On running systems that are exchanging or attempting to exchange packets by using IKE, you can use the ikeadm command to view statistics, rules, preshared keys, and other information. You can also use the log files and selected tools, such as the Wireshark application.
On the following test system, the manual-key service is being used for key management:
$ svcs -a | grep ipsec
online         Feb_04   svc:/network/ipsec/manual-key:default
online         Feb_04   svc:/network/ipsec/ipsecalgs:default
online         Feb_04   svc:/network/ipsec/policy:default
disabled       Feb_28   svc:/network/ipsec/ike:ikev2
disabled       Feb_28   svc:/network/ipsec/ike:default
If the service is disabled, enable it.
You can use both IKE services concurrently. You can also use manual keys and IKE concurrently, but this configuration could result in oddities that are difficult to troubleshoot.
$ svcs -xL ikev2
svc:/network/ipsec/ike:ikev2 (IKEv2 daemon)
 State: disabled since October 10, 2013 10:10:40 PM PDT
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: in.ikev2d(8)
   See: /var/svc/log/network-ipsec-ike:ikev2.log
Impact: This service is not running.
   Log:
Oct 01 13:20:20: (1) Property "debug_level" set to: "op"
Oct 01 13:20:20: (1) Errors and debug messages will be written to: /var/log/ikev2/in.ikev2d.log
[ Oct 10 10:10:10 Method "start" exited with status 0. ]
[ Oct 10 10:10:40 Stopping because service disabled. ]
[ Oct 10 10:10:40 Executing stop method (:kill). ]
Use: 'svcs -Lv svc:/network/ipsec/ike:ikev2' to view the complete log.
# ikeadm set debug verbose /var/log/ikev2/in.ikev2d.log
Successfully changed debug level from 0x80000000 to 0x6204
Debug categories enabled:
        Operational / Errors
        Config file processing
        Interaction with Audit
        Verbose Operational
# ipsecconf
#INDEX 14
...
{ laddr 192.0.2.12 raddr 192.0.2.17 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
...
{ laddr 192.0.2.66 raddr 192.0.2.77 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
# cat /etc/inet/ipsecinit.conf
...
{ laddr 192.0.2.12 raddr 192.0.2.17 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
{ laddr 192.0.2.66 raddr 192.0.2.77 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
If no output prints for the ipsecconf command, verify that the policy service is enabled and refresh the service.
$ svcs policy
STATE          STIME    FMRI
online         Apr_10   svc:/network/ipsec/policy:default
If the output shows an error, edit the ipsecinit.conf file to fix the error, then refresh the service.
For configuration output that might require fixing, see Example 41, Fixing an Invalid IKEv2 Configuration and Example 42, Fixing a No matching IKEv2 rule Issue. The output in the following example indicates that the configuration is valid.
# /usr/lib/inet/in.ikev2d -c
Feb 04 12:08:25: (1) Reading service properties from smf(5) repository.
Feb 04 12:08:25: (1) Property "config_file" set to: "/etc/inet/ike/ikev2.config"
Feb 04 12:08:25: (1) Property "debug_level" set to: "all"
Feb 04 12:08:25: (1) Warning: debug output being written to stdout.
Feb 04 12:08:25: (1) Checking IKE rule #1: "Test 104 to 113"
Feb 04 12:08:25: (1) Configuration file /etc/inet/ike/ikev2.config is valid.
Feb 04 12:08:25: (1) Pre-shared key file /etc/inet/ike/ikev2.preshared is valid.
In the Checking IKE rule lines, verify that the IKE rules connect the appropriate IP addresses. For example, the following entries match. The laddr value from the ipsecinit.conf file matches the local_addr value from the ikev2.config file, and the remote addresses match.
{ laddr 192.0.2.84 raddr 192.0.2.73 }                        /** ipsecinit.conf **/
    ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
local_addr 192.0.2.84                                        /** ikev2.config **/
remote_addr 192.0.2.73                                       /** ikev2.config **/
If the entries do not correspond, fix the configuration to identify the correct IP addresses.
If the Pre-shared key file line indicates that the file is not valid, fix the file.
Check for typographical errors. Also, in IKEv2, check that the label value in the rule in ikev2.config matches the label value in the ikev2.preshared file. Then, if you are using two keys, verify that the local preshared key on one system matches the remote preshared key on its peer, and that the remote key matches the local key on the peer.
If your configuration still does not work, see Troubleshooting IPsec and IKE Semantic Errors.
In the following output, the lifetime of the IKE SA is too short.
# /usr/lib/inet/in.ikev2d -c
...
May 08 08:52:49: (1) WARNING: Problem in rule "Test 104 to 113"
May 08 08:52:49: (1)   HARD lifetime too small (60 < 100)
May 08 08:52:49: (1)   -> Using 100 seconds (minimum)
May 08 08:52:49: (1) Checking IKE rule #1: "config 192.0.2.73 to 192.0.2.84"
...
This value has been explicitly set in the ikev2.config file. To remove the warning, change the lifetime value to at least 100 and refresh the service.
# pfedit /etc/inet/ike/ikev2.config
...
## childsa_lifetime_secs 60
childsa_lifetime_secs 100
...
# /usr/lib/inet/in.ikev2d -c
...
# svcadm refresh ikev2

Example 42 Fixing a No matching IKEv2 rule Issue
In the following output, a preshared key is defined but is not used in a rule.
# /usr/lib/inet/in.ikev2d -c
Feb 4 12:58:31: (1) Reading service properties from smf(5) repository.
Feb 4 12:58:31: (1) Property "config_file" set to: "/etc/inet/ike/ikev2.config"
Feb 4 12:58:31: (1) Property "debug_level" set to: "op"
Feb 4 12:58:31: (1) Warning: debug output being written to stdout.
Feb 4 12:58:31: (1) Checking IKE rule #1: "Test 104 to 113"
Feb 4 12:58:31: (1) Configuration file /etc/inet/ike/ikev2.config is valid.
Feb 4 12:58:31: (1) No matching IKEv2 rule for pre-shared key ending on line 12
Feb 4 12:58:31: (1) Pre-shared key file /etc/inet/ike/ikev2.preshared is valid.
The output indicates that only one rule exists.
If the rule requires a preshared key, then the label of the preshared key does not match the label of the rule. Fix the ikev2.config rule label and the ikev2.preshared key label to match.
If the rule uses a certificate, then you can remove or comment out the preshared key that ends on line 12 in the ikev2.preshared file to prevent the No matching message.
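The checks described above (laddr/raddr in ipsecinit.conf against local_addr/remote_addr in ikev2.config, and preshared key labels against rule labels) can be scripted. The following Python checker is an added example, not an Oracle tool and not part of in.ikev2d; it runs over constructed configuration fragments written in the syntax the excerpts above show. The rule and preshared-entry syntax (a brace-delimited block carrying label, auth_method, local_addr and remote_addr; ikev2_preshared blocks carrying label and key) is assumed from those excerpts, and any other keywords in real files are ignored by the tokenizer. Key material is deliberately never read or printed.

```python
import re

# Tokenizer for the brace-delimited syntax shared by ipsecinit.conf,
# ikev2.config and ikev2.preshared (assumed from the doc excerpts).
# Quoted strings are tried first, so a '#' inside a quoted label is never
# taken as a comment; '#' comments and the /** ... **/ annotations used in
# the excerpts match without capture groups and are dropped.
TOKEN_RE = re.compile(r'"([^"]*)"|(\{|\})|#[^\n]*|/\*.*?\*/|([^\s{}]+)', re.S)

# Keywords whose following token is recorded. 'key' is deliberately absent,
# so preshared key material is never captured or reported.
KEYS = {"laddr", "raddr", "label", "local_addr", "remote_addr", "auth_method"}


def tokenize(text):
    for m in TOKEN_RE.finditer(text):
        if m.group(1) is not None:
            yield "str", m.group(1)
        elif m.group(2):
            yield "brace", m.group(2)
        elif m.group(3):
            yield "word", m.group(3)


def blocks(text):
    """Yield one dict per top-level { ... } block with the KEYS it sets."""
    depth, cur, pending = 0, None, None
    for kind, val in tokenize(text):
        if kind == "brace":
            if val == "{":
                depth += 1
                if depth == 1:
                    cur = {}
            else:
                depth = max(depth - 1, 0)
                if depth == 0:
                    if cur:
                        yield cur
                    cur = None
            pending = None
        elif cur is not None and pending is not None:
            cur[pending] = val          # value following a recognised keyword
            pending = None
        elif cur is not None and kind == "word" and val in KEYS:
            pending = val


def policy_pairs(ipsecinit_text):
    """(laddr, raddr) pairs from ipsecinit.conf policy entries."""
    return [(b["laddr"], b["raddr"]) for b in blocks(ipsecinit_text)
            if "laddr" in b and "raddr" in b]


def ike_rules(ikev2_config_text):
    """Rule blocks from ikev2.config; every rule carries a label."""
    return [b for b in blocks(ikev2_config_text) if "label" in b]


def preshared_labels(preshared_text):
    """Labels of ikev2.preshared entries (key values are never read)."""
    return [b["label"] for b in blocks(preshared_text) if "label" in b]


def cross_check(ipsecinit_text, ikev2_config_text, preshared_text):
    """Return findings as strings; an empty list means the three files agree."""
    findings = []
    rules = ike_rules(ikev2_config_text)
    by_pair = {(r.get("local_addr"), r.get("remote_addr")): r["label"] for r in rules}
    for laddr, raddr in policy_pairs(ipsecinit_text):
        if (laddr, raddr) not in by_pair:
            findings.append(f"policy {laddr} -> {raddr} has no IKEv2 rule with "
                            f"matching local_addr/remote_addr")
    rule_labels = {r["label"] for r in rules}
    psk_labels = preshared_labels(preshared_text)
    for label in psk_labels:                      # the Example 42 condition
        if label not in rule_labels:
            findings.append(f'No matching IKEv2 rule for pre-shared key labeled "{label}"')
    for r in rules:                               # the reverse mismatch
        if r.get("auth_method") == "preshared" and r["label"] not in psk_labels:
            findings.append(f'rule "{r["label"]}" uses auth_method preshared but '
                            f"ikev2.preshared has no entry with that label")
    return findings


# Constructed sample fragments (not from any real system).
SAMPLE_IPSECINIT = """
{ laddr 192.0.2.84 raddr 192.0.2.73 } ipsec { encr_algs aes encr_auth_algs sha512 sa shared }
{ laddr 192.0.2.66 raddr 192.0.2.77 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
"""
SAMPLE_IKEV2_CONFIG = """
{ label "Test 104 to 113" auth_method preshared local_addr 192.0.2.84 remote_addr 192.0.2.73 }
"""
# Same file with a rule added for the second policy entry.
SAMPLE_IKEV2_CONFIG_FIXED = SAMPLE_IKEV2_CONFIG + """
{ label "config 192.0.2.66 to 192.0.2.77" auth_method preshared local_addr 192.0.2.66 remote_addr 192.0.2.77 }
"""
SAMPLE_PRESHARED = """
ikev2_preshared { label "Test 104 to 113" key "PLACEHOLDER-not-a-real-key" }
ikev2_preshared { label "config 192.0.2.66 to 192.0.2.77" key "PLACEHOLDER-not-a-real-key" }  # no rule yet
"""

if __name__ == "__main__":
    for line in cross_check(SAMPLE_IPSECINIT, SAMPLE_IKEV2_CONFIG, SAMPLE_PRESHARED) or ["OK"]:
        print(line)
```

With the unfixed sample, cross_check reports both halves of the problem the daemon's warning hints at: the second policy entry has no rule, and the second preshared key has no rule with its label. Adding the missing rule (SAMPLE_IKEV2_CONFIG_FIXED) clears both findings. Because the tokenizer only records the keywords in KEYS, the checker can be run against a copy of a real ikev2.preshared without ever loading the key strings into the report.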
In the following output, debug output is set to all in the ikev2 service.
# /usr/lib/inet/in.ikev2d -c
Feb 4 12:58:31: (1) Reading service properties from smf(5) repository.
...
Feb 4 12:58:31: (1) Property "debug_level" set to: "all"
...
If you have completed Step 2 in How to Troubleshoot Systems Before IPsec and IKE Are Running and the debug output is still op rather than all, use the ikeadm command to set the debug level on the running IKE daemon.
# ikeadm set debug_level all

Example 44 Preventing the Loss of IKEv2 Messages From Intermediate Devices
Because intermediate devices are dropping IKEv2 messages, the administrator lowers the fragmentation_mtu value of the ikev2 service.
The administrator displays the values of the fragmentation properties.
$ svcprop ikev2 | grep fragment
config/fragmentation_enable boolean true
config/fragmentation_mtu integer 1350
After determining the path MTU (maximum transmission unit) between the hosts exchanging IKEv2 packets, the administrator uses that value as the fragmentation_mtu value.
The path MTU is 1330.
$ pfbash svccfg -s ike:ikev2 setprop config/fragmentation_mtu = 1330
# svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2
The administrator refreshes and restarts the service, then verifies the fragmentation value.
$ svcadm refresh ipsec/ike:ikev2; svcadm restart ipsec/ike:ikev2
$ svcprop ikev2 | grep fragment
config/fragmentation_enable boolean true
config/fragmentation_mtu integer 1330