4/23/2014 Check Point VPN Debugging Guide

http://digitalcrunch.com/check-point-firewall/check-point-vpn-debugging-guide/ 1/6
Network Security Engineer Notes
Check Point VPN Debugging Guide
in Check Point Firewall
A few years ago I compiled a list of VPN debugs, error messages, and common gotchas. This information is relevant for
Check Point NGX firewall, but is not a complete VPN Debugging Guide.
DEBUGGING INSTRUCTIONS:
From the command line (on the active member, if it is a cluster):
  vpn debug on
  vpn debug ikeon
  vpn tu
    select the option to delete IPSEC+IKE SAs for a given peer (gw)
  Try the traffic to bring up the tunnel
  vpn debug ikeoff
  vpn debug off
Log files are:
  $FWDIR/log/ike.elg
  $FWDIR/log/vpnd.elg
COMMON MESSAGES:
According to the Policy the Packet should not have been decrypted
  The networks are not defined properly or have a typo
  Make sure VPN domains under gateway A are all local to gateway A
  Make sure VPN domains under gateway B are all local to gateway B
Wrong Remote Address
Failed to match proposal
  sk21636: Cisco side not configured for compression
No response from peer
  Check encryption domains.
  The remote end needs a decrypt rule
  The remote firewall is not set up for encryption
  Something is blocking communication between the VPN endpoints
  Check UDP 500 and IP protocol 50
No Valid SA
  Both ends need the same definition for the encryption domain.
  sk19243 (LAST OPTION): use dbedit on objects_5_0.C, then add subnets/hosts in user.def
  Likely Phase 2 settings
  Cisco might say "no proxy id allowed"
  Disable NAT inside the VPN community
  Make sure "Support Key exchange for subnets" is properly configured
  Make sure the firewall external interface has a public IP in General Properties
No Proposal chosen
  sk19243: usually caused when a peer does not agree on the VPN domain or subnet mask
  Make sure that encryption and hash match as well in the Phase 2 settings
Cannot Identify Peer (to encryption connection)
  sk22102: rules refer to an object that is not part of the local firewall's encryption domain
  May have overlapping encryption domains
  Two peers in the same domain
  sk18972 explains overlapping
Invalid ID
  sk25893: Gateway -> VPN -> VPN Advanced, clear "Support key exchange for subnets", install policy
Authentication Failure
Payload Malformed
  Check pre-shared secrets
RESPONDER-LIFETIME
  As seen in IKE debugs; make sure they match on both ends
Invalid Certificate
  sk17106: remote side peer object is incorrectly configured
  sk23586: NAT rules are needed
  sk18805: multiple issues; define a static NAT, add a rule, check time
  sk25262: port 18264 has problems
  sk32648: port 18264 problems v2
  sk15037: make sure the gateway can communicate with management
No Valid CRL
  sk32721: CRL has expired and the module can't get a new valid CRL
AddNegotiation
  FW-1 is handling more than 200 key negotiations at once
  Set maximum concurrent IKE connections
Could not get SAs from packet
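Several of the messages above (overlapping domains, two peers in the same domain, no common Phase 1 / Phase 2 proposal) come down to comparing the two peers' configurations. The following is an added example, not code from the original post or from Check Point: it uses a constructed, hypothetical description of two gateways (the GATEWAYS dict and its keys are assumptions, not Check Point's object format) and flags exactly those mismatches before you reach for ike.elg; it also covers the encryption domain and community property checks listed further down the page.

```python
import ipaddress

# Constructed, hypothetical description of two peers (not Check Point's object
# format and not a real site): each gateway's VPN/encryption domain subnets and
# the IKE proposals it offers as (encryption, hash[, DH group]) tuples.
GATEWAYS = {
    "gw_a": {
        "domain": ["10.1.0.0/16", "10.3.0.0/24"],
        "phase1": {("aes256", "sha1", "group2")},
        "phase2": {("aes128", "sha1"), ("3des", "md5")},
    },
    "gw_b": {
        "domain": ["192.168.2.0/24", "10.3.0.0/24"],  # 10.3.0.0/24 also in gw_a
        "phase1": {("aes256", "sha1", "group2")},
        "phase2": {("aes256", "sha256")},             # nothing in common with gw_a
    },
}

def nets(gw):
    return [ipaddress.ip_network(n) for n in GATEWAYS[gw]["domain"]]

def overlapping_domains(gw1, gw2):
    """Subnet pairs that overlap between the two peers' encryption domains."""
    return [(str(a), str(b)) for a in nets(gw1) for b in nets(gw2) if a.overlaps(b)]

def domain_of(host):
    """Gateways whose encryption domain contains host. More than one means two
    peers claim the same domain; none means the host cannot be matched to a peer."""
    ip = ipaddress.ip_address(host)
    return sorted(gw for gw in GATEWAYS if any(ip in n for n in nets(gw)))

def common_proposals(gw1, gw2, phase):
    """Proposals both peers accept for 'phase1' or 'phase2'; an empty set is the
    situation behind 'No Proposal chosen' / 'Failed to match proposal'."""
    return GATEWAYS[gw1][phase] & GATEWAYS[gw2][phase]

def preflight(gw1, gw2):
    """List the configuration problems a pair of gateways would hit in IKE."""
    problems = [f"overlap: {a} ({gw1}) vs {b} ({gw2})"
                for a, b in overlapping_domains(gw1, gw2)]
    for phase in ("phase1", "phase2"):
        if not common_proposals(gw1, gw2, phase):
            problems.append(f"{phase}: no common proposal")
    return problems

if __name__ == "__main__":
    for problem in preflight("gw_a", "gw_b"):
        print(problem)
    print("10.3.0.7 is in the domain of:", domain_of("10.3.0.7"))
```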
FW MONITOR NOTES
The packet shows up at the inspection points i, I, o, O (in that order)
The packet will be ESP between o and O (encryption happens between the two outbound inspection points)
BASIC STUFF TO CHECK IN THE CONFIGURATION:
Accept FW-1 Control Connections
VPN domains
  set up in the topology of that item
  using topology is recommended, but you must define it
  look for overlap or missing networks
  Check remote and local objects.
Encryption Domains
  your firewall contains your networks
  their firewall contains their networks
Rule Setup
  you need a rule for the originator.
  A reply rule is only required for a 2-way tunnel
Preshared secret or certificate
  Make sure times are accurate
Security rulebase
  make sure there are rules to allow the traffic
Address Translation
  be aware that this will affect the Phase 2 negotiations
  most people disable NAT in the community
Community Properties
  Tunnel management, Phase 1 / Phase 2 encryption settings.
Link selection
Routing
  make sure that the destination is routed across the interface that you want it to encrypt on
  you need IP protocols 50 and 51 for IPSEC-related traffic
  you need UDP port 500 for IKE
  netstat -rn and look for a single valid default route
SmartView Tracker Logs
  purple = encrypted
  red = dropped
  green = no encryption
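The two routing checks above (one valid default route, and the peer reached via the interface you expect to encrypt on) can be applied to saved netstat -rn output. This is an added example, not from the original post; the routing table below is constructed for the example (two default routes on purpose) and the function names are assumptions.

```python
import ipaddress

# Constructed sample of `netstat -rn` output in Linux/SPLAT column layout; not
# captured from a real gateway. Two default routes are deliberately present.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.0.0        0.0.0.0         255.255.0.0     U         0 0          0 eth1
192.168.2.0     203.0.113.1     255.255.255.0   UG        0 0          0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
0.0.0.0         10.1.0.254      0.0.0.0         UG        0 0          0 eth1
"""

def parse_routes(text):
    """Return (network, gateway, iface) tuples from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # skip the two header lines
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[-1]
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return routes

def default_routes(routes):
    """Routes with a /0 mask; the page expects exactly one valid default route."""
    return [r for r in routes if r[0].prefixlen == 0]

def egress_interface(routes, destination):
    """Longest-prefix match: the interface traffic to `destination` leaves on,
    which must be the interface you expect the VPN to encrypt on."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[2]

def route_check(text, peer_host, expected_iface):
    """Report the routing problems the page's checklist would catch."""
    routes = parse_routes(text)
    problems = []
    ndefault = len(default_routes(routes))
    if ndefault != 1:
        problems.append(f"{ndefault} default routes, expected 1")
    iface = egress_interface(routes, peer_host)
    if iface != expected_iface:
        problems.append(f"{peer_host} leaves via {iface}, expected {expected_iface}")
    return problems
```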
TRADITIONAL MODE NOTES
  can't VPN Route
  encryption happens when you hit an explicit rule
  rules must be created
SIMPLIFIED MODE NOTES
  VPN Communities
  Encryption happens at rule 0
  rules are implied
CHECKLIST
  Define encryption domains for each site
  Define firewall workstation objects for each site
  Configure the gateway objects for the correct encryption domain
  Configure the extranet community with the appropriate gateways and objects
  Create the necessary encryption rules.
  Configure the encryption properties for each encryption rule.
  Install the security policy
IKE PACKET MODE QUICK REFERENCE
> outgoing
< incoming
PHASE 1 (MAIN MODE)
1 > Pre-shared secrets, encryption & hash algorithms, auth method, initiator cookie (clear text)
2 < agree on one encryption & hash, responder cookie (clear text)
3 > random numbers sent to prove identity (if it fails here, reinstall)
4 < random numbers sent to prove identity (if it fails here, reinstall)
5 > authentication between peers, peer's IP address, certificate exchange, shared secrets, expired certs, time offsets
6 < peer has agreed to the proposal and has authenticated the initiator, expired certs, time offsets
PHASE 2 (QUICK MODE)
1 > Use a subnet or a host ID, encryption, hash, ID data
2 < agrees with its own subnet or host ID and encryption and hash
3 > completes IKE negotiation
GOOD SKs TO KNOW
sk31221 The NGX Advanced Troubleshooting Reference Guide (ATRG)
sk26362 Troubleshooting MTU related issues
sk30509 Configuring VPN-1/FireWall-1
sk31567 What is ike.elg?
sk20277 Tunnel failure, cannot find IPSec methods of the community (VPN Error code 01) appears
sk31279 Files copied over encrypted tunnel displaying error: network path is too deep
sk32648 Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails
sk19243 largest possible subnet even when the largest_possible_subnet option is set to false
sk31619 VPN tunnel is down troubleshooting
sk19599 how to edit user.def for largest possible subnets & host only
Aravind April 29, 2011 at 7:49 am
Hats off, friend. I got real confidence about doing Checkpoint exams after seeing your blog. Hurray, it's very
useful. Thanks. This is Aravind from India.
James June 22, 2011 at 9:40 pm
The first exam was the hardest; it was full of marketing buzz instead of practical knowledge. The rest
became easier and easier because they were more technical.
Prakash September 4, 2012 at 9:33 pm
Very good article for Checkpoint VPN troubleshooting.
James September 5, 2012 at 5:38 am
Thank you Prakash.
Copyright James Fraze, LLC 2001-2014