Before you enable IPsec and its key management services, you can set up your system with logs and tools that aid in troubleshooting.
The –L option provides the full path to the logs. These logs contain information messages as well as error messages.
% svcs -L policy /var/svc/log/network-ipsec-policy:default.log % svcs -L ikev2 /var/svc/log/network-ipsec-ike:ikev2.log
The root role can read these logs.
% svccfg -s ikev2 listprop | grep debug config/debug_level astring op config/debug_logfile astring /var/log/ikev2/in.ikev2d.log
The levels of debugging are described in the ikeadm(1M) man page. The values verbose and all are useful when troubleshooting.
The following command sets the debug level permanently. To set the debug level temporarily, see Example 55, Setting a New Debug Level on a Running IKE Daemon.
# svccfg -s ikev2 setprop config/debug_level = all
If the ikev2 service is enabled, it must be refreshed to use the new debug level.
# svcadm refresh ikev2
The Wireshark application can read snoop output.
% pkg info -r wireshark Name: diagnostic/wireshark Summary: Graphical network protocol analyzer Category: Applications/Internet State: Not installed Publisher: solaris ... FMRI: pkg://solaris/diagnostic/wireshark@version # pkg install diagnostic/wireshark