Analysis related to IPsec VPN


Pull the iked packet trace out of the edge syslog (rotated files included):

grep 'IKEv2 packet' syslog.*

 

IKE session down reasons:

| Down reason | Meaning | Remedy |
|---|---|---|
| Session disabled | Admin has disabled the session. | Enable the session. |
| IPSec service not active | The VPN service used by the session is not active. | Check the admin status of the IPsec service. |
| Authentication Failure | Edge failed to authenticate the peer during IKE SA setup. | Check for a mismatch in IDs or authentication credentials (pre-shared key value / certificate). For remote peers behind NAT, validate that the remote peer's local ID equals the NSX-T VPN Advanced Tunnel Parameters "Remote Private IP". |
| No proposal chosen | Peer answered the request sent from the Edge with a "No proposal chosen" failure: the phase 1/2 algorithms are not consistent between the local and the peer configuration. | Check that the crypto algorithms configured in the IKE profile associated with the session match the peer's configuration. |
| Negotiation not started | IKE negotiation was not started for this session. | Check whether the session is configured as Responder or On-Demand. Responder: IKE negotiation must be started from the peer side. On-Demand: the datapath triggers SA negotiation when it receives packets matching the IPsec policy and no SA exists yet; send a ping that matches the session's outbound rules and see whether negotiation starts. |
| TS unacceptable | IPsec SA setup failed because the policy rule (traffic selector) definitions of the two gateways do not match. | Check the local and remote network configuration on both gateways. |
| Peer not reachable | Authentication or DPD timeout. | Check network connectivity to the peer. |
| Configuration Failed | Configuration of the session failed within IKED. | Read the configuration failure reason with `edge-appctl ike.ctl session/get`. Most likely an unsupported configuration that the MP accepted was sent to IKED. Check with the IPsec team (nsxt-ipsec-tech@vmware.com). |
| Peer sent delete | Peer deleted the IKE SA and sent a Delete to the Edge. | Check why the peer sent the Delete. In most such cases the Edge is not configured to initiate the tunnel and is waiting for the peer to initiate it. |
| SR state is not Active | IKED sees that the SR is not ACTIVE; sessions are not realized unless the SR is Active. | If the SR's HA status is not Active, fix the HA problem. If HA reports the SR Active but IKED still reports this reason, it is most likely an IKED bug. |
| Peer not responding | No response from the peer to the requests sent to establish the IKE SA (DPD timeout). | If the peer is actually up, this is most likely routing, on the Edge or in the network behind the uplink. Ping the peer gateway IP from the Tier-0 SR VRF context. If that fails, check the route to the peer (default route via the uplink interface, or the peer gateway prefix reachable over the uplink). If ping works, IKE packets may reach the peer but it does not answer because of an IPsec misconfiguration; check the VPN configuration on the peer gateway. Also check for a firewall or NAT between the Edge and the peer gateway; this may require configuration changes on the Edge. |

IPsec tunnel (policy rule) down reasons:

| Down reason | Meaning | Remedy |
|---|---|---|
| IKE SA Down | The IKE session for this policy rule is down, hence the tunnel is down. | Troubleshoot why the session is down (table above). |
| No Proposal chosen | The crypto algorithms configured for the IPsec SA do not match the peer's. | Compare the algorithms in the tunnel profile associated with the session with the corresponding configuration on the peer. |
| Selector Mismatch | IPsec SA negotiation failed because the policy rules on the Edge do not match the configuration on the peer gateway. | Check for matching subnets on both gateways. |
| Negotiation not started | IPsec SA negotiation was not started for this session. | Either the IKE SA is not established or there is no traffic matching the IPsec SP. |
| Peer sent delete | Peer deleted the IPsec SA and sent a Delete to the Edge. | Check why the peer sent the Delete. In most such cases the Edge is not configured to initiate the tunnel and is waiting for the peer to initiate it. |
| Phase-1 failed | Phase 1 negotiation has failed. | |
| No IKE peers | All IKE peers are dead; no peer is left to try the connection with. | Check peer connectivity, whether it is up. |

 

 

 

## When NAT-T is configured, negotiation is attempted on UDP port 4500. If the attempts repeat and only retransmission messages are seen,

the peer VPN device is judged not to have NAT-T configured; and because the address itself is a public IP, NAT-T is judged to be an unnecessary setting.

A caveat on the mechanism: in IKEv2, moving to UDP/4500 is not a free-standing option but the outcome of NAT detection in IKE_SA_INIT (the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies, RFC 7296 section 2.23). With two public endpoints and no address rewrite in the path, the SA stays on 500. What makes the capture below diagnostic is the contrast: the requests to x.x.x.2:4500 retransmit up to count=10 with no R line, while the exchange with the same peer on x.x.x.2:500 (mID=2, and mID=3 a minute later) is answered within milliseconds. The edge reaches the peer; only UDP/4500 toward that peer is black-holed, which means a filter or NAT that passes 500 but not 4500, or a peer that is not servicing 4500. Dropping the NAT-T setting is the right fix only if nothing in the path translates addresses; otherwise the 4500 path has to be opened. The other pattern in the same capture, x.x.x.11:500 -> 3.37.177.164:500 retransmitting from count=6 to 10 with no reply on any port, is the case the table files under "Peer not responding".
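The paragraph above turns on the fact that an IKEv2 peer never uses port 4500 "because it is configured"; it moves there when a hash comparison in IKE_SA_INIT shows an address rewrite. The following Python is an added example written for this page (not NSX-T code and not from the original post; the SPIs and addresses are constructed documentation values) implementing that check from RFC 7296 section 2.23 for three cases: no NAT, initiator behind NAT, responder behind NAT.

```python
"""Added example for this page (not NSX-T code, not from the original post):
how an IKEv2 responder decides whether an SA moves from UDP/500 to UDP/4500.

RFC 7296 section 2.23: each IKE_SA_INIT carries NAT_DETECTION_SOURCE_IP and
NAT_DETECTION_DESTINATION_IP notifies, each SHA-1(SPIi || SPIr || IP || port)
over the addresses the sender believes it is using. The receiver recomputes
both over the addresses it actually saw on the datagram; a mismatch means a
NAT rewrote the header and both sides continue on port 4500 with UDP
encapsulation. No mismatch: the SA stays on 500, whatever a "NAT-T" knob says.
All SPIs and addresses below are constructed for the example.
"""
import hashlib
import ipaddress

SPI_I = bytes.fromhex("0011223344556677")  # constructed initiator SPI
SPI_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder SPI


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi, SPIr (8 bytes each, header order), packed IPv4/IPv6, 16-bit port."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    if not 0 < port < 65536:
        raise ValueError("bad UDP port")
    return hashlib.sha1(
        spi_i + spi_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    ).digest()


def responder_nat_check(spi_i, spi_r, claimed_src, claimed_dst, seen_src, seen_dst):
    """What the responder concludes from the initiator's IKE_SA_INIT.

    claimed_src / claimed_dst: (ip, port) the initiator hashed into its notifies.
    seen_src: (ip, port) the datagram carried when it reached the responder.
    seen_dst: (ip, port) of the responder's own socket that received it.
    Returns (initiator_behind_nat, responder_behind_nat).
    """
    src_notify = nat_detection_hash(spi_i, spi_r, *claimed_src)
    dst_notify = nat_detection_hash(spi_i, spi_r, *claimed_dst)
    # SOURCE mismatch: the initiator's address/port was rewritten on the way -> NAT on its side.
    # DESTINATION mismatch: the initiator addressed an IP/port the responder does not own
    # -> NAT in front of the responder.
    return (
        src_notify != nat_detection_hash(spi_i, spi_r, *seen_src),
        dst_notify != nat_detection_hash(spi_i, spi_r, *seen_dst),
    )


def negotiated_port(*args) -> int:
    """Port the IKE SA (and UDP-encapsulated ESP) continues on: 4500 only if a NAT was detected."""
    return 4500 if any(responder_nat_check(*args)) else 500


if __name__ == "__main__":
    cases = {
        "public to public, no NAT":
            (("198.51.100.5", 500), ("203.0.113.2", 500), ("198.51.100.5", 500), ("203.0.113.2", 500)),
        "initiator behind NAT":
            (("192.168.1.10", 500), ("203.0.113.2", 500), ("198.51.100.5", 40001), ("203.0.113.2", 500)),
        "responder behind NAT":
            (("198.51.100.5", 500), ("203.0.113.2", 500), ("198.51.100.5", 500), ("10.0.0.2", 500)),
    }
    for name, addrs in cases.items():
        print(f"{name}: nat={responder_nat_check(SPI_I, SPI_R, *addrs)} port={negotiated_port(SPI_I, SPI_R, *addrs)}")
```

The first case is the one the paragraph describes: two public addresses, both hashes match, and a correct implementation keeps everything on 500. If a peer nevertheless sends on 4500, or a packet filter in between only knows about 500, the requests on 4500 go unanswered exactly as in the capture.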

 

2023-11-27T11:27:15.570Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 ->  193.2:4500): len=   84, mID=0, HDR(47d0bb7c1d8ec1e6_i, e1824372bf49b2fb_r)

2023-11-27T11:27:15.586Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:500 -> x.x.x.2:500): len=   80, mID=2, HDR(6b7e8f84ec5307da_i, 8fe501b6380e4040_r)

2023-11-27T11:27:15.589Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.5:500 <- x.x.x.2:500): len=   48, mID=2, HDR(6b7e8f84ec5307da_i, 8fe501b6380e4040_r)

2023-11-27T11:27:16.070Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=1)

2023-11-27T11:27:17.070Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=2)

2023-11-27T11:27:18.062Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:500 -> x.x.x.211:500): len=   80, mID=991, HDR(a009cafc3e55ff38_i, b3df627a7dfe360e_r)

2023-11-27T11:27:18.062Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:500 -> x.x.x.211:500): len=   80, mID=991, HDR(90a06bfc93bdc2bd_i, 7cb760ed5aca75a3_r)

2023-11-27T11:27:18.068Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.5:500 <- x.x.x.211:500): len=   48, mID=991, HDR(a009cafc3e55ff38_i, b3df627a7dfe360e_r)

2023-11-27T11:27:18.069Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.5:500 <- x.x.x.211:500): len=   48, mID=991, HDR(90a06bfc93bdc2bd_i, 7cb760ed5aca75a3_r)

2023-11-27T11:27:18.566Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:500 -> 3.37.177.164:500): mID=0 (retransmit count=6)

2023-11-27T11:27:19.070Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=3)

2023-11-27T11:27:20.796Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.11:4500 <-x.x.x.31:4500): len=   52, mID=1154, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:27:20.796Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:4500 ->x.x.x.31:4500): len=   84, mID=1154, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:27:23.071Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=4)

2023-11-27T11:27:24.566Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:500 -> 3.37.177.164:500): mID=0 (retransmit count=7)

2023-11-27T11:27:29.071Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=5)

2023-11-27T11:27:30.566Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:500 -> 3.37.177.164:500): mID=0 (retransmit count=8)

2023-11-27T11:27:30.796Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.11:4500 <-x.x.x.31:4500): len=   52, mID=1155, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:26:10.933Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-sync-handler" level="DBG"] IKE SA flags - done: 1, unusable: 0, failed: 0, rekeyed: 0, error: 0

2023-11-27T11:27:35.071Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=6)

2023-11-27T11:27:36.566Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:500 -> 3.37.177.164:500): mID=0 (retransmit count=9)

2023-11-27T11:27:40.797Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.11:4500 <-x.x.x.31:4500): len=   52, mID=1156, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:27:40.797Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:4500 ->x.x.x.31:4500): len=   84, mID=1156, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:27:41.071Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=7)

2023-11-27T11:27:42.567Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:500 -> 3.37.177.164:500): mID=0 (retransmit count=10)

2023-11-27T11:27:47.071Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=8)

2023-11-27T11:27:50.797Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.11:4500 <-x.x.x.31:4500): len=   52, mID=1157, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:27:50.797Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:4500 ->x.x.x.31:4500): len=   84, mID=1157, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:27:53.071Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=9)

2023-11-27T11:27:59.071Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:4500 -> x.x.x.2:4500): mID=0 (retransmit count=10)

2023-11-27T11:28:00.798Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.11:4500 <-x.x.x.31:4500): len=   52, mID=1158, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:28:00.798Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:4500 ->x.x.x.31:4500): len=   84, mID=1158, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:28:10.798Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.11:4500 <-x.x.x.31:4500): len=   52, mID=1159, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:28:10.798Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.11:4500 ->x.x.x.31:4500): len=   84, mID=1159, HDR(3a231abc8c0c4ae4_i, e56f394e512be860_r)

2023-11-27T11:28:15.586Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(x.x.x.5:500 -> x.x.x.2:500): len=   80, mID=3, HDR(6b7e8f84ec5307da_i, 8fe501b6380e4040_r)

2023-11-27T11:28:15.589Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(x.x.x.5:500 <- x.x.x.2:500): len=   48, mID=3, HDR(6b7e8f84ec5307da_i, 8fe501b6380e4040_r)


## DEL received from 211.221.193.2:500, IPsec DOWN: the Edge received an IKE SA DEL message from the peer.

Because the IKE SA was deleted at the peer's request, the IPsec VPN status went DOWN.
It is easiest to think of the IKE SA and the IPsec SA as parent and child: the IKE SA is the parent and can have one or more IPsec (child) SAs under it.

Deleting the parent takes the children with it: an IKE SA delete implicitly deletes every child SA under it (RFC 7296 section 1.4.1), so the ESP SA (inbound SPI 51f4ca05, outbound SPI 0580493a) is destroyed in the same millisecond the DEL arrives and the tunnel is reported IPSEC_STATUS_DOWN. The IKE session itself is reported IKE_STATUS_DOWN with error "Peer sent delete" 30 seconds later (11:26:45), which is the down reason listed in the table above.

2023-11-27T11:26:15.266Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="DBG"] RX REQ-0 HDR,SK{-}

2023-11-27T11:26:15.266Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(X.x.x.5:500 <- X.x.x.2:500): len=   56, mID=0, HDR(0154258445d0d0ec_i, afdce468d4a081a4_r), DEL

2023-11-27T11:26:15.266Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="DBG"] decoding packet

2023-11-27T11:26:15.266Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="DBG"] responder INFO started

2023-11-27T11:26:15.266Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="DBG"] TX RSP-0 HDR,SK{}

2023-11-27T11:26:15.267Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(X.x.x.5:500 -> X.x.x.2:500): len=   80, mID=0, HDR(0154258445d0d0ec_i, afdce468d4a081a4_r)

2023-11-27T11:26:15.267Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="DBG"] responder INFO completed

2023-11-27T11:26:15.267Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IPsec SA EVENT:

2023-11-27T11:26:15.267Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"]  IPsec SA ESP Inbound SPI 51f4ca05, Outbound SPI 0580493a: destroyed

 

2023-11-27T11:26:15.267Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] Request for IPSEC tunnel status update : tunnel: 8195, rule: 523723542, local_ip: 123.37.16.5, peer_ip: 211.221.193.2 inbound_spi: 0x51f4ca05, outbound_spi: 0x580493a status: IPSEC_STATUS_DOWN, error:

 

 

 

## The same DEL next to the IKE session status update it produced

2023-11-27T11:26:15.266Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(X.x.x:500 <- X.x.x.2:500): len=   56, mID=0, HDR(0154258445d0d0ec_i, afdce468d4a081a4_r), DEL
2023-11-27T11:26:45.267Z be01-eg389-swn NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-event" level="INFO"] Request for IKE session status update for session: 8195, local_ip: X.x.x.5, peer_ip: X.x.x.2 status: IKE_STATUS_DOWN, error: Peer sent delete

The log above is produced when the peer side re-establishes the IKE SA toward this VPN to keep it current, and together with that request it sends a DEL for the previous IKE SA. It was confirmed not to be a log related to a service outage.

What separates this benign case from the table's "Peer sent delete" outage is what follows the DEL. In the first capture the SA that received the DEL (0154258445d0d0ec_i / afdce468d4a081a4_r) is gone, but a different SA toward the same peer (6b7e8f84ec5307da_i / 8fe501b6380e4040_r on x.x.x.2:500) is exchanging answered requests a minute later, so traffic has a tunnel to use. If no replacement SA appears after the DEL and the tunnel status never comes back up, the delete is the outage and the question becomes why the peer tore the SA down.
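Both things this post reads out of the log by eye, the unanswered UDP/4500 retransmits in the first capture and the DEL followed by DOWN status updates in this one, can be checked mechanically. The Python below is an added example written for this page (not NSX-T tooling and not from the post; the sample lines are constructed in the post's log format with documentation addresses and made-up SPIs). It parses iked "IKEv2 packet" and status-update lines, builds per-peer, per-port sent/received/retransmit counts, classifies each peer the way the down-reason table does, and correlates each received DEL with the status updates that follow it.

```python
"""Added example (written for this page; not NSX-T tooling, not from the post).
Parses iked 'IKEv2 packet' / status-update lines in the format shown above and
answers two questions mechanically: which peer:port gets edge requests that are
never answered (and whether the same peer answers on another port), and which
received DEL is followed by *_STATUS_DOWN updates for that peer.
SAMPLE_LOG is constructed: documentation addresses, made-up SPIs, the post's format.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timezone

PKT_RE = re.compile(
    r"^(?P<ts>\S+) .*?IKEv2 packet (?P<dir>[SR])\("
    r"(?P<local>[^\s:]+):\d+ (?:->|<-) ?(?P<peer>[^\s:]+):(?P<port>\d+)\): "
    r"(?:len=\s*\d+, mID=\d+, HDR\((?P<spi_i>\w+)_i, (?P<spi_r>\w+)_r\)(?P<del>, DEL)?"
    r"|mID=\d+ \(retransmit count=(?P<retx>\d+)\))"
)
STATUS_RE = re.compile(
    r"^(?P<ts>\S+) .*?status update.*?peer_ip: (?P<peer>[^\s,]+).*?status: (?P<status>\w+)"
)
PFX = ' edge1 NSX 7757 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="{}" level="INFO"] '
SAMPLE_LOG = "\n".join([  # constructed sample, same shape as the post's lines
    "2023-11-27T11:26:15.266Z" + PFX.format("ike-stack") + "IKEv2 packet R(198.51.100.5:500 <- 203.0.113.2:500): len=   56, mID=0, HDR(0102030405060708_i, 1112131415161718_r), DEL",
    "2023-11-27T11:26:15.267Z" + PFX.format("iked-main") + "Request for IPSEC tunnel status update : tunnel: 8195, rule: 1, local_ip: 198.51.100.5, peer_ip: 203.0.113.2 inbound_spi: 0x51f4ca05, outbound_spi: 0x580493a status: IPSEC_STATUS_DOWN, error:",
    "2023-11-27T11:26:45.267Z" + PFX.format("iked-event") + "Request for IKE session status update for session: 8195, local_ip: 198.51.100.5, peer_ip: 203.0.113.2 status: IKE_STATUS_DOWN, error: Peer sent delete",
    "2023-11-27T11:27:15.570Z" + PFX.format("ike-stack") + "IKEv2 packet S(198.51.100.5:4500 -> 203.0.113.2:4500): len=   84, mID=0, HDR(2122232425262728_i, 3132333435363738_r)",
    "2023-11-27T11:27:15.586Z" + PFX.format("ike-stack") + "IKEv2 packet S(198.51.100.5:500 -> 203.0.113.2:500): len=   80, mID=2, HDR(4142434445464748_i, 5152535455565758_r)",
    "2023-11-27T11:27:15.589Z" + PFX.format("ike-stack") + "IKEv2 packet R(198.51.100.5:500 <- 203.0.113.2:500): len=   48, mID=2, HDR(4142434445464748_i, 5152535455565758_r)",
    "2023-11-27T11:27:16.070Z" + PFX.format("ike-stack") + "IKEv2 packet S(198.51.100.5:4500 -> 203.0.113.2:4500): mID=0 (retransmit count=1)",
    "2023-11-27T11:27:17.070Z" + PFX.format("ike-stack") + "IKEv2 packet S(198.51.100.5:4500 -> 203.0.113.2:4500): mID=0 (retransmit count=2)",
    "2023-11-27T11:27:19.070Z" + PFX.format("ike-stack") + "IKEv2 packet S(198.51.100.5:4500 -> 203.0.113.2:4500): mID=0 (retransmit count=3)",
    "2023-11-27T11:27:18.566Z" + PFX.format("ike-stack") + "IKEv2 packet S(198.51.100.11:500 -> 192.0.2.164:500): mID=0 (retransmit count=6)",
    "2023-11-27T11:27:24.566Z" + PFX.format("ike-stack") + "IKEv2 packet S(198.51.100.11:500 -> 192.0.2.164:500): mID=0 (retransmit count=7)",
])


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse(lines):
    """Yield packet/status events. In this format the left address is always the edge and
    the right one the peer, for both S(edge -> peer) and R(edge <- peer)."""
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            yield {"kind": "pkt", "ts": _ts(m["ts"]), "dir": m["dir"], "peer": m["peer"],
                   "port": int(m["port"]), "retx": int(m["retx"] or 0),
                   "delete": m["del"] is not None, "spi": (m["spi_i"], m["spi_r"])}
            continue
        m = STATUS_RE.search(line)
        if m:
            yield {"kind": "status", "ts": _ts(m["ts"]), "peer": m["peer"], "status": m["status"]}


def peer_port_stats(events):
    """(peer, port) -> requests sent, packets received, highest retransmit count seen."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0, "max_retx": 0})
    for e in (e for e in events if e["kind"] == "pkt"):
        s = stats[(e["peer"], e["port"])]
        if e["dir"] == "S":
            s["sent"] += 1
            s["max_retx"] = max(s["max_retx"], e["retx"])
        else:
            s["received"] += 1
    return dict(stats)


def diagnose(stats, min_retx=3):
    """Per peer: ports that retransmit >= min_retx with nothing ever received ('dead'),
    ports that do answer ('alive'), and a verdict in the spirit of the down-reason table."""
    ports = defaultdict(dict)
    for (peer, port), s in stats.items():
        ports[peer][port] = s
    out = {}
    for peer, by_port in ports.items():
        dead = [p for p, s in by_port.items() if s["received"] == 0 and s["max_retx"] >= min_retx]
        alive = [p for p, s in by_port.items() if s["received"] > 0]
        if dead:  # answers on one port but black-holes another: that port's path is the problem
            out[peer] = {"dead": dead, "alive": alive, "verdict": "port-specific" if alive else "unreachable"}
    return out


def delete_to_down(events, window_s=60):
    """For every received DEL, the status updates for that peer within window_s seconds."""
    ordered = sorted(events, key=lambda e: e["ts"])
    found = []
    for i, e in enumerate(ordered):
        if e["kind"] == "pkt" and e["dir"] == "R" and e["delete"]:
            after = [(f["status"], (f["ts"] - e["ts"]).total_seconds()) for f in ordered[i + 1:]
                     if f["kind"] == "status" and f["peer"] == e["peer"]
                     and (f["ts"] - e["ts"]).total_seconds() <= window_s]
            found.append({"ts": e["ts"].isoformat(), "peer": e["peer"], "spi": e["spi"], "after": after})
    return found


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    ev = list(parse(src))
    for peer, f in diagnose(peer_port_stats(ev)).items():
        print(f"{peer}: {f['verdict']} (dead={f['dead']} alive={f['alive']})")
    for d in delete_to_down(ev):
        print(f"DEL from {d['peer']} spi={d['spi']} -> {d['after']}")
```

Run it as `python3 ike_log_triage.py syslog` on the output of the grep at the top of the page (the file name is an assumption). On the constructed sample it reports 203.0.113.2 as "port-specific" (dead on 4500, alive on 500) and 192.0.2.164 as "unreachable", and ties the single DEL to the IPSEC_STATUS_DOWN and IKE_STATUS_DOWN that follow it. A DEL whose peer shows new S/R traffic under a different SPI pair afterwards is the rekey case; one with no follow-up traffic is the real "Peer sent delete".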

 

 

 
