Information about IPsec tunnels in logs

The Firewall logs contain information about IPsec tunnel negotiations.

Log messages related to IPsec tunnel negotiations contain the value IPsec in the Facility field. You can use this value to filter the logs so that only IPsec messages are shown. The IKE Cookie and IPsec SPI fields contain identifiers that are specific to each VPN instance, which further helps when reading and filtering the logs. The Situation and Information Message fields contain the actual VPN-related events. If possible, examine the logs from the devices at both ends of the IPsec tunnel for more information.

Tip: Right-click a VPN log entry and select Search Related Events to see logs related to the same IPsec VPN negotiation.

You can collect more detailed information by enabling the IPsec diagnostics. For VPN clients, also enable authentication and DHCP relay diagnostics.

Log messages generated by Access rules might also contain relevant information. These logs show which connections the gateway processes and whether the policy directs policy-based VPN traffic to the correct VPN tunnels. Note that log messages generated by Access rules are not shown if you filter the logs to only show IPsec logs.

A normal IPsec tunnel negotiation proceeds as follows:
  1. The negotiations start when a connection matches a rule in the Firewall Policy that triggers the VPN negotiation (or a similar mechanism at the other end).
  2. The gateway at the source end of the connection or the VPN client (the initiator, I) contacts the gateway at the other end (the responder, R). The gateways establish trust and exchange keys in the IKE Phase 1 negotiations.
  3. If Phase 1 negotiation succeeds, IKE Phase 2 negotiations begin. At this stage, the gateways agree on further settings used for handling the connection.
  4. If Phase 2 negotiations succeed, the VPN tunnel is ready and ESP or AH packets (the actual traffic) can be seen in the logs. New connections that are opened through the VPN are logged using a VPN-specific log message “New Connection Through VPN.”
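The following script is an added example (not part of this documentation or the product) that shows how the fields described above can be used to read a log export: it filters entries on Facility = IPsec, groups them by IKE Cookie, reports how far each negotiation got through the Phase 1 / Phase 2 sequence listed above, and collects the IPsec SPI values of established tunnels. It also shows the caveat from the Access-rule paragraph: the "New Connection Through VPN" entries come from a different facility and are lost if you filter on IPsec only. The tab-separated layout, the Situation texts other than "New Connection Through VPN", the facility name "Access rule" and all addresses and identifiers are constructed for the example and are not the firewall's real export format or wording.

```python
"""Correlate IPsec negotiation log entries by IKE Cookie and report the
stage each negotiation reached. Added example; the log layout, Situation
wording (except "New Connection Through VPN"), facility name "Access rule",
cookies, SPIs and addresses are all constructed, not the product's own."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export with the fields the documentation names as columns.
SAMPLE_LOG = """\
Time\tFacility\tIKE Cookie\tIPsec SPI\tSituation\tInformation Message
10:00:01\tIPsec\t0xa1b2c3d4\t\tIKE Phase-1 negotiation started\tInitiator 203.0.113.10 -> 198.51.100.20
10:00:02\tIPsec\t0xa1b2c3d4\t\tIKE Phase-1 negotiation succeeded\t
10:00:02\tIPsec\t0xa1b2c3d4\t\tIKE Phase-2 negotiation started\t
10:00:03\tIPsec\t0xa1b2c3d4\t0x1000abcd\tIKE Phase-2 negotiation succeeded\tESP SA established
10:00:04\tAccess rule\t\t\tNew Connection Through VPN\t203.0.113.10 -> 10.0.0.5
10:05:00\tIPsec\t0xdeadbeef\t\tIKE Phase-1 negotiation started\tInitiator 203.0.113.11 -> 198.51.100.20
10:05:30\tIPsec\t0xdeadbeef\t\tIKE Phase-1 negotiation failed\tNo proposal chosen
"""

# Order of the stages a healthy negotiation passes through (see the numbered list above).
STAGE_ORDER = {"none": 0, "phase1_started": 1, "phase1_ok": 2,
               "phase2_started": 3, "phase2_ok": 4}


def parse_log(text):
    """Parse a tab-separated export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text), delimiter="\t"))


def ipsec_entries(rows):
    """The Facility filter the documentation describes: keep only IPsec messages."""
    return [r for r in rows if r["Facility"] == "IPsec"]


def classify(situation):
    """Map a (constructed) Situation text to (phase, outcome) or None if unrelated."""
    s = situation.lower()
    if "phase-1" in s:
        phase = "phase1"
    elif "phase-2" in s:
        phase = "phase2"
    else:
        return None
    for outcome in ("succeeded", "failed", "started"):
        if outcome in s:
            return phase, {"succeeded": "ok"}.get(outcome, outcome)
    return None


def negotiation_status(rows):
    """Group IPsec entries by IKE Cookie; return furthest stage, any failure, and SPIs."""
    by_cookie = defaultdict(list)
    for r in ipsec_entries(rows):
        by_cookie[r["IKE Cookie"]].append(r)
    status = {}
    for cookie, entries in by_cookie.items():
        reached, failure, spis = "none", None, set()
        for e in entries:
            c = classify(e["Situation"])
            if c is None:
                continue
            phase, outcome = c
            if outcome == "failed":
                failure = f"{phase} failed: {e['Information Message']}"
            else:
                stage = f"{phase}_{outcome}"
                if STAGE_ORDER[stage] > STAGE_ORDER[reached]:
                    reached = stage
            if e["IPsec SPI"]:
                spis.add(e["IPsec SPI"])
        status[cookie] = {"reached": reached, "failure": failure, "spis": sorted(spis)}
    return status


def vpn_connections(rows):
    """Access-rule entries are not Facility=IPsec, so scan all rows for them."""
    return [r for r in rows if r["Situation"] == "New Connection Through VPN"]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for cookie, st in negotiation_status(rows).items():
        print(cookie, st["reached"], st["failure"] or "", st["spis"])
    print("connections through VPN:", len(vpn_connections(rows)))
```

In the constructed sample, cookie 0xa1b2c3d4 reaches Phase 2 with an SPI recorded, while 0xdeadbeef stops at Phase 1 with the failure reason taken from the Information Message field; the one "New Connection Through VPN" entry is only found because `vpn_connections` scans the unfiltered rows.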