Check Point VPN Debugging Guide


    4/23/2014 http://digitalcrunch.com/check-point-firewall/check-point-vpn-debugging-guide/

    Network Security Engineer Notes

    in Check Point Firewall

    A few years ago I compiled a list of VPN debugs, error messages, and common gotchas. This information is relevant for Check Point NGX firewalls, but it is not a complete VPN debugging guide.

    DEBUGGING INSTRUCTIONS:

    From the command line ( if cluster, active member )

    - vpn debug on
    - vpn debug ikeon
    - vpn tu, then select the option to delete IPSEC+IKE SAs for a given peer (gw)
    - Try the traffic to bring up the tunnel
    - vpn debug ikeoff
    - vpn debug off

    Log Files are

    - $FWDIR/log/ike.elg
    - $FWDIR/log/vpnd.elg

    COMMON MESSAGES:

    According to the Policy the Packet should not have been decrypted

    - The networks are not defined properly or have a typo
    - Make sure VPN domains under gateway A are all local to gateway A
    - Make sure VPN domains under gateway B are all local to gateway B

    Wrong Remote Address

    Failed to match proposal

    - sk21636: Cisco side not configured for compression

    No response from peer

    - Check encryption domains.
    - Remote end needs a decrypt rule
    - Remote firewall not set up for encryption
    - Something is blocking communication between VPN endpoints
    - Check UDP 500 and protocol 50


    No Valid SA

    - Both ends need the same definition for the encryption domain.
    - sk19243 (LAST OPTION): use dbedit on objects_5_0.C, then add subnets/hosts in user.def
    - Likely Phase 2 settings
    - Cisco might say "no proxy id allowed"
    - Disable NAT inside the VPN community
    - Check that "Support key exchange for subnets" is properly configured
    - Make sure the firewall's external interface is a public IP in General Properties

    No Proposal chosen

    - sk19243: usually caused when a peer does not agree on the VPN domain or subnet mask
    - Make sure that encryption and hash match as well in the Phase 2 settings

    Cannot Identify Peer (to encryption connection)

    - sk22102: rules refer to an object that is not part of the local firewall's encryption domain
    - May have overlapping encryption domains (two peers in the same domain)
    - sk18972 explains overlapping

    Invalid ID

    - sk25893: Gateway -> VPN -> VPN Advanced, clear "Support key exchange for subnets", install policy

    Authentication Failure

    Payload Malformed

    - Check pre-shared secrets

    RESPONDER-LIFETIME

    - As seen in the IKE debugs, make sure they match on both ends

    Invalid Certificate

    - sk17106: remote side peer object is incorrectly configured
    - sk23586: NAT rules are needed
    - sk18805: multiple issues; define a static NAT, add a rule, check time
    - sk25262: port 18264 has problems
    - sk32648: port 18264 problems, v2
    - sk15037: make sure the gateway can communicate with management

    No Valid CRL

    - sk32721: CRL has expired, and the module can't get a new valid CRL

    AddNegotiation

    - FW-1 is handling more than 200 key negotiations at once
    - Set maximum concurrent IKE connections

    Could not get SAs from packet

    FW MONITOR NOTES

    - Packet comes back through i I o O


    - Packet will be ESP between o and O

    BASIC STUFF TO CHECK IN THE CONFIGURATION:

    Accept FW-1 Control Connections

    VPN domains

    - Set up in the topology of that item
    - Using topology is recommended, but you must define it
    - Look for overlap, or missing networks
    - Check remote and local objects

    Encryption Domains

    - Your firewall contains your networks
    - Their firewall contains their networks

    Rule Setup

    - You need a rule for the originator
    - A reply rule is only required for a two-way tunnel

    Preshared secret or certificate

    - Make sure times are accurate

    Security rulebase

    - Make sure there are rules to allow the traffic

    Address Translation

    - Be aware that this will affect the Phase 2 negotiations
    - Most people disable NAT in the community

    Community Properties

    - Tunnel management, Phase 1 and Phase 2 encryption settings

    Link selection

    Routing

    - Make sure that the destination is routed across the interface that you want it to encrypt on
    - You need IP protocols 50 and 51 for IPSEC-related traffic
    - You need UDP port 500 for IKE
    - Run netstat -rn and look for a single valid default route

    Smartview Tracker Logs

    - purple = encrypted
    - red = dropped
    - green = no encryption

    TRADITIONAL MODE NOTES

    - Can't VPN route
    - Encryption happens when you hit an explicit rule
    - Rules must be created


    SIMPLIFIED MODE NOTES

    - VPN Communities
    - Encryption happens at rule 0
    - Rules are implied

    CHECKLIST

    1. Define encryption domains for each site
    2. Define firewall workstation objects for each site
    3. Configure the gateway objects for the correct encryption domain
    4. Configure the extranet community with the appropriate gateways and objects
    5. Create the necessary encryption rules
    6. Configure the encryption properties for each encryption rule
    7. Install the security policy

    IKE PACKET MODE QUICK REFERENCE

    > outgoing
    < incoming

    PHASE 1 (MAIN MODE)

    1 > Pre-shared secrets, encryption and hash algorithms, auth method, initiator cookie (clear text)
    2 < Agree on one encryption and hash, responder cookie (clear text)
    3 > Random numbers sent to prove identity (if it fails here, reinstall)
    4 < Random numbers sent to prove identity (if it fails here, reinstall)
    5 > Authentication between peers: peer IP address, certificate exchange, shared secrets, expired certs, time offsets
    6 < Peer has agreed to the proposal and has authenticated the initiator; expired certs, time offsets

    PHASE 2 (QUICK MODE)

    1 > Use a subnet or a host ID, encryption, hash, ID data
    2 < Agrees with its own subnet or host ID and encryption and hash
    3 > Completes IKE negotiation
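The Phase 1 proposal match and the Phase 2 ID check above are what produce two of the messages listed under COMMON MESSAGES, "No Proposal Chosen" and "Invalid ID". The following is an added teaching model, not code from this guide or from Check Point; the Transform fields, the QUICK_MODE_OK marker and the two example peers are constructed, and the mapping of failures to messages follows the guide's own notes (sk19243, sk25893).

```python
"""Toy model of IKE main mode proposal selection and quick mode ID checking.
Constructed example, not Check Point's implementation: Transform fields,
QUICK_MODE_OK and the sample peers are made up."""
import ipaddress
from dataclasses import dataclass

QUICK_MODE_OK = "Phase 2 IDs accepted"


@dataclass(frozen=True)
class Transform:
    """One Phase 1 proposal: encryption, hash and Diffie-Hellman group."""
    encryption: str
    integrity: str
    dh_group: int


def phase1_select(initiator_proposals, responder_accepts):
    """Main mode packets 1 and 2: the responder answers with the first
    initiator transform it also supports; nothing in common is what the
    ike debug reports as 'No Proposal Chosen'."""
    for transform in initiator_proposals:
        if transform in responder_accepts:
            return transform
    return "No Proposal Chosen"


def phase2_check(initiator_ids, responder_peer_domain, responder_local_domain,
                 responder_supports_subnets):
    """Quick mode packet 1: initiator_ids is the (initiator side, responder
    side) ID pair as CIDR strings.  A subnet ID sent to a responder with
    'Support key exchange for subnets' cleared is the guide's 'Invalid ID'
    case; an ID outside the responder's view of either encryption domain
    (wrong VPN domain or mask) is its sk19243 'No Proposal Chosen' case."""
    peer_id, local_id = (ipaddress.ip_network(i) for i in initiator_ids)
    if not responder_supports_subnets and (
            peer_id.num_addresses > 1 or local_id.num_addresses > 1):
        return "Invalid ID"
    if not peer_id.subnet_of(ipaddress.ip_network(responder_peer_domain)):
        return "No Proposal Chosen"
    if not local_id.subnet_of(ipaddress.ip_network(responder_local_domain)):
        return "No Proposal Chosen"
    return QUICK_MODE_OK


if __name__ == "__main__":
    # Constructed peers: initiator offers AES first, responder only does 3DES.
    aes, des3 = Transform("aes-256", "sha1", 2), Transform("3des", "md5", 2)
    print(phase1_select([aes, des3], [des3]))
    print(phase2_check(("10.1.0.0/16", "192.168.5.0/24"),
                       "10.1.0.0/16", "192.168.5.0/24", False))
```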

    GOOD SKS to KNOW

    - sk31221: The NGX Advanced Troubleshooting Reference Guide (ATRG)
    - sk26362: Troubleshooting MTU related issues
    - sk30509: Configuring VPN-1/FireWall-1
    - sk31567: What is ike.elg?
    - sk20277: Tunnel failure, "cannot find IPSec methods of the community (VPN Error code 01)" appears
    - sk31279: Files copied over encrypted tunnel displaying error "network path is too deep"
    - sk32648: Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails
    - sk19243: Largest possible subnet even when the largest_possible_subnet option is set to false
    - sk31619: VPN tunnel is down troubleshooting
    - sk19599: How to edit user.def for largest possible subnets and host only


    Aravind April 29, 2011 at 7:49 am

    Hats off friend.. I got real confidence about doing Checkpoint exams after seeing your blog, hurray, it's very useful.. thanks.. this is Aravind from India..


    James June 22, 2011 at 9:40 pm


    The first exam was the hardest; it was full of marketing buzz instead of practical knowledge. The rest became easier and easier because they were more technical.


    Prakash September 4, 2012 at 9:33 pm

    very good article for Checkpoint VPN troubleshooting


    James September 5, 2012 at 5:38 am

    Thank you Prakash.



    Copyright James Fraze, LLC 2001-2014