Login
- Table of Contents
-
- 07-System
- 01-High availability group
- 02-VRRP
- 03-Track
- 04-BFD
- 05-NQA
- 06-Basic log settings
- 07-Email server
- 08-Session log settings
- 09-NAT log settings
- 10-AFT log settings
- 11-Sandbox log settings
- 12-Threat log settings
- 13-Application audit log settings
- 14-NetShare log settings
- 15-URL filtering log settings
- 16-Attack defense log settings
- 17-Reputation log settings
- 18-Bandwidth alarm logs
- 19-Configuration log settings
- 20-Security policy log
- 21-Terminal identification logging
- 22-Heartbeat log settings
- 23-WAF log settings
- 24-IP access logs
- 25-MAC access log
- 26-Load balancing logging
- 27-Bandwidth management logs
- 28-Context rate limit logging
- 29-Zero trust logs
- 30-Report settings
- 31-Session settings
- 32-Signature upgrade
- 33-Software upgrade
- 34-License management
- 35-IRF
- 36-IRF advanced settings
- 37-Contexts
- 38-Administrators
- 39-Date and time
- 40-MAC address learning through a Layer 3 device
- 41-SNMP
- 42-Configuration management
- 43-Reboot
- 44-About
- 45-Ping
- 46-Tracert
- 47-Packet capture
- 48-Webpage Diagnosis
- 49-Diagnostic Info
- 50-Packet trace
- 51-Load balancing test
- 52-IPsec diagnosis
- 53-Fast Internet Access
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 52-IPsec diagnosis | 98.32 KB |
Introduction
IPsec diagnosis can detect the status of IPsec connections. If the diagnosed IPsec connection is faulty, you can use the diagnosis results to check for misconfigurations and find possible causes.
The following diagnosis modes are supported:
· Data flow—The system obtains the IPsec policy according to the specified data flow to initiate diagnosis of IPsec with the peer.
· Interface—The system obtains the IPsec policy according to the specified interface to initiate diagnosis of IPsec with the peer.
· IP address—The system starts diagnosis of IPsec with the peer (specified by its IP address) after the peer initiates the IPsec connection.
Table 1 IPsec diagnosis items
|
Item |
Description |
|
IPsec peer reachability |
Determines whether a route to the peer IP address exists in the routing table. |
|
Interface state |
Determines the physical layer status and IP protocol layer status of the interface. The system determines the interface to check according to the diagnosis mode: · In data flow and IP address modes, the outgoing interface found through routing table lookup is checked. · In interface mode, the interface specified by the user is checked. |
|
If IPsec policy applied on interface |
Determines whether an IPsec policy is applied to the interface. |
|
If ACL rule in IPsec policy matches specified flow |
This item is available only for IPsec diagnosis in data flow mode. Check the IPsec policy configuration if this item displays No. |
|
If ACL rule can match flow on the interface |
This item is available only for IPsec diagnosis in interface mode. This item shows whether the ACL used in the IPsec policy contains permit rules to identify traffic that needs IPsec protection. The permit rules are required for IPsec to operate correctly. |
|
IPsec policy configuration check |
Checks if the IPsec policy configuration is complete. · In data flow or interface mode, the following settings are checked: ¡ ACL used to identify the traffic to be protected. ¡ Security parameters for IPsec SA negotiation. ¡ Local and remote IP addresses of the IPsec tunnel. ¡ SA parameters. · In IP address mode, the following settings are checked: ¡ Security parameters for IPsec SA negotiation. ¡ SA parameters. |
|
IKE negotiation result |
If the IKE negotiation is operating correctly, this item displays IKE negotiation succeeded or IKE SA already exists. Any other information indicates that the IKE negotiation is faulty. Follow the instructions to find the cause. For example, verify that the local end and peer end have correct and matching IKE profiles. |
|
IPsec negotiation result |
If the IPsec negotiation is operating correctly, this item displays IPsec negotiation succeeded or IPsec tunnel already exists. Any other information indicates that the IPsec negotiation is faulty. Follow the instructions to find the cause. For example, verify that the local end and peer end have correct and matching IPsec policy settings. |
Restrictions and guidelines
· In data flow mode, specify the source and destination IP addresses of the data flow before IPsec encapsulation in the Source IP address and Destination IP address fields.
· In data flow and interface modes, IPsec diagnosis works only if the device can find an IPsec policy to initiate an IPsec connection. IPsec policies configured by using IPsec policy templates cannot initiate IPsec connections, so they are ignored during IPsec diagnosis in data flow or interface mode.
· An IPsec diagnosis in data flow or interface mode can last up to 20 minutes. After the timer expires, the diagnosis stops and the completed diagnosis items are displayed.
· An IPsec diagnosis in IP address mode starts when it detects an IPsec connection initiated by the peer and stops when it finishes diagnosis for the IPsec connection.
· Only one IPsec diagnosis can run at the same time.
· IPsec diagnosis is available only on the IPv4 network.
· The device supports IPsec policy-based IPsec diagnosis but does not support IPsec profile-based IPsec diagnosis.
· The VRF is the VPN instance of the interface where the IPsec policy is applied.
