Limit the debug output to just your peer:
debug crypto condition peer x.x.x.x

IKEv1 / IPsec:
debug crypto ikev1 255
debug crypto ipsec 255

IKEv2:
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
debug crypto ikev2 255
debug crypto ikev2 platform 255
debug crypto ikev2 protocol 255

If you need more detail, you can enable more:
debug crypto ipsec 255
debug crypto ike-common 10
debug crypto engine 255 (causes too much output)
logging console debugging
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113574-tg-asa-ipsec-ike-debugs-main-00.html#anc6
IKEv2 Notes
IKEv1 had a clear phase 1 (ikev1) and phase 2 (ipsec).
IKEv2 does it all in one phase, but broken into 3 sections:
IKE_SA_INIT
IKE_AUTH
CHILD_SA
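Added example (not part of the original notes): a small reader for the output of the IKEv2 debugs above that reports, per session, which of the three sections the negotiation reached and whether it stalled there. The sample debug lines are constructed, not real ASA output, and the line shape (IKEv2-PROTO-level, session id in parentheses, then the message) plus the "Exchange type" and "Retransmitting" wording are assumptions made to fit them.

```python
import re

# Constructed sample of "debug crypto ikev2 protocol" output, NOT real ASA output: the line
# shape (IKEv2-PROTO-<level>: (<session id>): <message>) is an assumption modelled loosely on it.
SAMPLE_DEBUG = """\
IKEv2-PROTO-5: (123): Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR MSG-REQUEST
IKEv2-PROTO-5: (123): Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-5: (123): Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR MSG-REQUEST
IKEv2-PROTO-5: (123): Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-1: (123): Auth exchange failed
IKEv2-PROTO-5: (124): Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR MSG-REQUEST
IKEv2-PROTO-5: (124): Retransmitting packet
"""

# The three sections from the notes, in order; CREATE_CHILD_SA exchanges belong to the CHILD_SA section.
SECTIONS = ["IKE_SA_INIT", "IKE_AUTH", "CHILD_SA"]
SECTION_OF = {"IKE_SA_INIT": "IKE_SA_INIT", "IKE_AUTH": "IKE_AUTH", "CREATE_CHILD_SA": "CHILD_SA"}

LINE_RE = re.compile(r"IKEv2-PROTO-(?P<level>\d+): \((?P<sid>\d+)\): (?P<msg>.*)")
EXCH_RE = re.compile(r"Exchange type: (?P<exch>\w+), flags: .*?(?P<dir>MSG-REQUEST|MSG-RESPONSE)")

def analyze(debug_text):
    """Per session id: furthest section reached, whether its last request got a reply, and error lines."""
    sessions = {}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"stage": None, "answered": False, "errors": []})
        e = EXCH_RE.search(m["msg"])
        if e:
            section = SECTION_OF.get(e["exch"])
            if section and (s["stage"] is None or SECTIONS.index(section) > SECTIONS.index(s["stage"])):
                s["stage"], s["answered"] = section, False   # entered a new section, no reply yet
            if e["dir"] == "MSG-RESPONSE":
                s["answered"] = True
        elif int(m["level"]) <= 1 or "Retransmitting" in m["msg"]:
            s["errors"].append(m["msg"])   # level-1 lines are errors; retransmits mean the peer never answered
    return sessions

def diagnose(sid, s):
    """One-line verdict telling you which section to read closely in the full debug."""
    if s["stage"] is None:
        return f"{sid}: no IKEv2 exchange seen"
    if not s["answered"]:
        return f"{sid}: no reply to {s['stage']} request (peer unreachable or UDP 500/4500 filtered?)"
    if s["errors"]:
        return f"{sid}: failed in {s['stage']}: " + "; ".join(s["errors"])
    return f"{sid}: reached {s['stage']}, no errors"
```

Run analyze() over a saved debug capture and print diagnose() for each session it returns.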