
Amer Networks E5Web GUI User Manual

Page 608


The ikesnoop command can be entered via a CLI console or directly via the RS232 Console.

To begin monitoring, the full command is:

Device:/> ikesnoop -on -verbose

This means that ikesnoop output will be sent to the console for every VPN tunnel IKE negotiation.
The output can be overwhelming, so to limit it to a single IP address, for example the IP
address 10.1.1.10, the command would be:

Device:/> ikesnoop -on 10.1.1.10 -verbose

The IPv4 address given is the IP address of the VPN tunnel's remote endpoint (either the IP of the
remote gateway or the IP of a roaming client). To turn off monitoring, the command is:

Device:/> ikesnoop -off

The output from the verbose option can be difficult to interpret for an administrator seeing it for
the first time. Presented below is some typical ikesnoop output with annotations to explain it.
The tunnel negotiation considered is based on Pre-shared Keys. A negotiation based on
certificates is not discussed here, but the principles are similar.

Complete ikesnoop command options can be found in the CLI Reference Guide.

The Client and the Server

The two parties involved in the tunnel negotiation are referred to in this section as the client and
server. In this context, the word "client" is used to refer to the device which is the initiator of the
negotiation and the server refers to the device which is the responder.

Step 1. Client Initiates Exchange by Sending a Supported Algorithm List

The verbose option output initially shows the proposed list of algorithms that the client first
sends to the server. This list details the protocols and encryption methods the client can support.
The purpose of the list is to let the client find a set of protocols/methods that the server also
supports. The server examines the list and attempts to find a combination of the protocols/methods
sent by the client which it can support. This matching process is one of the key purposes of the
IKE exchange.

IkeSnoop: Received IKE packet from 192.168.0.10:500
Exchange type        : Identity Protection (main mode)
ISAKMP Version       : 1.0
Flags                :
Cookies              : 0x6098238b67d97ea6 -> 0x00000000
Message ID           : 0x00000000
Packet length        : 324 bytes
# payloads           : 8
Payloads:
  SA (Security Association)
    Payload data length : 152 bytes
    DOI                 : 1 (IPsec DOI)
    Proposal 1/1
      Protocol 1/1
        Protocol ID     : ISAKMP
        SPI Size        : 0
        Transform 1/4
          Transform ID          : IKE
          Encryption algorithm  : Rijndael-cbc (aes)
          Key length            : 128
          Hash algorithm        : MD5
          Authentication method : Pre-Shared Key
          Group description     : MODP 1024
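The transform list above is exactly what an administrator reviewing a tunnel's security wants to check: which hash, Diffie-Hellman group and key length the peer is offering. The following is an added example, not part of the manual and not a tool shipped on the device: a small Python parser that reads ikesnoop verbose output of the "label : value" layout shown on this page, collects the header fields and each Transform block, and flags transforms that propose weak parameters (MD5 hashing, MODP 768/1024 groups, short keys). The sample text embedded in the block is constructed: Transform 1/4 copies the values from this page, and Transform 2/4 is an invented second proposal with stronger parameters so the comparison has something to show.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the ikesnoop verbose output on this page.
# Transform 1/4 mirrors the page; Transform 2/4 is invented for contrast.
SAMPLE_IKESNOOP = """\
IkeSnoop: Received IKE packet from 192.168.0.10:500
Exchange type        : Identity Protection (main mode)
ISAKMP Version       : 1.0
Flags                :
Cookies              : 0x6098238b67d97ea6 -> 0x00000000
Message ID           : 0x00000000
Packet length        : 324 bytes
# payloads           : 8
Payloads:
  SA (Security Association)
    Payload data length : 152 bytes
    DOI                 : 1 (IPsec DOI)
    Proposal 1/1
      Protocol 1/1
        Protocol ID     : ISAKMP
        SPI Size        : 0
        Transform 1/4
          Transform ID          : IKE
          Encryption algorithm  : Rijndael-cbc (aes)
          Key length            : 128
          Hash algorithm        : MD5
          Authentication method : Pre-Shared Key
          Group description     : MODP 1024
        Transform 2/4
          Transform ID          : IKE
          Encryption algorithm  : Rijndael-cbc (aes)
          Key length            : 256
          Hash algorithm        : SHA
          Authentication method : Pre-Shared Key
          Group description     : MODP 2048
"""

HEADER_RE = re.compile(r"^IkeSnoop: Received IKE packet from (\S+)")
TRANSFORM_RE = re.compile(r"^\s*Transform (\d+/\d+)\s*$")
FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


@dataclass
class Transform:
    index: str                      # e.g. "1/4"
    fields: dict = field(default_factory=dict)


def parse_ikesnoop(text):
    """Return (peer, header_fields, [Transform, ...]) from one ikesnoop packet dump."""
    peer, header, transforms, current = None, {}, [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                       # "IkeSnoop: Received IKE packet from <ip>:<port>"
            peer = m.group(1)
            continue
        m = TRANSFORM_RE.match(line)
        if m:                       # start of a new Transform block
            current = Transform(m.group(1))
            transforms.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m:                   # lines like "Proposal 1/1" carry no field
            continue
        key, value = m.group(1), m.group(2)
        (header if current is None else current.fields)[key] = value
    return peer, header, transforms


# Policy thresholds (assumed policy, adjust to local requirements).
WEAK_HASHES = {"MD5"}
WEAK_GROUPS = {"MODP 768", "MODP 1024"}     # DH groups 1 and 2
MIN_KEY_LENGTH = 128


def assess_transform(t):
    """List the weaknesses found in one proposed transform."""
    findings = []
    h = t.fields.get("Hash algorithm", "")
    if h.upper() in WEAK_HASHES:
        findings.append(f"hash {h} is deprecated")
    g = t.fields.get("Group description", "")
    if g in WEAK_GROUPS:
        findings.append(f"DH group {g} is too small")
    kl = t.fields.get("Key length")
    if kl and kl.isdigit() and int(kl) < MIN_KEY_LENGTH:
        findings.append(f"key length {kl} is below {MIN_KEY_LENGTH}")
    return findings


def assess(text):
    """Parse a dump and map each transform index to its findings."""
    peer, header, transforms = parse_ikesnoop(text)
    return {
        "peer": peer,
        "exchange": header.get("Exchange type"),
        "transforms": {t.index: assess_transform(t) for t in transforms},
    }


if __name__ == "__main__":
    report = assess(SAMPLE_IKESNOOP)
    print(f"peer {report['peer']}  exchange: {report['exchange']}")
    for idx, findings in report["transforms"].items():
        print(f"  Transform {idx}: {', '.join(findings) or 'no findings'}")
```

Paste a captured ikesnoop dump in place of the constructed sample to see which of the peer's proposals would be accepted only because a weak transform is also on the list; tightening the IKE algorithm set on the server side is the usual remedy when a weak transform is the one selected.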

Chapter 9: VPN
