Manual Chapter : Verifying IPsec connectivity for dynamic template tunnel mode

Applies To:

BIG-IP APM

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

BIG-IP Link Controller

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

BIG-IP LTM

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

BIG-IP AFM

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

BIG-IP ASM

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0

After you have configured an IPsec tunnel and before you configure additional functionality, you can verify that the tunnel is passing traffic.
Only data traffic matching the traffic selector triggers the establishment of the tunnel.
  1. Access the tmsh command-line utility.
  2. Before sending traffic, type this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level debug
    This command increases the logging level to display the messages that you want to view.
  3. Send data traffic to the destination IP address specified in the traffic selector.
  4. To verify the establishment of dynamic negotiated Security Associations (SAs), type this command at the prompt.
    tmsh show net ipsec ipsec-sa
    For each tunnel, the output displays IP addresses for two IPsec SAs, one for each direction. Following is an example:
    IPsec::SecurityAssociations
    192.168.44.1 -> 3.3.3.3 SPI(0x7b438626) in esp (tmm: 6)
    3.3.3.3 -> 192.168.44.1 SPI(0x5e52a1db) out esp (tmm: 5)
  5. To display the details of the dynamic negotiated Security Associations (SAs), type this command at the prompt.
    tmsh show net ipsec ipsec-sa all-properties
    For each tunnel, the output displays the details for the IPsec SAs. Following is an example:
    IPsec::SecurityAssociations
    3.3.3.3 -> 192.168.44.1
    -----------------------------------------------------------------------------
    tmm: 2
    Direction: out; SPI: 0x6be3ff01(1810104065); ReqID: 0x9b0a(39690)
    Protocol: esp; Mode: tunnel; State: mature
    Authenticated Encryption : aes-gmac128
    Current Usage: 307488 bytes
    Hard lifetime: 94 seconds; unlimited bytes
    Soft lifetime: 34 seconds; unlimited bytes
    Replay window size: 64
    Last use: 12/13/2022:10:42
    Create: 12/13/2022:10:39
  6. To display the details of the IKE-negotiated SAs (IKEv2), type this command at the prompt.
    tmsh show net ipsec ike-sa all-properties
  7. Check the IPsec statistics by typing this command at the prompt.
    tmsh show net ipsec-stat
    If traffic is passing through the IPsec tunnel, the statistics increment. Following is an example of the output; only the TUNNEL/ESP row for tmm 2 shows traffic:
    slot tmm mode      proto in_encr.packets out_plain.packets in_encr.bytes
    ---- --- --------- ----- --------------- ----------------- -------------
    0    0   TRANSPORT AH    0               0                 0
    0    0   TRANSPORT ESP   0               0                 0
    0    0   TUNNEL    AH    0               0                 0
    0    0   TUNNEL    ESP   0               0                 0
    0    1   TRANSPORT AH    0               0                 0
    0    1   TRANSPORT ESP   0               0                 0
    0    1   TUNNEL    AH    0               0                 0
    0    1   TUNNEL    ESP   0               0                 0
    0    2   TRANSPORT AH    0               0                 0
    0    2   TRANSPORT ESP   0               0                 0
    0    2   TUNNEL    AH    0               0                 0
    0    2   TUNNEL    ESP   56169           56169             7638984
    0    3   TRANSPORT AH    0               0                 0
    0    3   TRANSPORT ESP   0               0                 0
    0    3   TUNNEL    AH    0               0                 0
    0    3   TUNNEL    ESP   0               0                 0
  8. If the SAs are established, but traffic is not passing, type one of these commands at the prompt.
    tmsh delete net ipsec ike-sa (IKEv2)
    This action deletes the IPsec tunnels. Sending new traffic triggers SA negotiation and establishment.
  9. If traffic is still not passing, type this command at the prompt.
    racoonctl flush-sa isakmp
    This action brings down the control channel. Sending new traffic triggers SA negotiation and establishment.
  10. View the /var/log/racoon.log file to verify that the IPsec tunnel is up.
    Following are examples of the messages:
    2022-06-29 16:45:13: INFO: ISAKMP-SA established 10.100.20.3[500]-165.160.15.20[500] spi:3840191bd045fa51:673828cf6adc5c61
    2022-06-29 16:45:14: INFO: initiate new phase 2 negotiation: 10.100.20.3[500]<=>165.160.15.20[500]
    2022-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 165.160.15.20[0]->10.100.20.3[0] spi=2403416622(0x8f413a2e)
    2022-06-29 16:45:14: INFO: IPsec-SA established: ESP/Tunnel 10.100.20.3[0]->165.160.15.20[0] spi=4573766(0x45ca46
  11. To turn on IKEv2 logging on a production build, complete these steps.
    If you are using IKEv2, you can skip these steps; the BIG-IP system enables IPsec logging by default.
    1. Configure the log publisher for IPsec to use.
      % tmsh create sys log-config publisher ipsec { destinations add { local-syslog }}
      % tmsh list sys log-config publisher ipsec
      sys log-config publisher ipsec {
          destinations {
              local-syslog { }
          }
      }
    2. Attach the log publisher to the ike-daemon object.
      tmsh modify net ipsec ike-daemon ikedaemon log-publisher ipsec
  12. For protocol-level troubleshooting, you can increase the debug level by typing this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level debug2
    Use this command only for debugging. It creates a large log file, and can slow the tunnel negotiation.
    Using this command flushes existing SAs.
  13. After you view the results, return the debug level to normal to avoid excessive logging by typing this command at the prompt.
    tmsh modify net ipsec ike-daemon ikedaemon log-level info
    Using this command flushes existing SAs.
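The checks in steps 4 and 7 can be scripted once the tmsh output has been captured. The following is an added example, not part of the F5 manual: it parses a pasted `tmsh show net ipsec ipsec-sa` listing to confirm that every peer pair has both an inbound and an outbound SA, and compares two `tmsh show net ipsec-stat` samples to confirm that the TUNNEL/ESP counters grew. All sample output in the block is constructed from the manual's examples, not captured from a live system.

```python
"""Added example (not F5 code): automate steps 4 and 7 from captured tmsh output.
Every peer pair needs an 'in' and an 'out' SA, and TUNNEL/ESP counters must grow."""
import re
from collections import defaultdict

# Constructed sample of `tmsh show net ipsec ipsec-sa` (step 4).
SA_OUTPUT = """\
IPsec::SecurityAssociations
192.168.44.1 -> 3.3.3.3 SPI(0x7b438626) in esp (tmm: 6)
3.3.3.3 -> 192.168.44.1 SPI(0x5e52a1db) out esp (tmm: 5)
"""
# Two constructed samples of `tmsh show net ipsec-stat` (step 7), taken seconds apart.
STAT_BEFORE = """\
slot tmm mode      proto in_encr.packets out_plain.packets in_encr.bytes
---- --- --------- ----- --------------- ----------------- -------------
0    2   TUNNEL    AH    0               0                 0
0    2   TUNNEL    ESP   56169           56169             7638984
0    3   TUNNEL    ESP   0               0                 0
"""
# Same widths, so the second sample stays column-aligned.
STAT_AFTER = STAT_BEFORE.replace("56169", "56240").replace("7638984", "7648640")
SA_RE = re.compile(r"^(\S+) -> (\S+) SPI\((0x[0-9a-f]+)\) (in|out) (\w+)")

def parse_sas(text):
    """Map each unordered peer pair to its {'in': spi, 'out': spi} SAs."""
    tunnels = defaultdict(dict)
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            src, dst, spi, direction, _proto = m.groups()
            tunnels[frozenset((src, dst))][direction] = spi
    return dict(tunnels)

def tunnels_complete(sa_text):
    """True only if at least one tunnel exists and each has both directions."""
    tunnels = parse_sas(sa_text)
    return bool(tunnels) and all(set(d) == {"in", "out"} for d in tunnels.values())

def parse_stats(text):
    """Map (slot, tmm, mode, proto) to the three numeric counters."""
    rows = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[4].isdigit():   # skips the header and ruler lines
            rows[tuple(f[:4])] = tuple(int(x) for x in f[4:])
    return rows

def tunnel_esp_delta(before, after):
    """Increase in TUNNEL/ESP in_encr.packets, summed over all slots and tmms."""
    b, a = parse_stats(before), parse_stats(after)
    return sum(a[k][0] - b.get(k, (0, 0, 0))[0] for k in a if k[2:] == ("TUNNEL", "ESP"))
```

A tunnel is passing traffic when `tunnels_complete()` is true and `tunnel_esp_delta()` is positive; a pair with only one direction, or a zero delta after sending traffic, points back to steps 8 through 10.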