IPsec VPN抓包诊断命令-叫我小火柴-51CTO博客
source link: http://blog.51cto.com/abnerhuang/2067351
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
(FortiGate)飞塔防火墙IPsec ***抓包诊断命令
① sniffer抓包确认UDP 500/4500 双方通信是否正常
diagnose sniffer packet any "host 119.201.75.34 and ( port 500 or port 4500)" 4
(这里IP119.201.75.34指的是对方公网IP。UDP 500 或 UDP 4500 这两个端口是IPsec ***协商协议IKE会使用的端口,一定要互通要通畅,否则***无法正常建立,确认互通正常在进行下一步定位)
② 通过日志,diagnose debug application ike 确认问题是出在第一阶段还是第二阶段
diagnose *** ike log-filter name SZFT // 第一阶段名称
diagnose *** ike log-filter dst-addr4 119.201.75.34 //IP换成对方公网IP
diagnose debug console timestamp enable //开启时间标签
diagnose debug application ike -1 //匹配ike数据
diagnose debug enable //开启抓包命令
diagnose debug application ike 0 // 关闭debug
diagnose debug disable //关闭debug
diagnose debug reset //关闭debug
注意事项:diagnose debug application ike的时候要注意,自己不要主动发起连接,需要把第一阶段/第二阶段的自动协商关闭
关掉一阶段第二阶段的自动协商(以下是接口模式***关闭自动协商的配置命令)
TEST_1000D# config *** ipsec phase1-interface
TEST_1000D (phase1-interface) # edit ***
TEST_1000D (***) # set auto-negotiate disable
TEST_1000D (***) # end
TEST_1000D # config *** ipsec phase2-interface
TEST_1000D (phase1-interface) # edit ***
TEST_1000D (***) # set auto-negotiate disable
TEST_1000D (***) # end
有时候需要重置IPsec ***的连接:
diagnose *** ike filter name *** // 第一阶段名称
diagnose *** ike restart //重新主动发起连接
diagnose *** tunnel reset //重置第二阶段
重置IPsec ***通道,有VDOM的情况下:
TEST_1000D # config vdom
TEST_1000D (vdom) # edit root (进入具体的VDOM,这里我们假设为root域)
TEST_1000D (root) #diagnose *** ike filter name *** (这里***指的是具体的隧道名称)
TEST_1000D (root) # diagnose *** tunnel reset
TEST_1000D (root) # diagnose *** ike restart
查看IPsec ***状态命令:
diagnose *** ike gateway list
diagnose *** tunnel list
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK