Payload Type = SA Next Payload = ISAKMP_NEXT_VID Payload Length = 0x94 DOI = 0x1 Situation = 0x1

Transcription

1 How can you analyze VPN IPSec Log? Here we take an example with brief description to teach you how to read the IPSec log of Vigor router, so that you may be able to do some basic troubleshooting by yourself. The IPSec protocol is complicated and it is hard to explain clearly with simple words. Therefore, if you have problems on resolving an IPSec issue by yourself, please do not hesitate to contact us and offer the VPN log. VPN is initiated from Vigor5500 to Vigor2820. Please connect VPN. Type the command log -wt by using Telnet. You may get the following output. Please note that ++++> indicates connection direction (data transmission) is from local to remote <++++ indicates connection direction (data transmission) is from remote to local Password: ******************** Type? for command help > log -wt 0:00: >IKE Len = 296 I Cookie=0xb9 f0 0c 1a a2 e6 89 db, R Cookie=0x Next Payload = ISAKMP_NEXT_SA Payload Type = SA Payload Length = 0x94 Situation = 0x1 Proposal #0x0, Protocol Id = 0x1, SPI Size = 0x0, Number of Transforms = 0x4 Transform #0x0, Transform ID = 0x1, Length = 0x18 Transform #0x1, Transform ID = 0x1, Length = 0x

2 Transform #0x2, Transform ID = 0x1, Length = 0x Transform #0x3, Transform ID = 0x1, Length = 0x VID Data = 0xaf ca d a1 f1 c9 6b fc VID Data = 0x4a 13 1c c f2 0e f VID Data = 0x7d a ca 6f 2c 17 9d d 56 VID Data = 0x90 cb e bb 69 6e b5 ec 42 7b 1f VID Data = 0xcd df 21 f8 7c fd b2 fc 68 b6 a4 48 VID Data = 0x d 18 b6 bb cd 0b e8 a dd cc 0:00: <++++IKE Len = 120 Next Payload = ISAKMP_NEXT_SA Payload Type = SA Payload Length = 0x34 Situation = 0x1 Proposal #0x0, Protocol Id = 0x1, SPI Size = 0x0, Number of Transforms = 0x1 Transform #0x0, Transform ID = 0x1, Length = 0x18 2

3 VID Data = 0xaf ca d a1 f1 c9 6b fc VID Data = 0x4a 13 1c c f2 0e f 0:00: >IKE Len = 188 Next Payload = ISAKMP_NEXT_KE Payload Type = KEY EX Next Payload = ISAKMP_NEXT_NONCE Payload Length = 0x64 Key = 0x30 da 16 b0 e0 50 5f c ce 8e 0c 42 2c bd 96 7e b7 29 e1 7d b5 16 e2 73 fe d4 6d a9 de c f3 71 5c a5 3d 2f 18 e3 1c 7e fa 09 b4 3d 9f d ac d2 2e c 55 e b8 0c 32 c9 8c 05 9a eb 72 c9 e3 2a 3f Payload Type= NONCE Next Payload = ISAKMP_NEXT_NAT-D Nonce = 0x a 4e d1 13 b4 05 ae 83 6e e 5f 60 Payload Type= NAT-D Next Payload = ISAKMP_NEXT_NAT-D NAT-D Length = 0x14 NAT-D = 0xf5 33 e5 65 ef d4 e8 4e da 2a e8 c1 10 cc Payload Type= NAT-D NAT-D Length = 0x14 NAT-D = 0x3f bd b9 1e 37 fd a7 a2 41 a7 85 0:00: <++++IKE Len = 188 Next Payload = ISAKMP_NEXT_KE Payload Type = KEY EX Next Payload = ISAKMP_NEXT_NONCE Payload Length = 0x64 Key = 0x33 cb 5a bf 6b 3b 49 4d 32 af 60 2f 9e 8f 9c 86 f3 b9 ce 55 9e e5 a8 6a 9f 3d 3c 25 d8 2a a7 de 21 df f0 31 aa 6d 22 c b0 4f ba d0 ca f cb d6 74 c6 06 d9 0e ce bc 02 a7 0a fa 49 ad c5 3f b0 a7 ed ed 4e 9d ec e 4b b d6 82 f9 f9 d9 3

4 Payload Type= NONCE Next Payload = ISAKMP_NEXT_NAT-D Nonce = 0x a 64 e9 2c 4e 60 e9 ae d 5a 69 f1 Payload Type= NAT-D Next Payload = ISAKMP_NEXT_NAT-D NAT-D Length = 0x14 NAT-D = 0x3f bd b9 1e 37 fd a7 a2 41 a7 85 Payload Type= NAT-D NAT-D Length = 0x14 NAT-D = 0xf5 33 e5 65 ef d4 e8 4e da 2a e8 c1 10 cc 0:00: >IKE Len = 88 Next Payload = ISAKMP_NEXT_HASH Payload Length = 0xc ID Type = 0x01 ID = 0xda f Next Payload = ISAKMP_NEXT_N Hash = 0x9e dc ff 64 f7 26 fa e 8b f0 9c ca 6c 40 Payload Type = NOTIFICATION Payload Length = 0x1c 1, SPI SIZE = 0x10, Message Type = 0x6002 SPI = b9 f0 0c 1a a2 e6 89 db b5 7f b d Notification Data = 0:00: <++++IKE Len = 92 Next Payload = ISAKMP_NEXT_HASH Payload Length = 0xc ID Type = 0x01 ID = 0xdc 80 e6 79 Next Payload = ISAKMP_NEXT_N Hash = 0x f c0 3e 20 eb fa 6a 9f f f9 4

5 Payload Type = NOTIFICATION Payload Length = 0x1c 1, SPI SIZE = 0x10, Message Type = 0x6002 SPI = b9 f0 0c 1a a2 e6 89 db b5 7f b d Notification Data = 0:00: >IKE Len = 172 Next Payload = ISAKMP_NEXT_HASH 0 Message ID = 0xeca88777 Next Payload = ISAKMP_NEXT_SA Hash = 0x90 fc 3b 5d 7e 7f 8f 5d a 29 ac d9 3b 1c Payload Type = SA Next Payload = ISAKMP_NEXT_NONCE Payload Length = 0x48 Situation = 0x1 Proposal #0x0, Protocol Id = 0x3, SPI Size = 0x4, Number of Transforms = 0x2 SPI = f0 ac 8b 7b Transform #0x0, Transform ID = 0x2, Length = 0x Transform #0x1, Transform ID = 0x2, Length = 0x Payload Type= NONCE Nonce = 0xf4 b0 8f 7f f7 34 d3 23 cb a0 8b 81 7c 7a 7b fc Payload Length = 0x10 ID Type = 0x04 ID = 0xac ff ff ff 00 Payload Length = 0x10 ID Type = 0x04 ID = 0xac ff ff ff 00 0:00: <++++IKE Len = 148 Next Payload = ISAKMP_NEXT_HASH 0 5

6 Message ID = 0xeca88777 Next Payload = ISAKMP_NEXT_SA Hash = 0xa9 03 b5 1a f2 21 c6 fe ab 9a 5d ed 65 Payload Type = SA Next Payload = ISAKMP_NEXT_NONCE Payload Length = 0x30 Situation = 0x1 Proposal #0x0, Protocol Id = 0x3, SPI Size = 0x4, Number of Transforms = 0x1 SPI = 31 4b 59 2d Transform #0x0, Transform ID = 0x2, Length = 0x Payload Type= NONCE Nonce = 0xc6 a1 8f fb c0 a3 15 4e 6b 7a 02 Payload Length = 0x10 ID Type = 0x04 ID = 0xac ff ff ff 00 Payload Length = 0x10 ID Type = 0x04 ID = 0xac ff ff ff 00 0:00: >IKE Len = 48 I Cookie=0xb9 f0 0c 1a a2 e6 89 db, R Cookie=0x28 04 b5 7f b d Next Payload = ISAKMP_NEXT_HASH 0 Message ID = 0xeca88777 > Hash = 0x19 2c 30 c d0 e0 64 a0 16 de ac IPSec SA Creation Phases There are two phases on the IPsec SA creation. Phase 1 is to create IKE-SA, and phase 2 is to create IPSEC-SA. Phase 1 creates a security tunnel to protect phase2. Phase 2 is protected by phase 1. 6

7 Phase 1: Create IKE-SA. There are two modes on this phase, the major is main mode, which includes six messages; 1&2: to negotiate the security policy, 1. Initiator sends all type of policies supported to remote end, and if remote end searches any one of them that support too, it will respond to the initiator. The policies include authentication method, PSK or MD5, hash- algorithm, MD5 or SHA, encryption algorithm: DES or 3DES; SA life time (duration) x seconds; 3&4: to exchange the DH and key and create the key 5&6: two messages have been protected by key ID for authentication for each other; Phase 2: create IPSEC-SA. 1, negotiate the IPSEC-protocol: ESP or AH; IPSec-mode: tunnel or transport; hash-algorithm: MD5 or SHA; 2, ACK and ACK too. Example An example of an IPSec exchange using NAT-Traversal in Main Mode is shown as below: Phase I Initiator Responder HDR, SA, VID > (refer to 1 st log) (refer to 2 nd log) < HDR, SA, VID HDR, KE, Ni, NAT-D, NAT-D > (refer to 3 rd log) (refer to 4 th log) < HDR, KE, Nr, NAT-D, NAT-D HDR*#, IDii, > (refer to 5 th log) (refer to 6 th log) < HDR*#, IDir, Quick Mode ( Phase II ) HDR*, HASH(1), SA, Ni, [KE] [ IDci, IDcr ] > (refer to 7 th log) (refer to 8 th log) < HDR*, HASH(2), SA, Nr,[ KE ] [ IDci, IDcr ]HDR*, HASH(3) > (refer to 9 th log) Explanation: 1 st Log: 0:00: >IKE Len = 296 I Cookie=0xb9 f0 0c 1a a2 e6 89 db, R Cookie=0x Next Payload = ISAKMP_NEXT_SA Payload Type = SA 7

8 Payload Length = 0x94 Situation = 0x1 Proposal #0x0, Protocol Id = 0x1, SPI Size = 0x0, Number of Transforms = 0x4 Transform #0x0, Transform ID = 0x1, Length = 0x18 Transform #0x1, Transform ID = 0x1, Length = 0x Transform #0x2, Transform ID = 0x1, Length = 0x Transform #0x3, Transform ID = 0x1, Length = 0x VID Data = 0xaf ca d a1 f1 c9 6b fc VID Data = 0x4a 13 1c c f2 0e f VID Data = 0x7d a ca 6f 2c 17 9d d 56 VID Data = 0x90 cb e bb 69 6e b5 ec 42 7b 1f VID Data = 0xcd df 21 f8 7c fd b2 fc 68 b6 a4 48 8

9 VID Data = 0x d 18 b6 bb cd 0b e8 a dd cc In which, ++++> indicates connection direction is from local to remote I Cookie=0xb9 f0 0c 1a a2 e6 89 db, R Cookie=0x R Cookie=0x indicates it is the first message sent by the initiator. Above is a proposal, which designates the following parameters: Encryption Algorithm is DES, Hash Algorithm is MD5, Authentication Method is Preshared key, DH Group 1, Lifetime is 900 seconds. The Vendor ID Payloads indicate the following protocols are supported: Dead Peer Detection, NAT-T rfc 3947, NAT-T draft 03, NAT-T draft 02, NAT-T draft 02, NAT-T draft 00. Summary: The first log with direction ++++> and R Cookie equal to all 0s indicates that the router itself is the initiator of the connection. It brings 4 proposals, which is set up in the Advanced window. 9

10 2 nd Log: 0:00: <++++IKE Len = 120 Next Payload = ISAKMP_NEXT_SA Payload Type = SA Payload Length = 0x34 Situation = 0x1 Proposal #0x0, Protocol Id = 0x1, SPI Size = 0x0, Number of Transforms = 0x1 Transform #0x0, Transform ID = 0x1, Length = 0x18 10

11 VID Data = 0xaf ca d a1 f1 c9 6b fc VID Data = 0x4a 13 1c c f2 0e f In which, <++++ indicates connection direction is from remote to local The successive messages in the same IPSec session all use the same I Cookie and R Cookie pair. The initiator sends 4 proposals and the responder accepts one proposal with the following parameters: Encryption Algorithm is DES, Hash Algorithm is MD5, Authentication Method is Pre-shared key, DH Group 1, Lifetime is 900 seconds. The Vendor ID Payloads indicate the following protocol is accepted by the responder. Dead Peer Detection and NAT-T rfc Summary: The second log with direction <++++ indicates that the remote VPN gateway has acknowledged one of the proposals proposed by the initiator. If you cannot see the message in the log, it might be: 1. The responder doesn t agree with any of the proposals. Please make sure the relevant settings in both sides match with each other. 2. The responder doesn t receive the proposals. Please check if the remote gateway is available and IPSec service is activated or not. 3 rd & 4 th log: 0:00: >IKE Len = 188 Next Payload = ISAKMP_NEXT_KE 11

12 Payload Type = KEY EX Next Payload = ISAKMP_NEXT_NONCE Payload Length = 0x64 Key = 0x30 da 16 b0 e0 50 5f c ce 8e 0c 42 2c bd 96 7e b7 29 e1 7d b5 16 e2 73 fe d4 6d a9 de c f3 71 5c a5 3d 2f 18 e3 1c 7e fa 09 b4 3d 9f d ac d2 2e c 55 e b8 0c 32 c9 8c 05 9a eb 72 c9 e3 2a 3f Payload Type= NONCE Next Payload = ISAKMP_NEXT_NAT-D Nonce = 0x a 4e d1 13 b4 05 ae 83 6e e 5f 60 Payload Type= NAT-D Next Payload = ISAKMP_NEXT_NAT-D NAT-D Length = 0x14 NAT-D = 0xf5 33 e5 65 ef d4 e8 4e da 2a e8 c1 10 cc Payload Type= NAT-D NAT-D Length = 0x14 NAT-D = 0x3f bd b9 1e 37 fd a7 a2 41 a7 85 0:00: <++++IKE Len = 188 Next Payload = ISAKMP_NEXT_KE Payload Type = KEY EX Next Payload = ISAKMP_NEXT_NONCE Payload Length = 0x64 Key = 0x33 cb 5a bf 6b 3b 49 4d 32 af 60 2f 9e 8f 9c 86 f3 b9 ce 55 9e e5 a8 6a 9f 3d 3c 25 d8 2a a7 de 21 df f0 31 aa 6d 22 c b0 4f ba d0 ca f cb d6 74 c6 06 d9 0e ce bc 02 a7 0a fa 49 ad c5 3f b0 a7 ed ed 4e 9d ec e 4b b d6 82 f9 f9 d9 Payload Type= NONCE Next Payload = ISAKMP_NEXT_NAT-D Nonce = 0x a 64 e9 2c 4e 60 e9 ae d 5a 69 f1 Payload Type= NAT-D Next Payload = ISAKMP_NEXT_NAT-D 12

13 NAT-D Length = 0x14 NAT-D = 0x3f bd b9 1e 37 fd a7 a2 41 a7 85 Payload Type= NAT-D NAT-D Length = 0x14 NAT-D = 0xf5 33 e5 65 ef d4 e8 4e da 2a e8 c1 10 cc In these two messages, pre-shared key are exchanged and checked. If you cannot see the 4 th message, it is probably that the pre-shared keys set in both sides don t match with each other. The NAT-D payloads are used to detect which VPN gateway is behind a NATed device. 5 th & 6 th log: 0:00: >IKE Len = 88 Next Payload = ISAKMP_NEXT_HASH Payload Length = 0xc ID Type = 0x01 ID = 0xda f Next Payload = ISAKMP_NEXT_N Hash = 0x9e dc ff 64 f7 26 fa e 8b f0 9c ca 6c 40 Payload Type = NOTIFICATION Payload Length = 0x1c 1, SPI SIZE = 0x10, Message Type = 0x6002 SPI = b9 f0 0c 1a a2 e6 89 db b5 7f b d Notification Data = 0:00: <++++IKE Len = 92 13

14 Next Payload = ISAKMP_NEXT_HASH Payload Length = 0xc ID Type = 0x01 ID = 0xdc 80 e6 79 Next Payload = ISAKMP_NEXT_N Hash = 0x f c0 3e 20 eb fa 6a 9f f f9 Payload Type = NOTIFICATION Payload Length = 0x1c 1, SPI SIZE = 0x10, Message Type = 0x6002 SPI = b9 f0 0c 1a a2 e6 89 db b5 7f b d Notification Data = In these two messages, ID payload is exchanged and checked. In main mode, the real WAN IP address of the router itself is set as local ID. If you cannot see the 6 th message, it is probably that the IP address is not accepted by remote VPN gateway. ID = 0xda f (Hex format) (Decimal format) ID = 0xdc 80 e6 79 (Hex format) (Decimal format) Upon seeing the 6 th message, the ISAKMP SA is successfully created. Next, the connection will proceed to the Quick mode. 7 th message: 0:00: >IKE Len = 172 Next Payload = ISAKMP_NEXT_HASH 0 Message ID = 0xeca88777 Next Payload = ISAKMP_NEXT_SA Hash = 0x90 fc 3b 5d 7e 7f 8f 5d a 29 ac d9 3b 1c Payload Type = SA Next Payload = ISAKMP_NEXT_NONCE Payload Length = 0x48 Situation = 0x1 14

15 Proposal #0x0, Protocol Id = 0x3, SPI Size = 0x4, Number of Transforms = 0x2 SPI = f0 ac 8b 7b Transform #0x0, Transform ID = 0x2, Length = 0x Transform #0x1, Transform ID = 0x2, Length = 0x Payload Type= NONCE Nonce = 0xf4 b0 8f 7f f7 34 d3 23 cb a0 8b 81 7c 7a 7b fc Payload Length = 0x10 ID Type = 0x04 ID = 0xac ff ff ff 00 Payload Length = 0x10 ID Type = 0x04 ID = 0xac ff ff ff 00 Transform ID = 0x2 The transform ID stands for the Encryption Algorithm. 0x2 means ESP_DES Above is one proposal, which designates the following parameters: Hash Algorithm is SHA1, Encapsulation Mode is Tunnel, Lifetime is 600 seconds. \ The setup can be modified in the Advanced window. 15

16 ID = 0xac ff ff ff 00 Local Subnet: / ID = 0xac ff ff ff 00 Remote Subnet: / The Local Subnet is defined in the LAN >> General Setup page and 1st IP Address/Subnet field. The Remote Subnet is defined in the VPN profile. Make sure in Remote Network IP field you enter the network IP address of remote subnet, not a usable IP address within remote subnet. 8 th message: 16

17 0:00: <++++IKE Len = 148 Next Payload = ISAKMP_NEXT_HASH 0 Message ID = 0xeca88777 Next Payload = ISAKMP_NEXT_SA Hash = 0xa9 03 b5 1a f2 21 c6 fe ab 9a 5d ed 65 Payload Type = SA Next Payload = ISAKMP_NEXT_NONCE Payload Length = 0x30 Situation = 0x1 Proposal #0x0, Protocol Id = 0x3, SPI Size = 0x4, Number of Transforms = 0x1 SPI = 31 4b 59 2d Transform #0x0, Transform ID = 0x2, Length = 0x Payload Type= NONCE Nonce = 0xc6 a1 8f fb c0 a3 15 4e 6b 7a 02 Payload Length = 0x10 ID Type = 0x04 ID = 0xac ff ff ff 00 Payload Length = 0x10 ID Type = 0x04 ID = 0xac ff ff ff 00 The initiator sends 2 proposals and the responder accepts one proposal with the following parameters: 17

18 ESP_DES, Hash Algorithm is SHA1, Encapsulation Mode is Tunnel, Lifetime is 600 seconds. Also the responder sends its ID information. Summary: If you don t see the 8 th message, or you see this message but the information contained in it shows being encrypted, it is probably the relevant parameters set in both routers don t match with each other. For example, the PFS(Perfect Forward Secret) is enabled in one side and disabled in the other side; local ID or remote ID configuration exceeds the range allowed in the other side. 9 th message 0:00: >IKE Len = 48 Next Payload = ISAKMP_NEXT_HASH 0 Message ID = 0xeca88777 Hash = 0x19 2c 30 c d0 e0 64 a0 16 de ac Upon seeing the 9 th message, the IPSec SA is successfully created. The ISPec connection is successfully established. Note: For detailed information, please refer to documents for RFC