Ipsec debug, Figure 474 ike/ipsec debug example – ZyXEL Communications 70 Series User Manual

ZyWALL 5/35/70 Series User’s Guide

Appendix K VPN Setup

IPSec Debug

Advanced users who have difficulty building an IPSec tunnel to a non-ZyXEL IPSec router
may wish to examine the IPSec debug feature (Menu 24.8).

Note: If any of your VPN rules have an active network policy set to nailed-up, using
the IPSec debug feature may cause the ZyWALL to continuously display new
information. Type ipsec debug level 0 and press [ENTER] to stop it.

Figure 474 IKE/IPSec Debug Example

ras> ipsec debug
type level display
ras> ipsec debug type
<0:Disable | 1:Original on|off | 2:IKE on|off | 3: IPSec [SPI]|on|off |
4:XAUTH on|off | 5:CERT on|off | 6: All>
ras> ipsec debug level
<0:None | 1:User | 2:Low | 3:High>

ras> ipsec debug type 1 on
ras> ipsec debug type 2 on
ras> ipsec debug level 3

ras> ipsec dial 1
get_ipsec_sa_by_policyIndex():
Start dialing for tunnel <rule# 1>...
ikeStartNegotiate(): saIndex<0>
peerIp<5.1.2.3> protocol: <IPSEC_ESP>(3)

peer Ip <5.1.2.3> initiator(): type<IPSEC_ESP>, exch<Main>

initiator :
protocol: IPSEC_ESP, exchange mode: Main mode find_ipsec_sa():
find ipsec saNot found

Not found isadb_is_outstanding_req():
isakmp is outstanding req : SA not found
isadb_create_entry(): >> INITIATOR

isadb_get_entry_by_addr():
Get IKE entry by address: SA not found

SA not found ISAKMP SA created for peer <BRANCH> size<900>

ISAKMP SA created for peer <BRANCH> size<900> ISAKMP SA built,
ikePeer.s0

ISAKMP SA built, index = 0isadb_create_entry(): done

create IKE entry doneinitiator(): find myIpAddr = 0.0.0.0, use
<5.6.7.8> r
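
An added example, not part of the ZyXEL manual: a Python script that pulls the negotiation parameters out of a debug transcript like the one in Figure 474 and compares them with the settings configured on the remote router. The sample lines are constructed from the figure; the field names and the expected-settings dictionary are assumptions made for this example.

```python
import re

# Constructed sample: lines copied from the Figure 474 transcript, including
# places where two messages are fused or wrapped across lines.
SAMPLE = """\
Start dialing for tunnel <rule# 1>...
ikeStartNegotiate(): saIndex<0>
peerIp<5.1.2.3> protocol: <IPSEC_ESP>(3)
peer Ip <5.1.2.3> initiator(): type<IPSEC_ESP>, exch<Main>
protocol: IPSEC_ESP, exchange mode: Main mode find_ipsec_sa():
find ipsec saNot found
isadb_create_entry(): >> INITIATOR
ISAKMP SA created for peer <BRANCH> size<900>
ISAKMP SA built, index = 0isadb_create_entry(): done
create IKE entry doneinitiator(): find myIpAddr = 0.0.0.0, use
<5.6.7.8> r
"""

# Field name (chosen for this example) -> pattern. Patterns run over
# whitespace-collapsed text, so wrapped or fused messages still match.
PATTERNS = {
    "rule": r"tunnel <rule# (\d+)>",
    "peer_ip": r"peer ?Ip ?<([\d.]+)>",
    "protocol": r"type<(\w+)>",
    "exchange": r"exch<(\w+)>",
    "role": r"isadb_create_entry\(\): >> (\w+)",
    "peer_name": r"ISAKMP SA created for peer <([^>]+)>",
    "sa_index": r"ISAKMP SA built, index = (\d+)",
    "my_ip_configured": r"find myIpAddr = ([\d.]+)",
    "my_ip_used": r"find myIpAddr = [\d.]+, use <([\d.]+)>",
}

def summarise(transcript):
    """Return the negotiation parameters found in a debug transcript."""
    flat = " ".join(transcript.split())
    hits = {f: re.search(p, flat) for f, p in PATTERNS.items()}
    return {f: m.group(1) for f, m in hits.items() if m}

def mismatches(summary, expected):
    """List (field, seen, expected) where the log disagrees with the
    remote router's settings (supplied by the caller)."""
    return [(k, summary.get(k), v) for k, v in expected.items()
            if summary.get(k) != v]

if __name__ == "__main__":
    s = summarise(SAMPLE)
    print("\n".join(f"{k:18} {v}" for k, v in s.items()))
    # Hypothetical remote-side settings to compare against.
    print(mismatches(s, {"peer_ip": "5.1.2.3", "exchange": "Aggressive"}))
```
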
