When building a cloud with VMware vCloud Director or just using NSX-T, sooner or later you will need to build IPsec Tunnels from within your environment to wherever.
As the IKE and IPsec VPN process can be quite complex, there is often a chance that something may be misconfigured. Unfortunately, the NSX-T UI mostly outputs generic error codes, which could mean a load of things malfunctioning.
To get a better understanding of the negotiation process, the NSX Edge CLI gives you the option to enable deep logging for specific sessions.
First you will have to connect via SSH to the Edge that’s currently hosting the Service Router of the session you’ll want to troubleshoot. The easiest was is to search for the session in the GUI, then going to the corresponding Tier-1 Gateway – by clicking on the HA mode of the Gateway you will get the currently active Edges of the Gateway.
Connect as the NSXCLI-User (admin is default) and check the ipsecvpn-Service with:
get service ipsecvpn
It should be running without any errors. You can further investigate the sessions with these commands:
get ipsecvpn sessions [down]
get ipsecvpn tunnel stats
To view the IKE-Negotiation Log, you will have to enable the inspection for specific sessions:
set service ike debug-tunnel local-ip [local-ip] remote-ip [remote-ip] debug-level [off,fail,highok,highstart,uncommon,midok,midstart,lowok,lowstart] [follow]
By appending the “follow”-Key the log output will be directly displayed in the console until you end it by pressing CTRL+C. If you don’t include the “follow” -Key the output is directed to syslog, which you can access by:
get log-file syslog [ | find VPN]
You can append the pipe and “find”-Key to filter the entries of the VPN service. You can have up to 4 sessions logging to syslog. To stop, just use the set-command with debug-level “off”.