3/13/12 5:48 PM
Confirm Phase 1
To confirm whether IKE (Phase 1) has been successful you can run the following command. You may find that there is no IKE cookie but there is a Phase 2 Security Association. This is due to the Phase 1 IKE lifetime being set to a value less than the Phase 2 lifetime. You can find additional details here.

netscreen(M)-> get ike cookie | i [remote peer ip]
80522f/0003, [local peer]:500->[remote peer]:500, PRESHR/grp2/AES256/SHA, xchg(5) (Example/grp-1/usr1)
Confirm Phase 2
From the get sa command you can see the status and various details of the Security Associations. The status columns in the output (shown in bold on the original page) give the status of the VPN tunnel (left) and the status of the VPN monitor (right). In this case the VPN tunnel is active and the VPN monitor is dashed out as it isn't enabled.

netscreen(M)-> get sa | i [peer ip]
00000007<   [peer ip]   500 esp:3des/md5
00000007>   [peer ip]   500 esp:3des/md5

Using the SA ID we can confirm additional details of the Phase 2 SA.

netscreen(M)-> get sa id 0x00000007
index 49, name Example, peer gateway ip [remote peer]. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0 site-to-site. Local interface is ethernet5 <[local peer]>.
esp, group 0, a256 encryption, sha1 authentication
autokey, IN active, OUT active
monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x2067
proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
ike activity timestamp: 590051543
nat-traversal map not available
incoming: SPI 9j32882e, flag 00004000, tunnel info 40000296, pipeline
 life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
 anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
 next pak sequence number: 0x0
outgoing: SPI 7bz2a942, flag 00000000, tunnel info 40000296, pipeline
 life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
 anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
 next pak sequence number: 0x89j9c
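The two checks above (no IKE cookie but an active Phase 2 SA; tunnel active, monitor disabled; lifetime, anti-replay and proxy IDs in the SA detail) can be automated by parsing the command output. The following is an added example, not code from the original article or from Juniper: it parses constructed copies of the get ike cookie and get sa id listings (the peer addresses are documentation-range placeholders, the SPI values are taken from the page) and returns the findings the article walks through by hand.

```python
import re

# Constructed sample output modelled on the page's `get ike cookie` and
# `get sa id` listings; peer addresses are documentation-range placeholders.
IKE_COOKIE_OUTPUT = """\
80522f/0003, 192.0.2.1:500->198.51.100.1:500, PRESHR/grp2/AES256/SHA, xchg(5) (Example/grp-1/usr1)
"""

SA_DETAIL_OUTPUT = """\
index 49, name Example, peer gateway ip 198.51.100.1. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0 site-to-site. Local interface is ethernet5 <192.0.2.1>.
esp, group 0, a256 encryption, sha1 authentication
autokey, IN active, OUT active
monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x2067
proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
ike activity timestamp: 590051543
nat-traversal map not available
incoming: SPI 9j32882e, flag 00004000, tunnel info 40000296, pipeline
 life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
 anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
 next pak sequence number: 0x0
outgoing: SPI 7bz2a942, flag 00000000, tunnel info 40000296, pipeline
 life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
 anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
 next pak sequence number: 0x89j9c
"""

# One `get ike cookie` line: cookie, local->remote, auth/group/enc/hash, exchange type
IKE_LINE = re.compile(
    r"^(?P<cookie>[0-9a-f]+/[0-9a-f]+), (?P<local>\S+)->(?P<remote>\S+), "
    r"(?P<auth>\w+)/(?P<group>grp\d+)/(?P<enc>\w+)/(?P<hash>\w+), xchg\((?P<xchg>\d+)\)"
)


def parse_ike_cookies(text):
    """One dict per Phase 1 SA line; an empty list means no IKE SA is present."""
    matches = (IKE_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def parse_sa_detail(text):
    """Pull the fields a troubleshooter cares about out of `get sa id` output."""
    sa = {}
    m = re.search(r"^index (\d+), name (\S+), peer gateway ip ([0-9.]+)\. ", text, re.M)
    sa["name"], sa["peer"] = m.group(2), m.group(3)
    m = re.search(r"(\w+) encryption, (\w+) authentication", text)
    sa["encryption"], sa["authentication"] = m.group(1), m.group(2)
    sa["in_active"] = "IN active" in text
    sa["out_active"] = "OUT active" in text
    sa["monitor"] = int(re.search(r"monitor<(\d+)>", text).group(1))
    m = re.search(r"proxy id: local (\S+), remote (\S+), proto (\d+), port (\d+)", text)
    sa["proxy_local"], sa["proxy_remote"] = m.group(1), m.group(2)
    sa["directions"] = {}
    for direction in ("incoming", "outgoing"):
        # SPI on the header line, lifetime and anti-replay on the indented lines below it
        m = re.search(
            rf"^{direction}: SPI (\S+),.*?\n life (\d+) sec, (\d+) remain.*?\n anti-replay (\w+)",
            text, re.M | re.S)
        sa["directions"][direction] = {
            "spi": m.group(1), "life": int(m.group(2)),
            "remain": int(m.group(3)), "anti_replay": m.group(4) == "on"}
    return sa


def assess(phase1, sa):
    """Turn the parsed state into the findings the article checks by eye."""
    findings = []
    both_active = sa["in_active"] and sa["out_active"]
    if not phase1 and both_active:
        findings.append("no IKE cookie but an active Phase 2 SA: normal when the Phase 1 "
                        "lifetime is shorter than the Phase 2 lifetime")
    if not both_active:
        findings.append("Phase 2 SA is not active in both directions")
    if sa["monitor"] == 0:
        findings.append("VPN monitor is not enabled (shown dashed out in `get sa`)")
    for name, d in sa["directions"].items():
        if not d["anti_replay"]:
            findings.append(f"{name} SA: anti-replay is off")
        if d["remain"] < d["life"] // 10:
            findings.append(f"{name} SA: under 10% of lifetime remains ({d['remain']}s of {d['life']}s)")
    if sa["proxy_local"] == "0.0.0.0/0.0.0.0" and sa["proxy_remote"] == "0.0.0.0/0.0.0.0":
        findings.append("proxy IDs are 0.0.0.0/0 on both sides, as is typical of a route-based VPN")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ike_cookies(IKE_COOKIE_OUTPUT), parse_sa_detail(SA_DETAIL_OUTPUT)):
        print(finding)
```

Feed it the real output of the two commands (captured from the console) in place of the constructed strings; passing an empty string as the Phase 1 output reproduces the "no IKE cookie" case the article describes.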
http://fir3net.com/Netscreen/troubleshooting-a-netscreen-site-2-site-vpn.html
Running a Debug
Here we will run a debug so we can obtain a more verbose view of what is happening to our traffic. The flow filter (set ff) restricts the debug output to the traffic between the two endpoints.

netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint]
netscreen(M)-> undebug all
netscreen(M)-> clear db
netscreen(M)-> debug ike basic
netscreen(M)-> debug flow basic
netscreen(M)-> get db str
!
!
Permitted by policy 109
No src xlate   choose interface ethernet5 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
vsd 0 is active
no loop on ifp ethernet5.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet2>, out <ethernet5>
existing vector list 25-6870620.
Session (id:127345) created for first pak 25
flow_first_install_session======>
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet5, [remote endpoint]->[local endpoint]) in vr trust-vr for vsd-0/flag3000/ifp-ethernet2
[Dest] 10.route [local endpoint]->[next hop], to ethernet2
route to [next hop]
nsrp msg sent.
flow got session.
flow session id 127345
vsd 0 is active
skipping pre-frag
going into tunnel 40000266.
flow_encrypt: pipeline.
chip info: DMA. Tunnel id 00000266
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(557a0f0) into flush queue.
remove packet(557a0f0) out from flush queue.

Once you have the output, run undebug all again so the debug does not keep consuming resources on the firewall. If the tunnel does not come up you can use the following debug, filtered on the peer's IP:

netscreen(M)-> set sa-filter [IP]
netscreen(M)-> debug ike detail
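The flow trace above is read for a handful of decision points: was the packet permitted by a policy, which interface was chosen, was a session created, did the packet enter a tunnel, and did ESP encryption complete. The following is an added example, not code from the original article or from Juniper: it extracts those points from a constructed copy of the page's get db str output (addresses replaced by documentation-range placeholders) and from a second constructed trace in which the packet is permitted but never reaches a tunnel, and maps each to the next thing to check.

```python
import re

# Constructed sample modelled on the page's `get db str` output for a packet that
# is permitted and encrypted; addresses are documentation-range placeholders.
FLOW_TRACE_OK = """\
Permitted by policy 109
No src xlate   choose interface ethernet5 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
vsd 0 is active
no loop on ifp ethernet5.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet2>, out <ethernet5>
existing vector list 25-6870620.
Session (id:127345) created for first pak 25
flow_first_install_session======>
cache mac in the session
make_nsp_ready_no_resolve()
search route to (ethernet5, 198.51.100.10->192.0.2.10) in vr trust-vr for vsd-0/flag3000/ifp-ethernet2
[Dest] 10.route 192.0.2.10->192.0.2.254, to ethernet2
route to 192.0.2.254
nsrp msg sent.
flow got session.
flow session id 127345
vsd 0 is active
skipping pre-frag
going into tunnel 40000266.
flow_encrypt: pipeline.
chip info: DMA. Tunnel id 00000266
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(557a0f0) into flush queue.
remove packet(557a0f0) out from flush queue.
"""

# Constructed variant (not from the page): the same policy match, but the packet
# leaves a plain interface and the trace never reaches a tunnel.
FLOW_TRACE_NO_TUNNEL = """\
Permitted by policy 109
No src xlate   choose interface ethernet3 as outgoing phy if
flow_first_final_check: in <ethernet2>, out <ethernet3>
Session (id:127346) created for first pak 25
flow got session.
flow session id 127346
put packet(557a0f4) into flush queue.
"""


def parse_flow_trace(text):
    """Extract the decision points of a ScreenOS flow trace into a dict."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None

    return {
        "policy": grab(r"Permitted by policy (\d+)", int),
        "out_if": grab(r"choose interface (\S+) as outgoing phy if"),
        "session": grab(r"Session \(id:(\d+)\) created", int),
        "tunnel": grab(r"going into tunnel (\w+)\."),
        "encrypted": "ipsec encrypt done" in text,
    }


def diagnose(trace):
    """Map the parsed trace to the next thing to check."""
    if trace["policy"] is None:
        return "not permitted by any policy: check the policy between the source and destination zones"
    if trace["tunnel"] is None:
        return (f"permitted by policy {trace['policy']} but never entered a tunnel "
                f"(egress {trace['out_if']}): check the route for a route-based VPN, "
                f"or the policy's tunnel action for a policy-based VPN")
    if not trace["encrypted"]:
        return f"entered tunnel {trace['tunnel']} but ESP encryption did not complete: check the Phase 2 SA"
    return (f"ok: policy {trace['policy']}, session {trace['session']}, "
            f"encrypted into tunnel {trace['tunnel']}")


if __name__ == "__main__":
    for sample in (FLOW_TRACE_OK, FLOW_TRACE_NO_TUNNEL):
        print(diagnose(parse_flow_trace(sample)))
```

Paste the captured get db str output in place of the constructed strings; the parser only looks for the fixed phrases shown in the trace, so an empty or truncated capture is reported as "not permitted" rather than silently treated as success.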
Event Logs
In addition to checking in the logs that the traffic is being passed, you can check for Phase 1 and Phase 2 errors in the device's event logs, filtered on the peer's IP:

netscreen(M)-> get event include [peer ip]