NSX Edge – Troubleshoot IPSec VPN issue with CLI

To troubleshoot any VPN issue, you should know how the VPN service is configured, so that you can tell whether the problem is a misconfiguration on the Edge or a parameter that does not match on the peer side.

There are a few useful commands for troubleshooting IPSec VPN issues. Before running them, you must enable SSH on your NSX Edge and log in to it over SSH.

To view the full list of ipsec commands, run:

show service ipsec ? 

To check the VPN service status

show service ipsec

The table below lists the failure messages reported by the ipsec service and the root cause of each:

| Cause | Failure message |
| --- | --- |
| IKEv1 peer is not reachable. | Version-IKEv1 Retransmitting IKE Message as no response from Peer. |
| Mismatch in IKEv1 Phase 1 proposal. | Version-IKEv1 No Proposal Chosen. Check configured Encryption/Authentication/DH/IKE-Version. |
| Mismatch in any one of the following: IKEv1 PSK, IKEv1 ID, IKEv1 certificate. | Version-IKEv1 Authentication Failed. Check the configured secret or local/peer ID configuration. |
| Mismatch in IKEv1 Phase 2 proposal. | IPSec-SA Proposals or Traffic Selectors did not match. |
| IKEv2 peer is not reachable. | Version-IKEv2 Retransmitting IKE Message as no response from Peer. |
| Mismatch in IKEv2 IKE SA proposal. | Version-IKEv2 No Proposal Chosen. Check configured Encrypt/Authentication/DH/IKEversion. |
| Mismatch in IKEv2 IPSec SA proposal. | IPSec-SA Proposals or Traffic Selectors did not match. |
| Mismatch in IKEv2 IPSec SA traffic selectors. | Traffic selectors did not match. Check left/right subnet configuration. |
| Mismatch in any one of the following: IKEv2 PSK, IKEv2 ID, IKEv2 certificate. | Version-IKEv2 Authentication Failed. Check the configured secret or local/peer ID configuration. |

Source: docs.vmware.com
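The table above is easy to apply by hand to one tunnel, but on an Edge with many sites it helps to script the lookup. The following is an added example (not from the original post or from VMware): it maps each failure message in the table back to its root cause, using the IKE version prefix to pick the right phase name. The surrounding "Site:" lines in the sample are constructed and only imitate CLI output; the real layout of `show service ipsec` may differ.

```python
import re

# Failure messages from the table above, paired with the root cause it lists.
# Checked in order, most specific first: the "IPSec-SA Proposals or Traffic
# Selectors" message also contains the shorter "Traffic selectors" phrase.
_RULES = [
    (r"Retransmitting IKE Message as no response from Peer",
     "{ver} peer is not reachable"),
    (r"No Proposal Chosen",
     "Mismatch in {ver} {p1} proposal"),
    (r"Authentication Failed",
     "Mismatch in {ver} PSK, ID or certificate"),
    (r"IPSec-SA Proposals or Traffic Selectors did not match",
     "Mismatch in {ver} {p2} proposal"),
    (r"Traffic selectors did not match\. Check left/right subnet",
     "Mismatch in IKEv2 IPSec SA traffic selectors"),
]
# The table names the two IKE phases differently per IKE version.
_PHASE = {"IKEv1": ("Phase 1", "Phase 2"),
          "IKEv2": ("IKE SA", "IPSec SA"),
          None: ("Phase 1 / IKE SA", "Phase 2 / IPSec SA")}
_VERSION = re.compile(r"Version-(IKEv[12])")


def classify_line(line):
    """Map one line of 'show service ipsec' output to the table's root cause,
    or None when the line carries no failure message from the table."""
    m = _VERSION.search(line)
    ver = m.group(1) if m else None
    p1, p2 = _PHASE[ver]
    for pattern, cause in _RULES:
        if re.search(pattern, line, re.IGNORECASE):
            return cause.format(ver=ver or "IKE", p1=p1, p2=p2)
    return None


def triage(output):
    """Return [(line_number, cause)] for every failure line in the output."""
    return [(n, c) for n, line in enumerate(output.splitlines(), 1)
            if (c := classify_line(line))]


# Constructed sample: the 'Site:' lines imitate CLI output and are not real
# NSX Edge output; only the failure messages come from the table above.
SAMPLE = """\
Site: 203.0.113.10-198.51.100.20  Status: DOWN
  Version-IKEv2 No Proposal Chosen. Check configured Encrypt/Authentication/DH/IKEversion.
Site: 203.0.113.10-198.51.100.30  Status: DOWN
  Traffic selectors did not match. Check left/right subnet configuration.
Site: 203.0.113.10-198.51.100.40  Status: UP
"""
```

Calling `triage(SAMPLE)` returns the line number and cause for the two failed sites and skips the healthy one.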

To show the IPSec configuration

show configuration ipsec

To show the status of the IPSec security policies

show service ipsec sp
