f48d7b4 84112da5 42cb440d dce58d57 6bc2030a 45fa4dd3 c1ec0853 9b66b104 0a87eaea b81aea68 d0e8ff2e 8634a006 2beba703 4259d6ec f9b878aa 6349e8fa e8dc81ee f3b1f752 0fb99206 be7736d3 45c98c7c 2a092112 73efbc93 b7f778b6 1f07f98c 58261a12 99dae705 0374926a 0a3ae551 ea6435fa 04fd2a9a 0a7626a0 e1833473 8e7c1cdf 53f8c1b0 300adde1 c3e5780c 083e6
The responder receives the SA_KE_NONCE_ID_VID payload sent from the initiator and parses the IKE proposal.
Sep 28 2017 21:38:44.370.5+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4752 IKE Packet Contents received from 1.1.1.1 for message type Recv_SA_KE_NONCE_ID_VID : a1588ac6 a6a062d4 00000000 00000000 01100400 00000000 000001f4 0400003c 00000001 00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 8004000e 800b0001 000c0004 00015180 0a000104 e932c0c6 ad23a42e 52150f0e ce602358 12b88390 ea4ec8d3 3b53063b c1e87f8c 1fa61767 f6b4e370 cac38dd7 0515a745 1d01dd83 6ba29a3a 3a9bdc2c 3b061c58 14ce8cab ae289fb4 70f10c3d 7f6d2b13 1e76eeeb c9110651 d6445cd4 1f48d7b4 84112da5 42cb440d dce58d57 6bc2030a 45fa4dd3 c1ec0853 9b66b104 0a87eaea b81aea68 d0e8ff2e 8634a006 2beba703 4259d6ec f9b878aa 6349e8fa e8dc81ee f3b1f752 0fb99206 be7736d3 45c98c7c 2a092112 73efbc93 b7f778b6 1f07f98c 58261a12 99dae705 0374926a 0a3ae551 ea6435fa 04fd2a9a 0a7626a0 e1833473 8e7c1cdf 53f8c1b0 300adde1 c3e5780c
IKE_INFO 17:3513 Message from peer 1.1.1.1: validate payload SA
IKE_INFO 17:813 Message from peer 1.1.1.1: Parsing payload PROPOSAL
IKE_INFO 17:813 Message from peer 1.1.1.1: Parsing payload TRANSFORM
IKE_INFO 2:2924 Attribute ENCRYPTION_ALGORITHM value AES_CBC //Encryption algorithm
IKE_INFO 2:2924 Attribute KEY_LENGTH value 256 //Encryption algorithm length
IKE_INFO 2:2924 Attribute HASH_ALGORITHM value SHA2-256 //Authentication algorithm
IKE_INFO 2:2924 Attribute AUTHENTICATION_METHOD value PRE_SHARED //Authentication method
IKE_INFO 2:2924 Attribute GROUP_DESCRIPTION value MODP_1024 //DH key exchange parameter
IKE_INFO 2:2924 Attribute LIFE_TYPE value SECONDS
IKE_INFO 2:2924 Attribute LIFE_DURATION value 86400 //IKE SA lifetime
- The responder searches for the first matching IKE proposal and sends the SA_KE_NONCE_ID_VID_NATD_AUTH payload containing this accepted IKE proposal, key generation information, its identity, and authentication information to the initiator.
Sep 28 2017 21:38:44.420.6+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4930 IKE Packet Contents sent to 1.1.1.1 for message type Send_SA_KE_NONCE_ID_VID_NATD_AUTH : a1588ac6 a6a062d4 60fd9a0c d0d75e72 01100400 00000000 00000238 0400003c 00000001 00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 8004000e 800b0001 000c0004 00015180 0a000104 a0bd8569 a2ec9c8e 66509d14 11cdf928 a165526e 6866be8e 846becb3 fe0e9aec 0eef08e4 4b3209b3 45e38d39 5e3c84b5 50025fa9 0352a987 f4b26ec5 49981fcd d07040cd 031f1829 460eaa77 8e3e69d6 b9dba239 889e2708 96f0473f de5867fe 6f5ca16b 00ab7133 4c864f03 aab59f1c 0e3f369c 78f73985 c9862cea 0dda80d7 21451b5b 7cbea87e 7585dd89 2f6795e7 2c06cc0a a4846da0 ced85686 75c51116 173fb7d8 8fe8f460 e66bedcc 67afd20f 90b15ba2 557f9fb6 c0929fc6 d8618b64 054bcdc9 b3e3762e 0d130bcb d1977450 3d64bdb9 cb2587b5 f87a97dc 561e78e4 876e0d45 b68a8ca6 0b3ef91c ac3d
The initiator receives the SA_KE_NONCE_ID_VID_NATD_AUTH payload from the responder.
Sep 28 2017 21:21:04.100.10+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4508 IKE Packet Contents received from 2.1.1.1 for message type Recv_SA_KE_NONCE_ID_VID_NATD_AUTH : a1588ac6 a6a062d4 60fd9a0c d0d75e72 01100400 00000000 00000238 0400003c 00000001 00000001 00000030 01010001 00000028 00010000 80010007 800e0100 80020004 80030001 8004000e 800b0001 000c0004 00015180 0a000104 a0bd8569 a2ec9c8e 66509d14 11cdf928 a165526e 6866be8e 846becb3 fe0e9aec 0eef08e4 4b3209b3 45e38d39 5e3c84b5 50025fa9 0352a987 f4b26ec5 49981fcd d07040cd 031f1829 460eaa77 8e3e69d6 b9dba239 889e2708 96f0473f de5867fe 6f5ca16b 00ab7133 4c864f03 aab59f1c 0e3f369c 78f73985 c9862cea 0dda80d7 21451b5b 7cbea87e 7585dd89 2f6795e7 2c06cc0a a4846da0 ced85686 75c51116 173fb7d8 8fe8f460 e66bedcc 67afd20f 90b15ba2 557f9fb6 c0929fc6 d8618b64 054bcdc9 b3e3762e 0d130bcb d1977450 3d64bdb9 cb2587b5 f87a97dc 561e78e4 876e0d45 b68a8ca6 0b3ef91
- The initiator sends the NATD_AUTH payload containing authentication information to the responder.
Sep 28 2017 21:21:04.140.3+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4686 IKE Packet Contents sent to 2.1.1.1 for message type Send_NATD_AUTH : a1588ac6 a6a062d4 60fd9a0c d0d75e72 14100400 00000000 00000088 14000024 f4cc10b9 7b1188c7 c16262a0 a09d5ffb 081754a1 35112614 588dbea3 65fa8099 08000024 877f64e2 d1475aab 08081f20 0d4ba079 cdb78f79 0a70b6b8 9385f12b 9de1c9ab 00000024 f74224a0 14d354e2 6a999f6b 626b158c 71d23e63 80cc8463 cba6eeae 51638100
The responder receives the NATD_AUTH payload from the initiator.
Sep 28 2017 21:38:44.540.13+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4752 IKE Packet Contents received from 1.1.1.1 for message type Responder_recv_NATD_AUTH : a1588ac6 a6a062d4 60fd9a0c d0d75e72 14100401 00000000 00000088 14000024 f4cc10b9 7b1188c7 c16262a0 a09d5ffb 081754a1 35112614 588dbea3 65fa8099 08000024 877f64e2 d1475aab 08081f20 0d4ba079 cdb78f79 0a70b6b8 9385f12b 9de1c9ab 00000024 f74224a0 14d354e2 6a999f6b 626b158c 71d23e63 80cc8463 cba6eeae 51638100 00000000
IKEv1 Phase 2 Negotiation
During IKEv1 phase 2 negotiation, only three messages are used.
- The initiator sends the HASH_SA_NONCE payload containing IPSec proposals, its identity, and authentication information to the responder.
Sep 28 2017 21:21:04.160.5+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4686 IKE Packet Contents sent to 2.1.1.1 for message type Send_HASH_SA_NONCE : a1588ac6 a6a062d4 60fd9a0c d0d75e72 08102000 2e398765 000000b8 01000024 a385a80b ae4d3d24 3e63ad1d c749c575 ec522e64 ed8d91ea 5fd1c0d3 52f00bd9 0a000044 00000001 00000001 00000038 01030401 00d7609a 0000002c 010c0000 80010001 00020004 00000e10 80010002 00020004 001c2000 80040001 80050005 80060080 05000014 65426071 2d47e2a9 045c83bd 21534540 05000010 04000000 0a010100 ffffff00 00000010 04000000 0a010200 ffffff00
The responder receives the HASH_SA_NONCE payload sent from the initiator and parses the IPSec proposal.
Sep 28 2017 21:38:44.600.3+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4752 IKE Packet Contents received from 1.1.1.1 for message type Recv_HASH_SA_NONCE : a1588ac6 a6a062d4 60fd9a0c d0d75e72 08102001 2e398765 000000b8 01000024 a385a80b ae4d3d24 3e63ad1d c749c575 ec522e64 ed8d91ea 5fd1c0d3 52f00bd9 0a000044 00000001 00000001 00000038 01030401 00d7609a 0000002c 010c0000 80010001 00020004 00000e10 80010002 00020004 001c2000 80040001 80050005 80060080 05000014 65426071 2d47e2a9 045c83bd 21534540 05000010 04000000 0a010100 ffffff00 00000010 04000000 0a010200 ffffff00 00000000
IKE_INFO 17:2267 Proposal No: 1 Protocol ID: IPSEC_ESP //Security protocol type
IKE_INFO 2:1997 ENCRYPTION ALGORITHM: AES //Encryption algorithm
IKE_INFO 2:2924 Attribute SA_LIFE_TYPE value SECONDS
IKE_INFO 2:2924 Attribute SA_LIFE_DURATION value 3600 //Time-based IPSec SA lifetime
IKE_INFO 2:2924 Attribute SA_LIFE_TYPE value KILOBYTES
IKE_INFO 2:2924 Attribute SA_LIFE_DURATION value 1843200 //Traffic-based IPSec SA lifetime
IKE_INFO 2:2924 Attribute ENCAPSULATION_MODE value TUNNEL //Encapsulation mode
IKE_INFO 2:2924 Attribute AUTHENTICATION_ALGORITHM value SHA_256 //Authentication algorithm
IKE_INFO 2:2924 Attribute KEY_LENGTH value 256 //Encryption algorithm length
- The responder searches for the first matching IPSec proposal and sends the HASH_SA_NONCE payload containing this accepted IPSec proposal, its identity, and authentication information to the initiator.
Sep 28 2017 21:38:44.630.10+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4930 IKE Packet Contents sent to 1.1.1.1 for message type Send_HASH_SA_NONCE : a1588ac6 a6a062d4 60fd9a0c d0d75e72 08102000 2e398765 000000b8 01000024 4ae6231b 8ecc7d32 6b652050 1287c765 9ad89e4a 31a9c0bc e0047c96 b7d0bf7f 0a000044 00000001 00000001 00000038 01030401 00cd88b8 0000002c 010c0000 80010001 00020004 00000e10 80010002 00020004 001c2000 80040001 80050005 80060080 05000014 89e510df 9582036a db91abe2 1dd56bca 05000010 04000000 0a010100 ffffff00 00000010 04000000 0a010200 ffffff00
The initiator receives the HASH_SA_NONCE payload from the responder.
Sep 28 2017 21:21:04.310.2+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4508 IKE Packet Contents received from 2.1.1.1 for message type Recv_HASH_SA_NONCE : a1588ac6 a6a062d4 60fd9a0c d0d75e72 08102001 2e398765 000000b8 01000024 4ae6231b 8ecc7d32 6b652050 1287c765 9ad89e4a 31a9c0bc e0047c96 b7d0bf7f 0a000044 00000001 00000001 00000038 01030401 00cd88b8 0000002c 010c0000 80010001 00020004 00000e10 80010002 00020004 001c2000 80040001 80050005 80060080 05000014 89e510df 9582036a db91abe2 1dd56bca 05000010 04000000 0a010100 ffffff00 00000010 04000000 0a010200 ffffff00 00000000
- The initiator sends the HASH payload containing authentication information to the responder.
Sep 28 2017 21:21:04.330.5+08:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4686 IKE Packet Contents sent to 2.1.1.1 for message type Send_HASH : a1588ac6 a6a062d4 60fd9a0c d0d75e72 08102000 2e398765 00000040 00000024 fa2b29f7 22f0d27f 25e9e1e1 9c46fbdb d57ebeff 53d7317e 3baaaeea 047189e2
The responder receives the HASH payload from the initiator.
Sep 28 2017 21:38:44.720.11+00:00 sysname IKE/7/IKE_Debug: IKE_PACKET 17:4752 IKE Packet Contents received from 1.1.1.1 for message type Recv_HASH : a1588ac6 a6a062d4 60fd9a0c d0d75e72 08102001 2e398765 00000040 00000024 fa2b29f7 22f0d27f 25e9e1e1 9c46fbdb d57ebeff 53d7317e 3baaaeea 047189e2 00000000 00000000 00000000
IKEv2 Phase
IKEv2 negotiation is much simpler than IKEv1 negotiation. IKEv1 goes through two phases to establish a pair of IPSec SAs: "main mode + quick mode" or "aggressive mode + quick mode". The first one requires nine messages to be exchanged, whereas the second one requires at least six messages to be exchanged. IKEv2 requires two exchanges and four messages to establish a pair of IPSec SAs. If more than one pair of IPSec SAs needs to be set up, CREATE_CHILD_SA Exchanges are performed. One CREATE_CHILD_SA Exchange establishes one pair of IPSec SAs, that is, only two more messages are required to establish an additional pair of IPSec SAs.
- The initiator sends the SA_INIT payload containing IKE proposals, key generation information, and authentication information to the responder.
Sep 28 2017 21:25:09.790.14+08:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6660 IKEv2 Exch Type: SA_INIT
Sep 28 2017 21:25:09.800.2+08:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6570 Sent Msg: SA | KE | NONCE | NOTIFY | NOTIFY | V_ID | V_ID |
The responder receives the SA_INIT payload sent from the initiator and parses the IKE proposal.
Sep 28 2017 21:42:50.180.10+00:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6733 IKEv2 Exch Type: SA_INIT
Sep 28 2017 21:42:50.180.1+00:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6636 Recv Msg: SA | KE | NONCE | NOTIFY | NOTIFY | V_ID | V_ID |
IKE_INFO 47:2699 Number of proposal : 1
IKE_INFO 47:2868 Proposal No 1: Protocol ID: ISAKMP
IKE_INFO 47:2521 ENCRYPTION ALGORITHM: AES_256 //Encryption algorithm
IKE_INFO 47:2274 INTEGRITY ALGORITHM: SHA_256 //Authentication algorithm
IKE_INFO 47:2243 PRF ALGORITHM: SHA2_256 //Pseudo-random function algorithm
IKE_INFO 47:2308 GROUP_TYPE: MODP_1024 //DH key exchange parameter
- The responder searches for the first matching IKE proposal and sends the SA_INIT payload containing this accepted IKE proposal, its identity, and authentication information to the initiator.
Sep 28 2017 21:42:50.190.9+00:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6774 IKEv2 Exch Type: SA_INIT
Sep 28 2017 21:42:50.190.11+00:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6684 Sent Msg: SA | KE | NONCE | NOTIFY | NOTIFY | V_ID | V_ID |
The initiator receives the SA_INIT payload from the responder.
Sep 28 2017 21:25:09.870.13+08:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6619 IKEv2 Exch Type: SA_INIT
Sep 28 2017 21:25:09.870.14+08:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6522 Recv Msg: SA | KE | NONCE | NOTIFY | NOTIFY | V_ID | V_ID |
- The initiator sends the IKE_AUTH payload containing IPSec proposals, its identity, and authentication information to the responder.
Sep 28 2017 21:25:09.920.5+08:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6660 IKEv2 Exch Type: IKE_AUTH
Sep 28 2017 21:25:09.920.7+08:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6570 Sent Msg: NOTIFY | NOTIFY | ID_I | AUTH | SA | TS_I | TS_R |
The responder receives the IKE_AUTH payload sent from the initiator and parses the IPSec proposal.
Sep 28 2017 21:42:50.330.1+00:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6733 IKEv2 Exch Type: IKE_AUTH
Sep 28 2017 21:42:50.330.2+00:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6636 Recv Msg: NOTIFY | NOTIFY | ID_I | AUTH | SA | TS_I | TS_R |
IKE_INFO 47:2699 Number of proposal : 1
IKE_INFO 47:2868 Proposal No 1: Protocol ID: IPSEC_ESP //Security protocol type
IKE_INFO 47:2521 ENCRYPTION ALGORITHM: AES_256 //Encryption algorithm
IKE_INFO 47:2282 AUTHENTICATION ALGORITHM: SHA_256 //Authentication algorithm
- The responder searches for the first matching IPSec proposal and sends the IKE_AUTH payload containing this accepted IPSec proposal, its identity, and authentication information to the initiator.
Sep 28 2017 21:42:50.360.9+00:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6774 IKEv2 Exch Type: IKE_AUTH
Sep 28 2017 21:42:50.360.11+00:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6684 Sent Msg: NOTIFY | NOTIFY | ID_R | AUTH | SA | TS_I | TS_R |
The initiator receives the IKE_AUTH payload from the responder.
Sep 28 2017 21:25:10.50.10+08:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6619 IKEv2 Exch Type: IKE_AUTH
Sep 28 2017 21:25:10.50.11+08:00 sysname IKE/7/IKE_Debug: IKE_INFO 47:6522 Recv Msg: NOTIFY | NOTIFY | ID_R | AUTH | SA | TS_I | TS_R |
Common Failure Debugging Information and Troubleshooting Suggestions
Table 1 shows common failure debugging information and troubleshooting suggestions.
| Debugging Information | Description | Troubleshooting Suggestions |
|---|---|---|
| Message from peer peer-ip: Got NOTIFY of type NO_PROPOSAL_CHOSEN | A NO_PROPOSAL_CHOSEN notification was received from the peer. peer-ip is the IP address of the IKE peer. | The IKE proposals on the two ends are inconsistent. Ensure that the IKE proposals match. |
| Message from peer peer-ip: Got NOTIFY of type PAYLOAD_MALFORMED | A PAYLOAD_MALFORMED notification was received from the peer. peer-ip is the IP address of the IKE peer. | The pre-shared keys on the two ends are inconsistent. Ensure that the pre-shared keys match. |
| Message from peer peer-ip: Invalid Next Payload of Type 60 in Payload Type 5 | The message received from the peer contains an invalid next payload of type 60 in a payload of type 5. | The pre-shared keys on the two ends are inconsistent. Ensure that the pre-shared keys match. |
| Message from peer peer-ip: dropping Message due to notification type INVALID_PAYLOAD_TYPE | The message from the peer was dropped because of an INVALID_PAYLOAD_TYPE notification. peer-ip is the IP address of the IKE peer. | The pre-shared keys on the two ends are inconsistent. Ensure that the pre-shared keys match. |
| Phase 1 Exchange: ike peer configuration not found for peer "peer-ip" | Phase 1 exchange: no IKE peer configuration was found for peer-ip. peer-ip is the IP address of the IKE peer. | The local remote-address configuration is incorrect. Ensure that the configuration is correct. |
| ERROR - Received remote-name(remote-name) does not match with peer remote-name(remote-name) | The received remote-name does not match the configured peer remote-name. remote-name is the peer name. | The local remote-id and remote-name are inconsistent. Ensure that they are consistent. |
| Message from peer peer-ip: Got NOTIFY of type INVALID_ID_INFORMATION | An INVALID_ID_INFORMATION notification was received from the peer. peer-ip is the IP address of the IKE peer. | The ACL rules on the two ends do not match. Ensure that the ACL rules match. |
| Message from peer peer-ip: dropping Message due to notification type NO_PROPOSAL_CHOSEN | The message from the peer was dropped because of a NO_PROPOSAL_CHOSEN notification. peer-ip is the IP address of the IKE peer. | The IPSec proposals or PFS algorithms on the two ends are inconsistent. Ensure that the IPSec proposals and PFS algorithms match. |
| Authentication failed for the peer peer-ip | The peer failed authentication. peer-ip is the IP address of the IKE peer. | The pre-shared keys on the two ends are inconsistent. Ensure that the pre-shared keys match. |
| Unable to find IPSEC Policy for peer peer-ip | No IPSec policy was found for the peer. peer-ip is the IP address of the IKE peer. | One end does not have remote-address configured. Ensure that both ends have remote-address configured. |
| ERROR - Peer remote-name(remote-name) does not match with | The peer remote-name does not match. remote-name is the peer name. | The local remote-id and remote-name are inconsistent. Ensure that they are consistent. |
| Ikev1 error-info record(peer address: peer-address, error reason: error-reason,list number: list-number)<br>Ikev2 error-info record(peer address: peer-address, error reason: error-reason,list number: list-number) | IKEv1/IKEv2 negotiation failure information. | Rectify the fault based on IPSec Fault Cause Reference. |