gw-world:/> ike -tunnels -num=all
In these circumstances, using the option with a small number, for example -num=10, is recommended.
9.8.4. The ike -snoop Command
VPN Tunnel Negotiation
When setting up IPsec tunnels, the initial IKE negotiation can fail because the devices at either end of the tunnel cannot agree on which protocols and encryption methods will be used. The ike -snoop console command with the -verbose option is a tool that can be used to identify the source of such problems by showing the details of this negotiation.
Using ike -snoop
The ike -snoop command can be entered via a CLI console connected over a network connection or directly via the local console. To begin monitoring, the full command is:
gw-world:/> ike -snoop
This means that the output will be sent to the console for every VPN tunnel IKE negotiation. The output can be overwhelming, so to limit the output to a single IP address, for example the IP address 10.1.1.10, the command would be:
gw-world:/> ike -snoop 10.1.1.10
The IPv4 address used is the IP address of the VPN tunnel's remote endpoint (either the IP of a remote gateway or the IP of a connecting client). To turn off monitoring, the command is:
gw-world:/> ike -snoop -off
By default, ike -snoop always creates the most verbose output. It is possible to reduce this output volume by using the -brief option. However, this may not provide sufficient detail to identify problems. All the ike command options can be found in the separate CLI Reference Guide.
The output from ike -snoop can be difficult for an administrator seeing it for the first time to interpret. Presented below is some typical ike -snoop output with annotations to explain it. The tunnel negotiation considered is based on pre-shared keys. A negotiation based on certificates is not discussed here, but the principles are similar.
The Client and the Server
The two parties involved in the tunnel negotiation are referred to in this section as the client and the server. In this context, the word "client" is used to refer to the device which is the initiator of the negotiation, and "server" refers to the device which is the responder.
Step 1. Client Initiates Exchange by Sending a Supported Algorithm List
The verbose option output initially shows the proposed list of algorithms that the client first
Chapter 9: VPN
764