Securing the Network in Oracle® Solaris 11.3

Updated: September 2018
 
 

How to Prepare IPsec and IKE Systems for Troubleshooting

Before you enable IPsec and its key management services, you can set up your system with logs and tools that aid in troubleshooting.

  1. Locate the logs for the IPsec and IKEv2 services.

    The -L option provides the full path to the logs. These logs contain informational messages as well as error messages.

    % svcs -L policy
    /var/svc/log/network-ipsec-policy:default.log
    
    % svcs -L ikev2
    /var/svc/log/network-ipsec-ike:ikev2.log
  2. Configure a debug log file for IKEv2.

    The root role can read these logs.

    % svccfg -s ikev2 listprop | grep debug
    config/debug_level             astring     op
    config/debug_logfile           astring     /var/log/ikev2/in.ikev2d.log

    The levels of debugging are described in the ikeadm(1M) man page. The values verbose and all are useful when troubleshooting.

  3. (Optional) Configure the debug level.

    The following command sets the debug level permanently. To set the debug level temporarily, see Example 55, Setting a New Debug Level on a Running IKE Daemon.

    # svccfg -s ikev2 setprop config/debug_level = all

    If the ikev2 service is enabled, it must be refreshed to use the new debug level.

    # svcadm refresh ikev2
  4. (Optional) Install the wireshark package.

    The Wireshark application can read snoop output.

    % pkg info -r wireshark
              Name: diagnostic/wireshark
           Summary: Graphical network protocol analyzer
          Category: Applications/Internet
             State: Not installed
         Publisher: solaris
    ...
              FMRI: pkg://solaris/diagnostic/wireshark@version
    # pkg install diagnostic/wireshark
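
A preflight check for steps 2 and 3, as an added example that is not part of the Oracle documentation: it parses `svccfg -s ikev2 listprop` output and reports whether the debug level is one of the two values named above as useful for troubleshooting. The function names `ike_prop` and `ike_debug_ready` are hypothetical, and the sample input is constructed from the listprop output shown in step 2.

```sh
#!/bin/sh
# Added example (hypothetical helper names): check the IKEv2 debug properties
# from `svccfg -s ikev2 listprop` output supplied on stdin.

# Print the value (third column) of one SMF property.
# $1 = property name, e.g. config/debug_level. Exits 1 if the property is absent.
# Assumes the value contains no whitespace, as in the output shown in step 2.
ike_prop() {
    awk -v p="$1" '
        $1 == p { print $3; found = 1; exit }
        END     { if (!found) exit 1 }'
}

# Return 0 if debug_level is verbose or all, 1 if it is some other level,
# 2 if either debug property is missing from the input.
ike_debug_ready() {
    props=$(cat)
    level=$(printf '%s\n' "$props" | ike_prop config/debug_level) || {
        echo "config/debug_level not found" >&2; return 2; }
    logfile=$(printf '%s\n' "$props" | ike_prop config/debug_logfile) || {
        echo "config/debug_logfile not found" >&2; return 2; }
    echo "level=$level logfile=$logfile"
    case $level in
        verbose|all) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample: the two property lines from step 2.
SAMPLE='config/debug_level             astring     op
config/debug_logfile           astring     /var/log/ikev2/in.ikev2d.log'

# Offline demonstration against the sample. On a Solaris system, run instead:
#   svccfg -s ikev2 listprop | grep debug | ike_debug_ready
printf '%s\n' "$SAMPLE" | ike_debug_ready ||
    echo "debug level is not verbose or all; see step 3 to change it"
```
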