nvisentin_FTNT
Article Id 198232
Description
The IKE debug at level -1 (or 128) provides an ASCII hex dump of clear-text, encrypted and decrypted IKEv1 packets. Because this dump contains the complete IKEv1 payload, it can be converted to PCAP using the text2pcap utility that ships with Wireshark.

This can be really useful to troubleshoot IPsec VPN negotiation failures.

Solution
Here is an example of an IKEv1 phase 1 (main mode) negotiation as printed by "diagnose debug application ike -1":

2016-05-26 07:49:06 ike 0:p1: auto-negotiate connection
2016-05-26 07:49:06 ike 0:p1: created connection: 0xb6fe810 6 10.5.18.8->10.5.17.111:500.
2016-05-26 07:49:06 ike 0:p1:14: initiator: main mode is sending 1st message...
2016-05-26 07:49:06 ike 0:p1:14: cookie 12f2cbed073d6dba/0000000000000000
2016-05-26 07:49:06 ike 0:p1:14: out 12F2CBED073D6DBA00000000000000000110020000000000000001
280D00005800000001
000000010000004C010100020300002001010000800B0001800C708080010005800300018
0020002800400050000002402010000800B0001800C708080010007800E00808003000180020002800400050D00
00144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464
335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83
821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570
1000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000148299031757A36082C6A621DE0005013E
2016-05-26 07:49:06 ike 0:p1:14: sent IKE msg (ident_i1send): 10.5.18.8:500->10.5.17.111:500, len=296, id=12f2cbed073d6dba/0000000000000000

2016-05-26 07:49:06 ike 0: comes 10.5.17.111:500->10.5.18.8:500,ifindex=6....
2016-05-26 07:49:06 ike 0: IKEv1 exchange=Identity Protection id=12f2cbed073d6dba/21c98f93c506f466 len=160
2016-05-26 07:49:06 ike 0: in 12F2CBED073D6DBA21C98F93C506F4660110020000000000000000A00D000
034000000010000000100000028010100010000002001010000800B0001800C7080800100058003000180020002
800400050D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0
000148299031757A36082C6A621DE0005013E000000144048B7D56EBCE88525E7DE7F00D6C2D3

2016-05-26 07:49:06 ike 0:p1:14: initiator: main mode get 1st response...
2016-05-26 07:49:06 ike 0:p1:14: VID RFC 3947 4A131C81070358455C5728F20E95452F
2016-05-26 07:49:06 ike 0:p1:14: VID DPD AFCAD71368A1F1C96B8696FC77570100
2016-05-26 07:49:06 ike 0:p1:14: DPD negotiated
2016-05-26 07:49:06 ike 0:p1:14: VID FORTIGATE 8299031757A36082C6A621DE0005013E
2016-05-26 07:49:06 ike 0:p1:14: peer is FortiGate/FortiOS (v5 b318)
2016-05-26 07:49:06 ike 0:p1:14: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
2016-05-26 07:49:06 ike 0:p1:14: selected NAT-T version: RFC 3947
2016-05-26 07:49:06 ike 0:p1:14: negotiation result
2016-05-26 07:49:06 ike 0:p1:14: proposal id = 1:
2016-05-26 07:49:06 ike 0:p1:14:   protocol id = ISAKMP:
2016-05-26 07:49:06 ike 0:p1:14:      trans_id = KEY_IKE.
2016-05-26 07:49:06 ike 0:p1:14:      encapsulation = IKE/none
2016-05-26 07:49:06 ike 0:p1:14:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
2016-05-26 07:49:06 ike 0:p1:14:         type=OAKLEY_HASH_ALG, val=SHA.
2016-05-26 07:49:06 ike 0:p1:14:         type=AUTH_METHOD, val=PRESHARED_KEY.
2016-05-26 07:49:06 ike 0:p1:14:         type=OAKLEY_GROUP, val=1536.
2016-05-26 07:49:06 ike 0:p1:14: ISAKMP SA lifetime=28800
2016-05-26 07:49:06 ike 0:p1:14: out 12F2CBED073D6DBA21C98F93C506F4660410020000000000000001
240A0000C4FFC179E15EDE3ADAE7BF129B1AF86E212FDD7B6166C5835976EC1401B42C004B0CECFC249609F63E9
0EB5BC7927FFC611BB235055CFBC9E173BA542C0669C56C5C6DD0FD280B1FE02938813807C0F128B07FC42EFC52
105B2BF80C23A25C6E841CA40D529DB48A94DED92BBC69C21B83FB42B41104A602CE051EF12DF42CB0D056EDBF8
ACEBE6549701A4D5947F94F5C03EFCF6A4F30E02090778D7759660D5275030B8D25D75E627E024B6B9694E4840E
176E5A459EA25B5BF7877D500D4BB814000014578D69948292042CCD14BC1069D13F691400001891229800050E1
BE11BB5078C7F55CF2B4D95D797000000188268BC627325815CA3480D7657F026CA36F69E12

2016-05-26 07:49:06 ike 0:p1:14: sent IKE msg (ident_i2send): 10.5.18.8:500->10.5.17.111:500, len=292, id=12f2cbed073d6dba/21c98f93c506f466
2016-05-26 07:49:06 ike 0: comes 10.5.17.111:500->10.5.18.8:500,ifindex=6....
2016-05-26 07:49:06 ike 0: IKEv1 exchange=Identity Protection id=12f2cbed073d6dba/21c98f93c506f466 len=292
2016-05-26 07:49:06 ike 0: in 12F2CBED073D6DBA21C98F93C506F4660410020000000000000001240A000
0C4AC4DE650546B3663C6C00DC05081E8A980BADA2AF8402DABA3E2497401FEC08B03B3C99462129BAFE0BEF266
630942C20D9363292ED788EE4572612F1728190777282F37E4619FA48CECB01929A0BFD5611D223466ACD518A17
83E7F0F3F848B7B10F9754E3927791E1569D71F5CF68633BA614518B9FE6C75CC7CAE962AD686B527E7DAD02595
EEE423D843D2E18BB121F90E3A169C8A3AFD2FFD456DC828A583F29C87BA37AA482BA4D243011573D2604E18552
509BA11913A84A8C0DC5282140000142A5ADDACEEAF6FB4F47C4D64FE98D683140000188268BC627325815CA348
0D7657F026CA36F69E120000001891229800050E1BE11BB5078C7F55CF2B4D95D797

2016-05-26 07:49:06 ike 0:p1:14: initiator: main mode get 2nd response...
2016-05-26 07:49:06 ike 0:p1:14: NAT not detected
2016-05-26 07:49:06 ike 0:p1:14: ISAKMP SA 12f2cbed073d6dba/21c98f93c506f466 key24:DA2BDFAB6CF28845E9924B277DE05EF59D0EE73ED0B0E82C
2016-05-26 07:49:06 ike 0:p1:14: add INITIAL-CONTACT
2016-05-26 07:49:06 ike 0:p1:14: enc 12F2CBED073D6DBA21C98F93C506F4660510020100000000000000
5C0800000C010000000A0512080B000018BA91CE6A342BB947DC894CD646A6801A36AC267E0000001C000000010
110600212F2CBED073D6DBA21C98F93C506F466

2016-05-26 07:49:06 ike 0:p1:14: out 12F2CBED073D6DBA21C98F93C506F4660510020100000000000000
64E8C20200B9BB8BEDDD4D9A300F42FB87310C6A54CB854F197A3C4F34ABA36FD3819E782BFA4DEA4D8BA5C91F0
AE70ADB888D7C4BE1C1D734FEF7DDF81B788637CF70E8EB775EB909

2016-05-26 07:49:06 ike 0:p1:14: sent IKE msg (ident_i3send): 10.5.18.8:500->10.5.17.111:500, len=100, id=12f2cbed073d6dba/21c98f93c506f466
2016-05-26 07:49:06 ike 0: comes 10.5.17.111:500->10.5.18.8:500,ifindex=6....
2016-05-26 07:49:06 ike 0: IKEv1 exchange=Identity Protection id=12f2cbed073d6dba/21c98f93c506f466 len=68
2016-05-26 07:49:06 ike 0: in 12F2CBED073D6DBA21C98F93C506F466051002010000000000000044C8F7F
2E24C0DE65363AAE3B40B51F29F26CBB0D503525884C316736F1200414A09661F55E27483A1

2016-05-26 07:49:06 ike 0:p1:14: initiator: main mode get 3rd response...
2016-05-26 07:49:06 ike 0:p1:14: dec 12F2CBED073D6DBA21C98F93C506F4660510020100000000000000
440800000C010000000A05116F0000001800EC49A5FEC28AABF6277BCEE9030157B3FAED25A2279B03

2016-05-26 07:49:06 ike 0:p1:14: PSK authentication succeeded
2016-05-26 07:49:06 ike 0:p1:14: authentication OK
2016-05-26 07:49:06 ike 0:p1:14: established IKE SA 12f2cbed073d6dba/21c98f93c506f466
2016-05-26 07:49:06 ike 0:p1:14: HA send IKE SA 12f2cbed073d6dba/21c98f93c506f466
2016-05-26 07:49:06 ike 0:p1:14: HA send IKE SA add 12f2cbed073d6dba/21c98f93c506f466
2016-05-26 07:49:06 ike 0:p1: set oper up

We will focus on the 3rd message of the main mode negotiation received from the peer.

Note that the first and second messages of the main mode negotiation are not encrypted (the Encryption flag in the ISAKMP header is not set). The third message is encrypted, but the debug provides both the encrypted dump (the "in" line) and the decrypted dump (the "dec" line above). The decrypted dump is:

12F2CBED073D6DBA21C98F93C506F4660510020100000000000000440800000C010000000A05116F0000001800EC49A5FEC28AABF6277BCEE9030157B3FAED25A2279B03

1) Add a space every 2 characters and save the result to a file (ike_mm_3rd here):

echo "12F2CBED073D6DBA21C98F93C506F4660510020100000000000000440800000C010000000A05116F0000001800EC49A5FEC28AABF6277BCEE9030157B3FAED25A2279B03" | sed 's/\(.\{2\}\)/\1 /g' > ike_mm_3rd


2) If the Encryption flag is set (IKE main mode 3rd message or IKE quick mode), replace the flags byte 01 with 00 (the 20th byte, directly after the exchange type 02), otherwise Wireshark treats the decrypted payload as encrypted data:

12 F2 CB ED 07 3D 6D BA 21 C9 8F 93 C5 06 F4 66 05 10 02 00 00 00 00 00 00 00 00 44 08 00 00 0C 01 00 00 00 0A 05 11 6F 00 00 00 18 00 EC 49 A5 FE C2 8A AB F6 27 7B CE E9 03 01 57 B3 FA ED 25 A2 27 9B 03

3) Prepend the offset 000000 at the beginning of the hex dump:

000000 12 F2 CB ED 07 3D 6D BA 21 C9 8F 93 C5 06 F4 66 05 10 02 00 00 00 00 00 00 00 00 44 08 00 00 0C 01 00 00 00 0A 05 11 6F 00 00 00 18 00 EC 49 A5 FE C2 8A AB F6 27 7B CE E9 03 01 57 B3 FA ED 25 A2 27 9B 03

4) Convert to PCAP using text2pcap; the -u option adds a UDP header with source and destination port 500, so Wireshark interprets the payload as an IKE (ISAKMP) packet:
text2pcap -u500,500 ike_mm_3rd ike_mm_3rd.pcap

5) Open the PCAP with Wireshark.

Note that the MAC and IP layers are generated by text2pcap with generic (dummy) addresses.
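The conversion steps above scripted as reusable shell functions. This is an added example and not the article's own code: the function names (ike_hex_to_text2pcap and friends) are this example's, the hex string is the decrypted 3rd main mode message from the article, and the last function assumes text2pcap from Wireshark is on the PATH. It goes a little beyond the article: it prints 16 bytes per line with running offsets (the od-style layout text2pcap documents), clears only the Encryption bit of the flags byte instead of overwriting the whole byte, and warns when the ISAKMP header Length field does not match the number of bytes pasted, which is the usual sign of a truncated or badly wrapped copy from the console.

```shell
#!/bin/sh
# Added example, not part of the original article: automates steps 1-4 above.
# Input is the contiguous hex string copied from an "in"/"out"/"dec" line of
# "diagnose debug application ike -1". Function names are this example's own.

# Decrypted 3rd main mode message taken from the article (the "dec" line).
IKE_MM3_DEC="12F2CBED073D6DBA21C98F93C506F4660510020100000000000000440800000C010000000A05116F0000001800EC49A5FEC28AABF6277BCEE9030157B3FAED25A2279B03"

# Normalise a pasted dump: drop spaces/newlines, upper-case the hex digits.
ike_norm() { printf '%s' "$1" | tr -d ' \n\r\t' | tr 'a-f' 'A-F'; }

# Number of bytes actually present in the dump.
ike_dump_bytes() { h=$(ike_norm "$1"); echo $(( ${#h} / 2 )); }

# ISAKMP header Length field (bytes 24-27, i.e. hex chars 49-56), in decimal.
# If this differs from ike_dump_bytes the paste is truncated or badly wrapped.
ike_header_length() {
    h=$(ike_norm "$1")
    [ ${#h} -ge 56 ] || { echo 0; return; }   # shorter than one ISAKMP header
    echo $(( 0x$(printf '%s' "$h" | cut -c49-56) ))
}

# ISAKMP header Flags byte (byte 20, hex chars 39-40); bit 0 is the Encryption flag.
ike_flags() { ike_norm "$1" | cut -c39-40; }

# ike_hex_to_text2pcap HEX [yes]
# Prints an od-style dump (6-digit hex offset, 16 bytes per line) that text2pcap
# accepts. With a second argument of "yes" the Encryption bit of the Flags byte is
# cleared first, so Wireshark dissects the decrypted payloads instead of showing
# "Encrypted data" (step 2 of the article, generalised to touch only bit 0).
ike_hex_to_text2pcap() {
    h=$(ike_norm "$1")
    if [ "$(ike_header_length "$h")" -ne "$(ike_dump_bytes "$h")" ]; then
        echo "warning: header Length=$(ike_header_length "$h") but dump has $(ike_dump_bytes "$h") bytes" >&2
    fi
    if [ "${2:-no}" = yes ]; then
        f=$(printf '%02X' $(( 0x$(ike_flags "$h") & ~1 )))
        h=$(printf '%s' "$h" | cut -c1-38)$f$(printf '%s' "$h" | cut -c41-)
    fi
    printf '%s\n' "$h" | awk '{
        n = length($0) / 2
        for (i = 0; i < n; i++) {
            if (i % 16 == 0) printf "%s%06X", (i ? "\n" : ""), i
            printf " %s", substr($0, 2 * i + 1, 2)
        }
        printf "\n"
    }'
}

# ike_hex_to_pcap HEX OUT.pcap: full pipeline; needs text2pcap (ships with Wireshark).
# -u500,500 wraps the bytes in UDP/500 so Wireshark picks the ISAKMP dissector.
ike_hex_to_pcap() {
    txt=${2%.pcap}.txt
    command -v text2pcap >/dev/null 2>&1 || { echo "text2pcap not found in PATH" >&2; return 1; }
    ike_hex_to_text2pcap "$1" yes > "$txt" && text2pcap -u500,500 "$txt" "$2"
}

# Usage: print the text2pcap input, then build the PCAP if text2pcap is installed.
ike_hex_to_text2pcap "$IKE_MM3_DEC" yes
if command -v text2pcap >/dev/null 2>&1; then
    ike_hex_to_pcap "$IKE_MM3_DEC" ike_mm_3rd.pcap
fi
```

For the article's message the Length field reads 0x44 = 68 bytes and the dump holds 68 bytes, so no warning is printed; the second output line then shows the flags byte changed from 01 to 00 while the rest of the header is untouched. Quick mode dumps from the same debug can be fed to the same functions unchanged.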

[Image omitted: nvisentin_FD38751_tn_FD38751-1.jpg]
