
Juniper IPsec tunnel tracing

There are several articles on configuring IPsec on Juniper SRX: one, two, three. Here I would like to step aside from configuration and talk about what to do when something has gone wrong.

JunOS provides fairly convenient means of monitoring and tracing tunnels. Some of them are described in the official knowledge base, some you find elsewhere on the Internet, and some you learn from dealing with JTAC.

What turned out to be useful for me:
The description of VPN errors: a fairly detailed table to consult when analysing logs. The same information can also be viewed here, conveniently grouped by VPN tunnel type.

The meat of the post follows below.


Commands


Debugging phase 1 (IKE)

```
# list the phase 1 (IKE) SAs
show security ike security-associations

node0:
--------------------------------------------------------------------------
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
1990848  UP     0a8d1bb614de2965  47ade7df5b93f10f  Main  1.2.3.4

# details of one specific SA, by index or by peer address
show security ike security-association index <#> detail
show security ike security-association <peer-ip>

# IKE SA statistics
show security ike stats sa
```


Debugging phase 2 (IPsec)

```
# list the phase 2 (IPsec) SAs
show security ipsec security-associations | no-more

node0:
--------------------------------------------------------------------------
  Total active tunnels: 231
  ID       Algorithm       SPI       Life:sec/kb   Mon lsys Port  Gateway
  <131375  ESP:3des/sha1   48707aa6  621/ 4608000  -   root 500   1.2.3.4
  >131375  ESP:3des/sha1   a2152402  621/ 4608000  -   root 500   1.2.3.4

# append "detail" to the command above for the full SA parameters

# route-based VPN: which st0 interface and VPN each next hop is mapped to
# (a route-based VPN has no policy ACL; traffic is steered into the
#  vpn by static routes)
show security ipsec next-hop-tunnels

  172.27.10.14  st0.10  client-1-14  Static  1.2.3.4
  172.27.10.15  st0.10  client-1-15  Static

# inactive tunnels, with the reason each one is down
show security ipsec inactive-tunnels

node0:
--------------------------------------------------------------------------
  Total inactive tunnels: 145
  Total inactive tunnels with establish immediately: 145
  ID      Port  Nego#  Fail#  Flag    Gateway  Tunnel Down Reason
  131195  500   0      0      600a29  2.3.4.5  SA not initiated
```
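On a box with hundreds of inactive tunnels the "Tunnel Down Reason" column is what you want to tally first. The following Python helper is an added example, not from the original post: it parses the `show security ipsec inactive-tunnels` table into records, counts tunnels per down reason and picks out peers with repeated negotiation failures. The sample text is constructed in the output format shown above; only the "SA not initiated" row is taken from the real output, the other rows and reasons are made up.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show security ipsec inactive-tunnels`
# (only the 131195 row mirrors real output; the other rows are invented).
SAMPLE = """\
node0:
--------------------------------------------------------------------------
  Total inactive tunnels: 3
  Total inactive tunnels with establish immediately: 3
  ID      Port  Nego#  Fail#  Flag    Gateway  Tunnel Down Reason
  131195  500   0      0      600a29  2.3.4.5  SA not initiated
  131196  500   4      4      600a29  2.3.4.6  Delete payload received
  131197  4500  2      2      600a29  2.3.4.7  SA not initiated
"""

# One data row: numeric ID/port/counters, hex flag, gateway, free-text reason.
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<port>\d+)\s+(?P<nego>\d+)\s+(?P<fail>\d+)\s+"
    r"(?P<flag>[0-9a-fA-F]+)\s+(?P<gw>\S+)\s+(?P<reason>.+?)\s*$"
)


def parse_inactive_tunnels(text):
    """Return a list of dicts, one per tunnel row; headers/totals are skipped."""
    tunnels = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # node banner, separator, totals or column header
        d = m.groupdict()
        tunnels.append({
            "id": int(d["id"]), "port": int(d["port"]),
            "nego": int(d["nego"]), "fail": int(d["fail"]),
            "flag": d["flag"], "gateway": d["gw"], "reason": d["reason"],
        })
    return tunnels


def down_reasons(tunnels):
    """Count tunnels per 'Tunnel Down Reason', most common first."""
    return Counter(t["reason"] for t in tunnels)


def repeatedly_failing(tunnels, threshold=1):
    """Tunnels whose Fail# reached the threshold: the peers to look at in ike-debug."""
    return [t for t in tunnels if t["fail"] >= threshold]
```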


Collecting logs and traces


Enter configuration mode and enable the necessary traceoptions. Do not forget to turn them off afterwards, so as not to load the router with unnecessary work.
```
# kmd-logs: a separate syslog file for the key-management daemon (KMD)
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD

# traceoptions for IKE, IPsec and the flow module
edit security ike traceoptions
set file ike-debug files 2 size 10240 world-readable
set flag all
set level 15
top
edit security ipsec traceoptions
set file ipsec-debug files 2 size 10240 world-readable
set flag all
top
edit security flow traceoptions
set file vpn-debug
set file size 5m
set file world-readable
set flag basic-datapath
set flag packet-drops
# filter1: ESP from the local peer to the remote peer
set packet-filter filter1 protocol esp
set packet-filter filter1 source-prefix <local peer>/32
set packet-filter filter1 destination-prefix <remote peer>/32
# filter2: ESP in the reverse direction
set packet-filter filter2 protocol esp
set packet-filter filter2 source-prefix <remote peer>/32
set packet-filter filter2 destination-prefix <local peer>/32
```


Commit the changes and exit configuration mode. Now start the debug:
```
> request security ike debug-enable level 10 local <local-ip> remote <peer-ip>
```


Ping a host on the client's network so that the tunnel comes up, and look at the logs:
```
show log ike-debug | no-more
```


I hope this information will be useful to someone ;) Or maybe you have something to share from your own experience? Write in the comments!

Source: https://habr.com/ru/post/237943/
