Categories
Check Point

Check Point VPN Debugging Guide

A few years ago I compiled a list of VPN debugs, error messages, and common gotchas. This information is relevant for Check Point NGX firewall, but is not a complete VPN Debugging Guide.

DEBUGGING INSTRUCTIONS:

From the command line ( if cluster, active member )

  • vpn debug on
  • vpn debug ikeon
  • vpn tu
  • select the option to delete IPSEC+IKE SAs for a given peer (gw)
  • Try the traffic to bring up the tunnel
  • vpn debug ikeoff
  • vpn debug off

Log Files are

  • $FWDIR/log/ike.elg
  • $FWDIR/log/vpnd.elg

COMMON MESSAGES:

According to the Policy the Packet should not have been decrypted

  • The networks are not defined properly or have a typo
  • Make sure VPN domains under gateway A are all local to gateway A
  • Make sure VPN domains under gateway B are all local to gateway B

Wrong Remote Address

Failed to match proposal

  • sk21636 – cisco side not configured for compression

No response from peer

  • check encryption domains.
  • remote end needs a decrypt rule
  • remote firewall not setup for encryption
  • somethign is blocking communication between VPN endpoints
  • Check UDP 500 and protocol 50

No Valid SA

  • both ends need the same definition for the encrytpion domain.
  • sk19243 – (LAST OPTION) use debedit objects_5_0.c, then add subnets/hosts in users.def
  • likely phase2 settings
  • cisco might say ‘no proxy id allowed”
  • Disable NAT inside VPN community
  • Support Key exchange for subnets is properly configured
  • Make sure firewall external interface is in public IP in general properties

No Proposal chosen

  • sk19243 – usually cuased when a peer does not agree to VPN Domain or subnet mask
  • make sure that encryption and hash match as well in Phase 2 settings

Cannot Identify Peer (to encryption connection)

  • sk22102 – rules refer to an object that is not part of the local firewalls encryption domain
  • may have overlapping encryption domains
  • 2 peers in the same domain
  • sk18972 – explains overlapping

Invalid ID

  • sk25893 – Gateway: VPN-> VPN Advanced, Clear “Support key exhcnage for subnets”, Install policy

Authentication Failure

Payload Malformed

  • check pre shared secrets

RESPONDER-LIFETIME

  • As seen in ike debugs, make sure they match on both ends

Invalid Certificate

  • sk17106 – Remote side peer object is incorrectly configured
  • sk23586 – nat rules are needed
  • sk18805 – multiple issues, define a static nat, add a rule, check time
  • sk25262 – port 18264 has problems
  • sk32648 – port 18264 problems v2
  • sk15037 – make sure gateway can communicate with management

No Valid CRL

  • sk32721 – CRL has expired, and module can’t get a new valid CRL

AddNegotiation

  • FW-1 is handling more than 200 key negotiations at once
  • vSet maximum concurrent IKE connections

Could not get SAs from packet

FW MONITOR NOTES

  • packet comes back i I o O
  • packet will be ESP between o and O

BASIC STUFF TO CHECK IN THE CONFIGURATION:

Accept FW-1 Control Connections

VPN domains

  • setup in the topology of that item
  • using topology is recommended, but you must define
  • looking for overlap, or missing networks.
  • Check remote and local objects.

Encryption Domains

  • your firewall contains your networks
  • their firewall contains their networks

Rule Setup

  • you need a rule for the originator.
  • Reply rule is only required for 2 way tunnel

Preshared secret or certificate

  • Make sure times are accurate

Security rulebase

  • make sure there are rules to allow the traffic

Address Translation

  • be aware that this will effect the Phase 2 negotiations
  • most people disable NAT in the community

Community Properties

  • Tunnel management, Phase1 Phase2 encrypt settings.

Link selection

Routing

  • make sure that the destination is routed across the interface that you want it to encrypt on
  • you need IP proto 50 and 51 fo IPSEC related traffic
  • you need port 500 UDP for IKE
  • netstat -rn and look for a single valid default route

Smartview Tracker Logs

  • purple = encrypted
  • red = dropped
  • green = no encryption

TRADITIONAL MODE NOTES

  • can’t VPN Route
  • encryption happens when you hit explicit rule
  • rules must be created

SIMPLIFIED MODE NOTES

  • VPN Communities
  • Encryption happens at rule 0
  • rules are implied

CHECKLIST

  • Define encryption domains for each site
  • Define firewall workstation objects for each site
  • Configure the gateway objects for the correct encryption domain
  • Configure the extranet community with the appropriate gateways and objects
  • Create the necessary encryption rules.
  • Configure the encryption properties for each encryption rule.
  • Install the security Policy

IKE PACKET MODE QUICK REFERENCE

  • – > outgoing
  • < – incoming

PHASE 1 (MAIN MODE)

  • 1 > Pre shared Secrets, Encryption & hash Algorithims, Auth method, inititor cookie (clear text)
  • 2 < agree on one encryption & hash, responder cookie (clear text)
  • 3 > random numbers sent to prove identity (if it fails here, reinstall)
  • 4 < random numbers sent to prove identity (if it fails here, reinstall)
  • 5 > authentication between peers, peers ip address, certificates exchange, shared secrets, expired certs, time offsets
  • 6 < peer has agreed to the proposal and has authenticated initiator, expired certs, time offsets

PHASE 2 (QUICK MODE)

  • 1 > Use a subnet or a host ID, Encryption, hash, ID data
  • 2 < agrees with it’s own subnet or host ID and encryption and hash
  • 3 > completes IKE negotiation

GOOD SKS to KNOW

  • sk31221 – The NGX Advanced Troubleshooting Reference Guide (ATRG)
  • sk26362 – Troubleshooting MTU related issues
  • sk30509 – Configuring VPN-1/FireWall-1
  • sk31567 – What is ike.elg?
  • sk20277 – “Tunnel failure, cannot find IPSec methods of the community (VPN Error code 01)” appears
  • sk31279 – Files copied over encrypted tunnel displaying error: “network path is too deep”
  • sk32648 – Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails
  • sk19243 – largest possible subnet even when the largest_possible_subnet option is set to false
  • sk31619 – VPN tunnel is down troubleshooting
  • sk19599 – how to edit user.def for largest possible subnets & host only

7 replies on “Check Point VPN Debugging Guide”

Hats off friend..I got a real confidence of doing Checkpoint exams after seeing your blog…hurray its very useful..thanks..this is Aravind from India.. 🙂 🙂

The first exam was the hardest – it was full of marketing buzz instead of practical knowledge. The rest became easier and easier because they were more technical.

Hi
Do we have any feasibility that we can check the Pr-shared key over the command line in checkpoint firewall R77 or R65.
Note : VPN is up and running …but i want to see the Pr-shared key over the cli for the specific Gateway.
Thanks
Panjala

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.