Debugging IPsec in Sophos Firewall (SFOS)

  • Article ID: 117426
  • Updated: 04 Nov 2015

This article explains the new Ipsec debug options intruduced in UTM v9

Known to apply to the following Sophos product(s) and version(s)
Sophos UTM v9

What To Do

 IPsec Debugging

With the introduction of SFOS, the following are the information required when debugging IPsec (Site-to-Site or Remote Access):

1.        To enable or disable SFOS IPsec log debugging

Service name


Service Command

service ipsec: start/stop/restart

Log file



2.        Generate packet capture using TCPDUMP

Non-NAT Connection

#tcpdump port 500 or proto 50

NAT Connection

#tcpdump port 500 or proto 4500


3.        To see all ESP Conntrack in the system, use the command: 

         # Conntrack –L | grep unk


Note:  Log viewer logs are helpful to check and verify IKE (Internet Key Exchange)-related issues

 IPSec Kernel Module

Traffic going to WAN segment which matches with netkey xfrm policy is submitted to IPsec0 interface and is further handled by NetKey.

 In this diagram, it explains how IPsec Kernel Module is used by SFOS. 

SF1:  SFOS host 1

SF2:  SFOS host 2

SA:  Security Association

 # ip xfrm policy ( ON SF1)

src dst  à Traffic Policy from to

      dir out priority 2408 à Dir out means traffic going out from Local zone to

      remote network

     tmpl src dst

     proto esp reqid 16429 mode tunnel  à Reqid will be helpful to find out SA


src dst

     dir fwd priority 2408  à Forward Policy rule to send remote network traffic to Local zone

     tmpl src dst

     proto esp reqid 16429 mode tunnel


src dst

     dir in priority 2408 à Direction IN means remote network traffic destine to local

     interface   of SF ( system traffic)

     tmpl src dst

     proto esp reqid 16429 mode tunnel


# ip xfrm state ( On SF 1)

src dst

        proto esp spi 0x787a7230 reqid 16429 mode tunnel

        replay-window 32

        auth-trunc hmac(md5) 0x2a2fd8467e94c29a599872e5ad8016b4 96

        enc cbc(aes) 0x1996a3b1112815b51d8f93ee73119c8e

        sel src dst

src dst

        proto esp spi 0xa329f3b9 reqid 16429 mode tunnel

        replay-window 32

        auth-trunc hmac(md5) 0xa8ca6ea5ea4866d4491e33500feb3699 96

        enc cbc(aes) 0xdb8a9ee174ea5580bb6b9cd96b124c2f

        sel src dst


# tcpdump -n proto 50 @SF1

tcpdump: Starting Packet Dump

11:46:41.319018 PortB, IN: IP > ESP(spi=0xa329f3b9,seq=0x138), length 100

11:46:41.319710 PortB, OUT: IP > ESP(spi=0x787a7230,seq=0x138), length 100


·         If one want to troubleshoot plain text packet is reaching to xfrm or not, one can disable xfrm on ipsec0 interface which will drop all vpn traffic but you can see packets going out from ipsec0 interface.

·         To disable xfrm : echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_xfrm

·         To enable xfrm : echo 0 > /proc/sys/net/ipv4/conf/ipsec0/disable_xfrm

·        To check  error packet drop by netkey please use command cat /proc/net/xfrm_stat

·         SF originated traffic is not send to VPN until static route is define.  Use CLI to add static route on the IPSec VPN tunnel 



If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent