Wednesday, June 29, 2016

Training - VPN Troubleshooting

Locate Source of Encryption Failures


[Expert@a-gw:0]# vpn debug
 Usage: vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size(Mb) ]| ikeoff | trunc [ DEBUG_TOPIC=level ] | truncon [ DEBUG_TOPIC=level ] | truncoff | timeon [ SECONDS ] | timeoff | ikefail [ -s size(Mb) ]| mon | moff | say [ string ] >
[Expert@a-gw:0]#



vpnd.elg



A few years ago I compiled a list of VPN debugs, error messages, and common gotchas. This information is relevant for Check Point NGX firewall, but is not a complete VPN Debugging Guide.

DEBUGGING INSTRUCTIONS:

From the command line ( if cluster, active member )
  • vpn debug on
  • vpn debug ikeon
  • vpn tu
  • select the option to delete IPSEC+IKE SAs for a given peer (gw)
  • Try the traffic to bring up the tunnel
  • vpn debug ikeoff
  • vpn debug off
Log Files are
  • $FWDIR/log/ike.elg
  • $FWDIR/log/vpnd.elg

COMMON MESSAGES:

According to the Policy the Packet should not have been decrypted
  • The networks are not defined properly or have a typo
  • Make sure VPN domains under gateway A are all local to gateway A
  • Make sure VPN domains under gateway B are all local to gateway B

Wrong Remote Address

Failed to match proposal

  • sk21636 – cisco side not configured for compression

No response from peer

  • check encryption domains.
  • remote end needs a decrypt rule
  • remote firewall not setup for encryption
  • somethign is blocking communication between VPN endpoints
  • Check UDP 500 and protocol 50

No Valid SA

  • both ends need the same definition for the encrytpion domain.
  • sk19243 – (LAST OPTION) use debedit objects_5_0.c, then add subnets/hosts in users.def
  • likely phase2 settings
  • cisco might say ‘no proxy id allowed”
  • Disable NAT inside VPN community
  • Support Key exchange for subnets is properly configured
  • Make sure firewall external interface is in public IP in general properties

No Proposal chosen

  • sk19243 – usually cuased when a peer does not agree to VPN Domain or subnet mask
  • make sure that encryption and hash match as well in Phase 2 settings

Cannot Identify Peer (to encryption connection)

  • sk22102 – rules refer to an object that is not part of the local firewalls encryption domain
  • may have overlapping encryption domains
  • 2 peers in the same domain
  • sk18972 – explains overlapping

Invalid ID

  • sk25893 – Gateway: VPN-> VPN Advanced, Clear “Support key exhcnage for subnets”, Install policy

Authentication Failure

Payload Malformed

  • check pre shared secrets

RESPONDER-LIFETIME

  • As seen in ike debugs, make sure they match on both ends

Invalid Certificate

  • sk17106 – Remote side peer object is incorrectly configured
  • sk23586 – nat rules are needed
  • sk18805 – multiple issues, define a static nat, add a rule, check time
  • sk25262 – port 18264 has problems
  • sk32648 – port 18264 problems v2
  • sk15037 – make sure gateway can communicate with management

No Valid CRL

  • sk32721 – CRL has expired, and module can’t get a new valid CRL

AddNegotiation

  • FW-1 is handling more than 200 key negotiations at once
  • vSet maximum concurrent IKE connections

Could not get SAs from packet

FW MONITOR NOTES

  • packet comes back i I o O
  • packet will be ESP between o and O

BASIC STUFF TO CHECK IN THE CONFIGURATION:

Accept FW-1 Control Connections

VPN domains

  • setup in the topology of that item
  • using topology is recommended, but you must define
  • looking for overlap, or missing networks.
  • Check remote and local objects.

Encryption Domains

  • your firewall contains your networks
  • their firewall contains their networks

Rule Setup

  • you need a rule for the originator.
  • Reply rule is only required for 2 way tunnel

Preshared secret or certificate

  • Make sure times are accurate

Security rulebase

  • make sure there are rules to allow the traffic

Address Translation

  • be aware that this will effect the Phase 2 negotiations
  • most people disable NAT in the community

Community Properties

  • Tunnel management, Phase1 Phase2 encrypt settings.

Link selection

Routing

  • make sure that the destination is routed across the interface that you want it to encrypt on
  • you need IP proto 50 and 51 fo IPSEC related traffic
  • you need port 500 UDP for IKE
  • netstat -rn and look for a single valid default route

Smartview Tracker Logs

  • purple = encrypted
  • red = dropped
  • green = no encryption

TRADITIONAL MODE NOTES

  • can’t VPN Route
  • encryption happens when you hit explicit rule
  • rules must be created

SIMPLIFIED MODE NOTES

  • VPN Communities
  • Encryption happens at rule 0
  • rules are implied

CHECKLIST

  • Define encryption domains for each site
  • Define firewall workstation objects for each site
  • Configure the gateway objects for the correct encryption domain
  • Configure the extranet community with the appropriate gateways and objects
  • Create the necessary encryption rules.
  • Configure the encryption properties for each encryption rule.
  • Install the security Policy

IKE PACKET MODE QUICK REFERENCE

  • – > outgoing
  • < – incoming
PHASE 1 (MAIN MODE)
  • 1 > Pre shared Secrets, Encryption & hash Algorithims, Auth method, inititor cookie (clear text)
  • 2 < agree on one encryption & hash, responder cookie (clear text)
  • 3 > random numbers sent to prove identity (if it fails here, reinstall)
  • 4 < random numbers sent to prove identity (if it fails here, reinstall)
  • 5 > authentication between peers, peers ip address, certificates exchange, shared secrets, expired certs, time offsets
  • 6 < peer has agreed to the proposal and has authenticated initiator, expired certs, time offsets
PHASE 2 (QUICK MODE)
  • 1 > Use a subnet or a host ID, Encryption, hash, ID data
  • 2 < agrees with it’s own subnet or host ID and encryption and hash
  • 3 > completes IKE negotiation

GOOD SKS to KNOW

  • sk31221 – The NGX Advanced Troubleshooting Reference Guide (ATRG)
  • sk26362 – Troubleshooting MTU related issues
  • sk30509 – Configuring VPN-1/FireWall-1
  • sk31567 – What is ike.elg?
  • sk20277 – “Tunnel failure, cannot find IPSec methods of the community (VPN Error code 01)” appears
  • sk31279 – Files copied over encrypted tunnel displaying error: “network path is too deep”
  • sk32648 – Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails
  • sk19243 – largest possible subnet even when the largest_possible_subnet option is set to false
  • sk31619 – VPN tunnel is down troubleshooting
  • sk19599 – how to edit user.def for largest possible subnets & host only