The ike -snoop Command - D-Link NetDefendOS User Manual

Network security firewall
9.8.4. The ike -snoop Command

VPN Tunnel Negotiation
When setting up IPsec tunnels, problems can arise because the initial negotiation fails when the
devices at either end of a VPN tunnel try but fail to agree on which protocols and encryption
methods will be used. The ike -snoop console command with the -verbose option is a tool that
can be used to identify the source of such problems by showing the details of this negotiation.
Using ike -snoop
The ike -snoop command can be entered via a CLI console connected via a network connection
or directly via the local console.
To begin monitoring, the full command is:
gw-world:/> ike -snoop
This means that the output will be sent to the console for every VPN tunnel IKE negotiation. The
output can be overwhelming, so to limit it to a single IP address, for example the IP
address 10.1.1.10, the command would be:
gw-world:/> ike -snoop 10.1.1.10
The IPv4 address given is the IP address of the VPN tunnel's remote endpoint (either the IP of the
remote gateway or the client IP). To turn off monitoring, the command is:
gw-world:/> ike -snoop -off
By default, ike -snoop always creates the most verbose output. It is possible to reduce this output
volume by using the -brief option. However, this may not provide sufficient detail to identify
problems. All the ike command options can be found in the separate CLI Reference Guide.
The output from ike -snoop can be difficult for an administrator to interpret when seeing it for the
first time. Presented below is some typical ike -snoop output with annotations to explain it. The
tunnel negotiation considered is based on pre-shared keys. A negotiation based on certificates is
not discussed here, but the principles are similar.
The Client and the Server
The two parties involved in the tunnel negotiation are referred to in this section as the client and
server. In this context, the word "client" is used to refer to the device which is the initiator of the
negotiation and the server refers to the device which is the responder.
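The agreement step that the introduction describes and that Step 1 below shows in ike -snoop output (the responder walks the initiator's proposal list and accepts the first entry it also supports) can be modelled in a few lines. This is an added example, not NetDefendOS code; the Proposal fields and the sample proposals are constructed for illustration, and the diagnosis it prints is the kind of mismatch an administrator reads out of a failed negotiation.

```python
"""Model of IKE proposal matching between an initiator (client) and a responder (server).

Added example, not NetDefendOS code. Proposal attributes and sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str   # constructed values, e.g. "aes-256", "3des"
    integrity: str    # e.g. "sha1", "sha256"
    dh_group: int     # e.g. 2, 14
    auth: str         # "psk" for pre-shared keys, "rsa-sig" for certificates


ATTRIBUTES = ("encryption", "integrity", "dh_group", "auth")


def select_proposal(initiator, responder):
    """Return (chosen, None) when the sides agree, or (None, diagnosis) when they do not.

    Mirrors responder behaviour: the initiator's list is walked in order and the
    first proposal the responder also supports is selected.
    """
    responder_set = set(responder)
    for proposal in initiator:
        if proposal in responder_set:
            return proposal, None
    # No full proposal matched. Report every attribute on which the two sides
    # share no value at all; that is what the failed Step 1 exchange tells you.
    diagnosis = {}
    for attr in ATTRIBUTES:
        offered = {getattr(p, attr) for p in initiator}
        accepted = {getattr(p, attr) for p in responder}
        if not offered & accepted:
            diagnosis[attr] = (sorted(offered, key=str), sorted(accepted, key=str))
    if not diagnosis:
        # Every attribute overlaps somewhere, but no single proposal combines them.
        diagnosis["combination"] = (list(initiator), list(responder))
    return None, diagnosis


if __name__ == "__main__":
    # Constructed sample: the client offers AES-256 or 3DES, both with SHA-1 and DH group 2.
    client = [Proposal("aes-256", "sha1", 2, "psk"), Proposal("3des", "sha1", 2, "psk")]
    server = [Proposal("aes-256", "sha256", 14, "psk")]
    chosen, why = select_proposal(client, server)
    print("agreed on", chosen) if chosen else print("no agreement:", why)
```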
Step 1. Client Initiates Exchange by Sending a Supported Algorithm List
The verbose option output initially shows the proposed list of algorithms that the client first
gw-world:/> ike -tunnels -num=all
In these circumstances, using the option with a small number, for example -num=10, is
recommended.
764
Chapter 9: VPN