4/23/2014 Check Point VPN Debugging Guide
http://digitalcrunch.com/check-point-firewall/check-point-vpn-debugging-guide/
Network Security Engineer Notes
Checkpoint, Cisco, Perl, Tufin, VMWare, Windows, Palo Alto, Juniper, Bluecoat
Check Point VPN Debugging Guide
in Check Point Firewall
A few years ago I compiled a list of VPN debugs, error messages, and common gotchas. This information is relevant for Check Point NGX firewalls, but it is not a complete VPN debugging guide.
DEBUGGING INSTRUCTIONS:
From the command line (on a cluster, run this on the active member):
1. vpn debug on
2. vpn debug ikeon
3. vpn tu, then select the option to delete the IPsec+IKE SAs for the peer gateway
4. Send the traffic that should bring up the tunnel
5. vpn debug ikeoff
6. vpn debug off
Turn the debug off as soon as you have reproduced the problem; the debug files grow quickly and IKE debugging is not free on a busy gateway.
Log files are:
$FWDIR/log/ike.elg
$FWDIR/log/vpnd.elg
COMMON MESSAGES:

According to the Policy the Packet should not have been decrypted
- The networks are not defined properly or have a typo
- Make sure the VPN domains under gateway A are all local to gateway A
- Make sure the VPN domains under gateway B are all local to gateway B

Wrong Remote Address

Failed to match proposal
- sk21636: the Cisco side is not configured for compression

No response from peer
- Check the encryption domains
- The remote end needs a decrypt rule
- The remote firewall is not set up for encryption
- Something is blocking communication between the VPN endpoints
- Check UDP 500 and IP protocol 50 (and UDP 4500 if NAT traversal is in use)
No Valid SA
- Both ends need the same definition for the encryption domain
- sk19243 (LAST OPTION): use dbedit on objects_5_0.C, then add the subnets/hosts in user.def
- Most likely the Phase 2 settings
- Cisco might say "no proxy id allowed"
- Disable NAT inside the VPN community
- Check that "Support key exchange for subnets" is configured the way the peer expects
- Make sure the gateway's external (public) IP is the main IP in General Properties
No Proposal chosen
- sk19243: usually caused when a peer does not agree on the VPN domain or subnet mask
- Make sure that encryption and hash match in the Phase 2 settings as well
Cannot Identify Peer (to encryption connection)
- sk22102: rules refer to an object that is not part of the local firewall's encryption domain
- May have overlapping encryption domains (two peers in the same domain); sk18972 explains overlapping
Invalid ID
- sk25893: on the gateway object, VPN -> VPN Advanced, clear "Support key exchange for subnets", then install policy
Authentication Failure / Payload Malformed
- Check the pre-shared secrets on both sides
RESPONDER-LIFETIME
- Seen in the IKE debugs; make sure the SA lifetimes match on both ends
Invalid Certificate
- sk17106: the remote side's peer object is incorrectly configured
- sk23586: NAT rules are needed
- sk18805: multiple issues; define a static NAT, add a rule, check the time
- sk25262: port 18264 problems
- sk32648: port 18264 problems, v2
- sk15037: make sure the gateway can communicate with the management server
No Valid CRL
- sk32721: the CRL has expired and the module cannot get a new valid CRL
AddNegotiation
- FW-1 is handling more than 200 key negotiations at once; set the maximum concurrent IKE connections
Could not get SAs from packet
FW MONITOR NOTES
- A packet passes the inspection points i, I, o, O on the way out and comes back through the same four points on the way in (the -m flag of fw monitor selects which points to show)
- Outbound, the packet is still cleartext at i, I and o; it is ESP between o and O, so that is where the encrypted packet first appears
BASIC STUFF TO CHECK IN THE CONFIGURATION:

Accept FW-1 Control Connections

VPN domains
- Set up in the topology of that object; using the topology is recommended, but you must define it
- Look for overlap or missing networks
- Check both the remote and local objects

Encryption domains
- Your firewall contains your networks
- Their firewall contains their networks

Rule setup
- You need a rule for the originator
- A reply rule is only required for a two-way tunnel

Pre-shared secret or certificate
- Make sure the clocks are accurate on both gateways

Security rulebase
- Make sure there are rules to allow the traffic

Address translation
- Be aware that NAT will affect the Phase 2 negotiation; most people disable NAT in the community

Community properties
- Tunnel management, Phase 1 and Phase 2 encryption settings

Link selection

Routing
- Make sure the destination is routed across the interface you want to encrypt on
- You need IP protocols 50 and 51 (ESP and AH) for IPsec traffic
- You need UDP port 500 for IKE
- Run netstat -rn and look for a single valid default route

SmartView Tracker logs
- Purple = encrypted
- Red = dropped
- Green = no encryption
TRADITIONAL MODE NOTES
- Cannot use VPN routing
- Encryption happens when the traffic hits an explicit encrypt rule
- The rules must be created by hand
SIMPLIFIED MODE NOTES
- Uses VPN communities
- Encryption happens at rule 0
- The encrypt rules are implied
CHECKLIST
1. Define encryption domains for each site
2. Define firewall workstation objects for each site
3. Configure the gateway objects for the correct encryption domain
4. Configure the extranet community with the appropriate gateways and objects
5. Create the necessary encryption rules
6. Configure the encryption properties for each encryption rule
7. Install the security policy
IKE PACKET MODE QUICK REFERENCE
> outgoing, < incoming

PHASE 1 (MAIN MODE)
1 > proposals: encryption and hash algorithms, authentication method (pre-shared secret or certificates), initiator cookie (clear text)
2 < responder agrees on one encryption and hash, responder cookie (clear text)
3 > Diffie-Hellman public value and nonce (random number); if it fails here, reinstall
4 < Diffie-Hellman public value and nonce; if it fails here, reinstall
5 > authentication between peers (encrypted from here on): peer IP address as ID, certificate exchange or hash over the shared secret; this is where expired certificates and time offsets show up
6 < peer has agreed to the proposal and has authenticated the initiator; expired certificates and time offsets show up here too

PHASE 2 (QUICK MODE)
1 > proposes a subnet or host ID for each side, plus encryption, hash and ID data
2 < responder agrees with its own subnet or host ID and the encryption and hash
3 > initiator completes the IKE negotiation
GOOD SKS TO KNOW
- sk31221: The NGX Advanced Troubleshooting Reference Guide (ATRG)
- sk26362: Troubleshooting MTU related issues
- sk30509: Configuring VPN-1/FireWall-1
- sk31567: What is ike.elg?
- sk20277: Tunnel failure, "cannot find IPSec methods of the community (VPN Error code 01)" appears
- sk31279: Files copied over an encrypted tunnel display the error "network path is too deep"
- sk32648: Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails
- sk19243: Largest possible subnet is used even when the largest_possible_subnet option is set to false
- sk31619: VPN tunnel is down troubleshooting
- sk19599: How to edit user.def for largest possible subnets and host only
4 comments
Aravind April 29, 2011 at 7:49 am
Hats off, friend. I got real confidence about doing the Checkpoint exams after seeing your blog. Hurray, it's very useful. Thanks. This is Aravind from India.
James June 22, 2011 at 9:40 pm
The first exam was the hardest; it was full of marketing buzz instead of practical knowledge. The rest became easier and easier because they were more technical.
Prakash September 4, 2012 at 9:33 pm
very good article for Checkpoint VPN troubleshooting
James September 5, 2012 at 5:38 am
Thank you Prakash.
Copyright James Fraze, LLC 2001-2014