Securing the Network in Oracle® Solaris 11.2


Updated: August 2014

How to Troubleshoot Systems When IPsec Is Running

On running systems that are exchanging, or attempting to exchange, IPsec-protected packets whose keys are negotiated by IKE, you can use the ikeadm command to view statistics, rules, preshared keys, and other state of the running IKE daemon. You can also use the service log files and packet capture tools such as the Wireshark application. Because ikeadm talks to the running daemon, it reports nothing useful until the IKE service is online.

  1. Investigate the following items:
    • Verify that the policy and appropriate key management services are enabled.

      On the following test system, the manual-key service is being used for key management:

      % svcs -a  | grep ipsec
      online         Feb_04   svc:/network/ipsec/manual-key:default
      online         Feb_04   svc:/network/ipsec/ipsecalgs:default
      online         Feb_04   svc:/network/ipsec/policy:default
      disabled       Feb_28   svc:/network/ipsec/ike:ikev2
      disabled       Feb_28   svc:/network/ipsec/ike:default

      If a service that you need is disabled, enable it with the svcadm enable command. The policy service loads ipsecinit.conf into the kernel, and a key management service supplies the SAs that the policy refers to; both must be online before IPsec protects any traffic.

      You can use both IKE services concurrently. You can also use manual keys and IKE concurrently, but manually keyed SAs and IKE-negotiated SAs that cover the same traffic can interact in ways that are difficult to troubleshoot.

    • View the end of the log file for the IKEv2 service.
      # svcs -xL ikev2
      svc:/network/ipsec/ike:ikev2 (IKEv2 daemon)
       State: disabled since October  10, 2013 10:10:40 PM PDT
      Reason: Disabled by an administrator.
         See: http://support.oracle.com/msg/SMF-8000-05
         See: in.ikev2d(1M)
         See: /var/svc/log/network-ipsec-ike:ikev2.log
      Impact: This service is not running.
         Log:
      Oct 01 13:20:20: (1)  Property "debug_level" set to: "op"
      Oct 01 13:20:20: (1)  Errors and debug messages will be written to: 
                              /var/log/ikev2/in.ikev2d.log
      [ Oct 10 10:10:10 Method "start" exited with status 0. ]
      [ Oct 10 10:10:40 Stopping because service disabled. ]
      [ Oct 10 10:10:40 Executing stop method (:kill). ]
      
         Use: 'svcs -Lv svc:/network/ipsec/ike:ikev2' to view the complete log.
    • (Optional) You can set a temporary debug level on the running daemon. The new level takes effect immediately but is lost when the service restarts; to make a debug level persistent, set the debug_level service property instead and refresh the service.
      # ikeadm set debug verbose /var/log/ikev2/in.ikev2d.log
      Successfully changed debug level from 0x80000000 to 0x6204
      Debug categories enabled:
              Operational / Errors
              Config file processing
              Interaction with Audit
              Verbose Operational
  2. Verify that the output of the ipsecconf command matches the contents of the policy file.
    # ipsecconf 
    #INDEX 14 
    ...
    {  laddr 10.133.66.222 raddr 10.133.64.77 }
    	ipsec   { encr_algs aes(256) encr_auth_algs sha512 sa shared } 
    ...
    {  laddr 10.134.66.122 raddr 10.132.55.55 }
    	ipsec   { encr_algs aes(256) encr_auth_algs sha512 sa shared } 
    
    # cat /etc/inet/ipsecinit.conf
    ...
    {  laddr 10.133.66.222 raddr 10.133.64.77 }
    	ipsec   { encr_algs aes(256) encr_auth_algs sha512 sa shared } 
    
    {  laddr 10.134.66.122 raddr 10.132.55.55 }
    	ipsec   { encr_algs aes(256) encr_auth_algs sha512 sa shared } 
    

    Note -  Wildcard addresses can obscure a match, so verify that each specific address in the ipsecinit.conf file falls within the corresponding wildcard range in the ipsecconf output.

    The ipsecconf command with no arguments displays the policy that is currently loaded in the kernel, not the contents of the file. If no output prints, verify that the policy service is enabled, then refresh the service so that it reloads ipsecinit.conf.

    % svcs policy
    STATE          STIME    FMRI
    online         Apr_10   svc:/network/ipsec/policy:default

    If the output shows an error, edit the ipsecinit.conf file to fix the error, then refresh the service. Until the refresh succeeds, the policy in the kernel can differ from the file, which is why the two outputs are compared in this step.

  3. Validate your IKEv2 configuration.

    For configuration output that might require fixing, see Example 11–1 and Example 11–2. The output in the following example indicates that the configuration is valid.

    # /usr/lib/inet/in.ikev2d -c
    Feb 04 12:08:25: (1)    Reading service properties from smf(5) repository.
    Feb 04 12:08:25: (1)    Property "config_file" set to: "/etc/inet/ike/ikev2.config"
    Feb 04 12:08:25: (1)    Property "debug_level" set to: "all"
    Feb 04 12:08:25: (1)    Warning: debug output being written to stdout.
    Feb 04 12:08:25: (1)    Checking IKE rule #1: "Test 104 to 113"
    Feb 04 12:08:25: (1)    Configuration file /etc/inet/ike/ikev2.config is valid.
    Feb 04 12:08:25: (1)    Pre-shared key file /etc/inet/ike/ikev2.preshared is valid.

    Note -  The -c option checks the configuration files and exits; it does not start the daemon. The warning about debug output is printed regardless of whether you specify a debug log file. If you specify a value for the debug_logfile service property, the warning means that debug output from the running daemon is delivered to that file. Otherwise, debug output is delivered to the console.
    • In the Checking IKE rule lines, verify that the IKE rules connect the appropriate IP addresses. For example, the following entries match. The laddr value from the ipsecinit.conf file matches the local_addr value from the ikev2.config file, and the remote addresses match.

      {  laddr 10.134.64.104 raddr 10.134.66.113 }      /** ipsecinit.conf **/
                       ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
      
      	local_addr   10.134.64.104                          /** ikev2.config **/
      	remote_addr  10.134.66.113                          /** ikev2.config **/
      

      If the entries do not correspond, fix the configuration to identify the correct IP addresses.


      Note -  Rules can have wildcard addresses such as 10.134.0.0/16 that cover a range of addresses. Verify the range against specific addresses.
    • If the Pre-shared key file line indicates that the file is not valid, fix the file.

      Check for typographical errors. Also, in IKEv2, check that the label value in the rule in ikev2.config exactly matches the label value of the corresponding entry in the ikev2.preshared file. Then, if you are using two keys, verify that the local preshared key on one system matches the remote preshared key on its peer, and that the remote key matches the local key on the peer.

      If your configuration still does not work, see Troubleshooting IPsec and IKE Semantic Errors.
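The cross-checks in Step 2 and Step 3 (policy addresses against IKE rule addresses, wildcard ranges against specific addresses, and preshared-key labels against rule labels) can be scripted. The following shell script is an added example for this page and is not part of Oracle Solaris or of Oracle's documentation; it does not call ipsecconf or in.ikev2d, and it inspects only the laddr, raddr, local_addr, remote_addr, and label lines that the procedure refers to, ignoring everything else in the files. The three sample files that it writes are constructed for the example, with dummy key values, and are modelled on the entries shown above.

```shell
#!/bin/sh
# Added example, not Oracle code: offline cross-checks of the relationships
# that Steps 2 and 3 ask you to verify by eye. Assumes POSIX sh with awk,
# grep and mktemp, and 64-bit shell arithmetic. Only laddr/raddr,
# local_addr/remote_addr and label lines are inspected.
set -u

# ip_to_int ADDR: print a dotted-quad IPv4 address as a 32-bit integer.
# Fails on anything that is not four decimal octets (hostnames, IPv6, ...).
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR PREFIX: succeed if ADDR lies within PREFIX, which is either a
# wildcard such as 10.134.0.0/16 or a single address (treated as /32).
in_cidr() {
    addr=$(ip_to_int "$1") || return 2
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    netint=$(ip_to_int "$net") || return 2
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( 4294967296 - (1 << (32 - bits)) ))
    [ $(( addr & mask )) -eq $(( netint & mask )) ]
}

# labels FILE: print the value of every 'label "..."' line, one per line.
labels() {
    awk '$1 == "label" { s = $0; sub(/^[ \t]*label[ \t]*"/, "", s)
                         sub(/".*$/, "", s); print s }' "$1"
}

# psk_labels_without_rule CONFIG PRESHARED: print each label in PRESHARED that
# no rule in CONFIG carries (the "No matching IKEv2 rule" condition).
psk_labels_without_rule() {
    labels "$2" | while IFS= read -r l; do
        labels "$1" | grep -Fqx -- "$l" || printf '%s\n' "$l"
    done
}

# rule_addrs CONFIG: print "local_addr remote_addr" for each rule block.
rule_addrs() {
    awk '$1 == "local_addr"  { l = $2 }
         $1 == "remote_addr" { r = $2 }
         /^[ \t]*}/ { if (l != "" && r != "") print l, r; l = ""; r = "" }' "$1"
}

# policy_addrs IPSECINIT: print "laddr raddr" for each policy entry.
policy_addrs() {
    awk '{ l = ""; r = ""
           for (i = 1; i < NF; i++) {
               if ($i == "laddr") l = $(i + 1)
               if ($i == "raddr") r = $(i + 1)
           }
           if (l != "" && r != "") print l, r }' "$1"
}

# unmatched_policy_entries IPSECINIT CONFIG: print each policy address pair
# that no IKEv2 rule covers, honouring wildcard rule addresses.
unmatched_policy_entries() {
    rules=$(rule_addrs "$2")
    policy_addrs "$1" | while read -r pl pr; do
        found=0
        while read -r rl rr; do
            if in_cidr "$pl" "$rl" && in_cidr "$pr" "$rr"; then found=1; fi
        done <<EOF
$rules
EOF
        [ "$found" -eq 1 ] || printf '%s %s\n' "$pl" "$pr"
    done
}

# Constructed sample files (dummy keys): one policy entry is covered by the
# rule, one is not, and one preshared key carries a label that no rule uses.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/ipsecinit.conf" <<'EOF'
{  laddr 10.134.64.104 raddr 10.134.66.113 }
    ipsec { encr_algs aes encr_auth_algs sha512 sa shared }
{  laddr 10.134.66.122 raddr 10.132.55.55 }
    ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
EOF
cat > "$SAMPLE_DIR/ikev2.config" <<'EOF'
{
    label "Test 104 to 113"
    auth_method preshared
    local_addr  10.134.64.104
    remote_addr 10.134.0.0/16
}
EOF
cat > "$SAMPLE_DIR/ikev2.preshared" <<'EOF'
{
    label "Test 104 to 113"
    key 0x0123456789abcdef0123456789abcdef
}
{
    label "Test 104 to 113 (old)"
    key 0xfedcba9876543210fedcba9876543210
}
EOF

echo "Policy entries that no IKEv2 rule covers:"
unmatched_policy_entries "$SAMPLE_DIR/ipsecinit.conf" "$SAMPLE_DIR/ikev2.config"
echo "Preshared keys whose label matches no rule:"
psk_labels_without_rule "$SAMPLE_DIR/ikev2.config" "$SAMPLE_DIR/ikev2.preshared"
```

On a real system, point the functions at /etc/inet/ipsecinit.conf, /etc/inet/ike/ikev2.config, and /etc/inet/ike/ikev2.preshared instead of the sample directory. An address pair printed by unmatched_policy_entries is traffic that the policy protects but that no IKEv2 rule can key; a label printed by psk_labels_without_rule is what in.ikev2d -c reports as No matching IKEv2 rule for pre-shared key. The script is a static cross-check only; in.ikev2d -c remains the authority on whether the files are syntactically valid.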

Example 11-1  Fixing an Invalid IKEv2 Configuration

In the following output, a hard lifetime that was set in the rule is below the minimum that the daemon accepts, so the daemon overrides it and warns.

# /usr/lib/inet/in.ikev2d -c
...
May 08 08:52:49: (1)	WARNING: Problem in rule "Test 104 to 113"
May 08 08:52:49: (1)	 HARD lifetime too small (60 < 100)
May 08 08:52:49: (1)	  -> Using 100 seconds (minimum)
May 08 08:52:49: (1)	Checking IKE rule #1: "config 10.134.13.113 to 10.134.13.104"
...

This value has been explicitly set in the ikev2.config file. To remove the warning, change the lifetime value to at least 100 seconds, check the file again, and refresh the service.

# pfedit /etc/inet/ike/ikev2.config
...
## childsa_lifetime_secs   60
childsa_lifetime_secs   100
...
# /usr/lib/inet/in.ikev2d -c
...
# svcadm refresh ikev2

Example 11-2  Fixing a No Matching Rule Message

In the following output, a preshared key is defined but is not used in a rule.

# /usr/lib/inet/in.ikev2d -c
Feb 4 12:58:31: (1)  Reading service properties from smf(5) repository.
Feb 4 12:58:31: (1)  Property "config_file" set to: "/etc/inet/ike/ikev2.config"
Feb 4 12:58:31: (1)  Property "debug_level" set to: "op"
Feb 4 12:58:31: (1)  Warning: debug output being written to stdout.
Feb 4 12:58:31: (1)  Checking IKE rule #1: "Test 104 to 113"
Feb 4 12:58:31: (1)  Configuration file /etc/inet/ike/ikev2.config is valid.
Feb 4 12:58:31: (1)  No matching IKEv2 rule for pre-shared key ending on line 12
Feb 4 12:58:31: (1)  Pre-shared key file /etc/inet/ike/ikev2.preshared is valid.

    The output indicates that only one rule exists.

  • If the rule requires a preshared key, then the label of the preshared key does not match the label of the rule. Fix the ikev2.config rule label and the ikev2.preshared key label to match.

  • If the rule uses a certificate, then you can remove or comment out the preshared key that ends on line 12 in the ikev2.preshared file to prevent the No matching message.

Example 11-3  Setting a New Debug Level on a Running IKE Daemon

In the following output, debug output is set to all in the ikev2 service.

# /usr/lib/inet/in.ikev2d -c
Feb 4 12:58:31: (1)  Reading service properties from smf(5) repository.
...
Feb 4 12:58:31: (1)  Property "debug_level" set to: "all"
...

The running daemon read its debug_level property when it started. If you have completed Step 2 in How to Troubleshoot Systems Before IPsec and IKE Are Running and the debug output is still op rather than all, use the ikeadm command to change the debug level of the running IKE daemon without restarting it. Note that the ikeadm subcommand is set debug, whereas debug_level is the name of the service property.

# ikeadm set debug all