Locate Source of Encryption Failures
[Expert@a-gw:0]# vpn debug
Usage: vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size(Mb) ]| ikeoff | trunc [ DEBUG_TOPIC=level ] | truncon [ DEBUG_TOPIC=level ] | truncoff | timeon [ SECONDS ] | timeoff | ikefail [ -s size(Mb) ]| mon | moff | say [ string ] >
[Expert@a-gw:0]#
vpnd.elg
A few years ago I compiled a list of VPN debugs, error messages, and common gotchas. This information applies to Check Point NGX firewalls, but it is not a complete VPN debugging guide.
DEBUGGING INSTRUCTIONS:
From the command line (on the active member, if the gateway is a cluster)
- vpn debug on
- vpn debug ikeon
- vpn tu
- select the option to delete the IPsec+IKE SAs for the given peer (gateway), so the tunnel is renegotiated from scratch
- Try the traffic to bring up the tunnel
- vpn debug ikeoff
- vpn debug off
Log files are:
- $FWDIR/log/ike.elg
- $FWDIR/log/vpnd.elg
COMMON MESSAGES:
According to the Policy the Packet should not have been decrypted
- The networks are not defined properly or have a typo
- Make sure VPN domains under gateway A are all local to gateway A
- Make sure VPN domains under gateway B are all local to gateway B
Wrong Remote Address
Failed to match proposal
- sk21636 – Cisco side not configured for compression
No response from peer
- check encryption domains
- remote end needs a decrypt rule
- remote firewall not set up for encryption
- something is blocking communication between the VPN endpoints
- check that UDP 500 (IKE) and IP protocol 50 (ESP) pass between the peers
No Valid SA
- both ends need the same definition of the encryption domain
- sk19243 – (last resort) use dbedit on objects_5_0.C, then add the subnets/hosts in user.def
- likely Phase 2 settings
- Cisco may report "no proxy id allowed"
- disable NAT inside the VPN community
- make sure "Support key exchange for subnets" is configured properly
- make sure the gateway object's main IP address (General Properties) is its public external IP
No Proposal chosen
- sk19243 – usually caused when a peer does not agree on the VPN domain or subnet mask
- make sure the Phase 2 encryption and hash algorithms match as well
Cannot Identify Peer (to encryption connection)
- sk22102 – rules refer to an object that is not part of the local firewall's encryption domain
- may have overlapping encryption domains
- two peers in the same domain
- sk18972 – explains overlapping
Invalid ID
- sk25893 – Gateway object > VPN > VPN Advanced: clear "Support key exchange for subnets", then install policy
Authentication Failure
Payload Malformed
RESPONDER-LIFETIME
- as seen in the IKE debug; make sure the SA lifetimes match on both ends
Invalid Certificate
- sk17106 – remote side peer object is incorrectly configured
- sk23586 – NAT rules are needed
- sk18805 – multiple issues: define a static NAT, add a rule, check the time
- sk25262 – problems with TCP port 18264 (the ICA service used to fetch certificates and CRLs)
- sk32648 – port 18264 problems, v2
- sk15037 – make sure the gateway can communicate with the management server
No Valid CRL
- sk32721 – CRL has expired, and module can’t get a new valid CRL
AddNegotiation
- FW-1 is handling more than 200 key negotiations at once
- raise the maximum number of concurrent IKE connections on the gateway
Could not get SAs from packet
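The messages above are grepable strings, so a small script saves re-reading the list every time a tunnel fails. The following is an added example, not code from the original post: it greps a debug file such as $FWDIR/log/ike.elg or vpnd.elg for each message quoted in this section and prints the matching checks. The message strings and hints are the ones on this page; the sample log excerpt the script builds for itself is constructed for illustration and is not real ike.elg output.

```shell
#!/bin/sh
# Added example, not from the original post: grep a Check Point debug file
# ($FWDIR/log/ike.elg or vpnd.elg) for the error messages listed above and
# print what to check for each one. The sample log below is constructed.

# triage_vpn_log FILE
#   prints each known message found in FILE followed by a "  -> hint" line
triage_vpn_log() {
    file="$1"
    # table: message|what to check  (one entry per line; '|' is the separator)
    while IFS='|' read -r message hint; do
        if grep -qiF -e "$message" "$file"; then
            printf '%s\n  -> %s\n' "$message" "$hint"
        fi
    done <<'EOF'
According to the Policy the Packet should not have been decrypted|VPN domain error or typo; each gateway's VPN domain must contain only its own local networks
Failed to match proposal|Phase 1/Phase 2 proposals differ, e.g. Cisco side not configured for compression (sk21636)
No response from peer|UDP 500 or IP proto 50 blocked between endpoints, or remote peer has no rule/encryption for this tunnel
No Valid SA|Encryption domains differ; disable NAT inside the community; check Phase 2 settings and key exchange for subnets (sk19243)
No Proposal chosen|Peer disagrees on VPN domain/subnet mask, or Phase 2 encryption/hash mismatch (sk19243)
Cannot identify peer|Rule uses an object outside the local encryption domain, or domains overlap (sk22102, sk18972)
Invalid ID|Gateway > VPN > VPN Advanced: clear "Support key exchange for subnets", install policy (sk25893)
RESPONDER-LIFETIME|SA lifetimes differ; make them match on both peers
Invalid Certificate|Peer object, NAT rules, clock skew, or TCP 18264 to the management blocked (sk17106, sk23586, sk18805, sk25262, sk32648, sk15037)
No Valid CRL|CRL expired and the module cannot fetch a new one (sk32721)
AddNegotiation|More than 200 concurrent IKE negotiations; raise the maximum concurrent IKE connections
EOF
}

# count_known_messages FILE  -> number of known messages present in FILE
count_known_messages() {
    triage_vpn_log "$1" | grep -c '^  -> '
}

# make_sample_log  -> path of a constructed log excerpt (NOT real ike.elg content)
make_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
12:00:01 peer 203.0.113.10 main mode: No Proposal chosen
12:00:01 peer 203.0.113.10 quick mode: Invalid ID
12:00:02 peer 203.0.113.10 IPsec: No Valid SA
12:00:05 peer 192.0.2.20 tunnel established
EOF
    echo "$f"
}

# Usage on the gateway after "vpn debug ikeon" and "vpn tu" (procedure above):
#   sh triage.sh $FWDIR/log/ike.elg
if [ -n "${1:-}" ]; then
    triage_vpn_log "$1"
fi
```

Run it against ike.elg first (Phase 1 and Phase 2 failures land there) and against vpnd.elg second; on a cluster, run it on the active member, where the debug was switched on.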
FW MONITOR NOTES
- fw monitor shows each packet at up to four inspection points: i (pre-inbound), I (post-inbound), o (pre-outbound), O (post-outbound)
- the packet becomes ESP between o and O, i.e. encryption happens in the outbound chain (decryption happens between i and I)
BASIC STUFF TO CHECK IN THE CONFIGURATION:
Accept FW-1 Control Connections
VPN domains
- set up in the Topology tab of the gateway object
- using topology is recommended, but you must define
- look for overlapping or missing networks
- Check remote and local objects.
Encryption Domains
- your firewall contains your networks
- their firewall contains their networks
Rule Setup
- you need a rule for the originator
- a reply rule is only required for a two-way tunnel
Preshared secret or certificate
- Make sure times are accurate
Security rulebase
- make sure there are rules to allow the traffic
Address Translation
- be aware that this will affect the Phase 2 negotiations
- most people disable NAT in the community
Community Properties
- Tunnel management, Phase1 Phase2 encrypt settings.
Link selection
Routing
- make sure that the destination is routed across the interface that you want it to encrypt on
- you need IP protocols 50 (ESP) and 51 (AH) for IPsec traffic
- you need UDP port 500 for IKE
- netstat -rn and look for a single valid default route
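Two of the routing checks above (exactly one valid default route, and the peer being reached over the interface you expect to encrypt on) can be answered from a saved `netstat -rn`. The following is an added example, not code from the original post: it reads a capture in the Linux/SecurePlatform `netstat -rn` layout (Destination Gateway Genmask Flags MSS Window irtt Iface), counts default routes, and does a longest-prefix lookup for a peer address in POSIX awk. The routing table it builds for itself is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check routing for a VPN
# peer from a saved "netstat -rn" (Linux layout). The sample table below is
# constructed; on a gateway capture the real one with: netstat -rn > /tmp/rt

# default_route_count FILE  -> how many 0.0.0.0/0 routes the table holds
default_route_count() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { n++ } END { print n + 0 }' "$1"
}

# route_for IP FILE  -> "IFACE via GATEWAY" for the longest-prefix route to IP
#   POSIX awk has no bit operators, so the prefix test uses arithmetic: for a
#   contiguous mask, 2^32 - mask is the block size, and two addresses share
#   the prefix exactly when int(a/block) == int(b/block).
route_for() {
    awk -v ip="$1" '
    function to_int(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    BEGIN { want = to_int(ip); best = -1 }
    # data rows have a dotted-quad destination in $1 and genmask in $3
    $1 ~ /^[0-9.]+$/ && $3 ~ /^[0-9.]+$/ {
        mask = to_int($3); block = 4294967296 - mask
        if (int(want / block) == int(to_int($1) / block) && mask > best) {
            best = mask; gw = $2; iface = $NF
        }
    }
    END { if (best < 0) { print "no route"; exit 1 } print iface " via " gw }' "$2"
}

# make_sample_routes  -> path to a constructed netstat -rn capture with a
#   duplicate default route, the kind of misconfiguration the check catches
make_sample_routes() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.0.0        0.0.0.0         255.255.0.0     U         0 0          0 eth1
10.1.5.0        10.1.0.254      255.255.255.0   UG        0 0          0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
0.0.0.0         198.51.100.1    0.0.0.0         UG        0 0          0 eth2
EOF
    echo "$f"
}

# Usage on the gateway:  netstat -rn > /tmp/rt; sh routecheck.sh /tmp/rt PEER_IP
if [ -n "${2:-}" ]; then
    n=$(default_route_count "$1")
    [ "$n" -eq 1 ] || echo "WARNING: $n default routes (expected exactly one)"
    echo "traffic to $2 leaves via: $(route_for "$2" "$1")"
fi
```

If the peer's route leaves on an interface other than the one carrying the gateway's main (public) IP, fix the routing or the link selection settings before touching the VPN community; IKE will otherwise be sourced from an address the peer does not expect.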
Smartview Tracker Logs
- purple = encrypted/decrypted
- red = dropped
- green = accepted without encryption
TRADITIONAL MODE NOTES
- can't use VPN routing
- encryption happens when you hit explicit rule
- rules must be created
SIMPLIFIED MODE NOTES
- VPN Communities
- encryption is decided at rule 0 (the implied community rules)
- rules are implied
CHECKLIST
- Define encryption domains for each site
- Define firewall workstation objects for each site
- Configure the gateway objects for the correct encryption domain
- Configure the extranet community with the appropriate gateways and objects
- Create the necessary encryption rules.
- Configure the encryption properties for each encryption rule.
- Install the Security Policy
IKE PACKET MODE QUICK REFERENCE
- > outgoing (initiator to responder)
- < incoming (responder to initiator)
PHASE 1 (MAIN MODE)
- 1 > proposal: authentication method (pre-shared secret or certificate), encryption and hash algorithms, initiator cookie (clear text)
- 2 < responder picks one encryption/hash pair, responder cookie (clear text)
- 3 > Diffie-Hellman public value and nonce (if it fails here, re-install the policy)
- 4 < Diffie-Hellman public value and nonce (if it fails here, re-install the policy)
- 5 > identity and authentication between the peers: peer IP address or ID, certificate exchange or pre-shared secret hash; failures here point at expired certificates or time offsets
- 6 < peer has accepted the proposal and authenticated the initiator; same failure causes (expired certificates, time offsets)
PHASE 2 (QUICK MODE)
- 1 > proposes the Phase 2 SA: a subnet or host ID (proxy ID), encryption, hash, ID data
- 2 < agrees with its own subnet or host ID and the encryption and hash
- 3 > completes the IKE negotiation
GOOD SKS to KNOW
- sk31221 – The NGX Advanced Troubleshooting Reference Guide (ATRG)
- sk26362 – Troubleshooting MTU related issues
- sk30509 – Configuring VPN-1/FireWall-1
- sk31567 – What is ike.elg?
- sk20277 – “Tunnel failure, cannot find IPSec methods of the community (VPN Error code 01)” appears
- sk31279 – Files copied over encrypted tunnel displaying error: “network path is too deep”
- sk32648 – Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails
- sk19243 – largest possible subnet even when the largest_possible_subnet option is set to false
- sk31619 – VPN tunnel is down troubleshooting
- sk19599 – how to edit user.def for largest possible subnets & host only