Tracing IPsec Operations

Trace operations track IPsec events and record them in a log file in the /var/log directory. By default, this file is named /var/log/kmd.

To trace IPsec operations, include the traceoptions statement at the [edit services ipsec-vpn] hierarchy level:

[edit services ipsec-vpn]traceoptions {file <filename> <files number> <match regular-expression> <size bytes> <world-readable | no-world-readable>;flag flag;level level;no-remote-trace;}

You can specify the following IPsec tracing flags:

all—Trace everything.
certificates—Trace certificates events.
database—Trace security associations database events.
general—Trace general events.
ike—Trace IKE module processing.
parse—Trace configuration processing.
policy-manager—Trace policy manager processing.
routing-socket—Trace routing socket messages.
snmp—Trace SNMP operations.
timer—Trace internal timer events.

The level statement sets the key management process (kmd) tracing level. The following values are supported:

all—Match all levels.
error—Match error conditions.
info–Match informational messages.
notice—Match conditions that should be handled specially.
verbose—Match verbose messages.
warning—Match warning messages.

Disabling IPsec Tunnel Endpoint in Traceroute

If you include the no-ipsec-tunnel-in-traceroute statement at the [edit services ipsec-vpn] hierarchy level, the IPsec tunnel is not treated as a next hop and TTL is not decremented. Also, if the TTL reaches zero, an ICMP time exceeded message is not generated.

[edit services ipsec-vpn]no-ipsec-tunnel-in-traceroute;

Note: This functionality is also provided by the passive-mode-tunneling statement described in Configuring IPsec Service Sets. You can use the no-ipsec-tunnel-in-traceroute statement in specific scenarios in which the IPsec tunnel should not be treated as a next hop and passive mode is not desired.