Checkpoint VPN Troubleshooting

Troubleshooting VPNs is covered ad infinitum in the Check Point Management II/III courseware... It's fair to say over 95% of problems are a result of configuration or cross-vendor compatibility issues. Make sure you read http://secureknowledge.checkpoint.co....do?id=sk19423 !

Most VPN debugging consists of looking at the IKE negotiation, although first you should check that connectivity actually exists between the two peers. If I ping, does the other end see it? Can both sides see the IKE packets arriving during a key exchange? You need to understand the IKE process to be able to debug. IKE negotiation consists of two phases - Phase I (Main Mode, which is six packets) and Phase II (Quick Mode, which is three packets).

The $FWDIR/log/ike.elg file contains this information (once debugging is enabled). To enable debugging, you need to log in to your firewall and enter the command "vpn debug on; vpn debug ikeon" or "vpn debug trunc". Check Point have a tool called IKEView.exe which parses the information of ike.elg into a GUI, making this easier to view. Note that another useful tool is "vpn debug on mon", which writes all of the captured IKE data into a file ikemonitor.snoop which you can open with Wireshark or Ethereal.

Phase I negotiates the encryption method (DES/3DES/AES etc), the key length, the hash algorithm (MD5/SHA1) and creates a key to protect the messages of the exchange. It does this in 5 stages:
1. Peers authenticate using certificates or a pre-shared secret.
2. Each peer generates a private Diffie-Hellman key from random bits and from that derives a DH public key. These are then exchanged.
3. Each peer generates a shared secret from its private key and its peer's public key; this is the DH key.
4. The peers exchange DH key material (random bits and mathematical data) and methods for Phase II are agreed for encryption and integrity.
5. Each side generates a symmetric key (based upon the DH key and the key material exchanged).

In IkeView, under the IP address of the peer, open Main Mode Packet 1 and expand: "P1 Main Mode ==>" for outgoing or "P1 Main Mode <==" for incoming > MM Packet 1 > Security Association > prop1 PROTO_ISAKMP > tran1 KEY_IKE. You should then be able to see the proposed Encryption Algorithm, Key Length, Hash Algorithm, Authentication Method, DH Group, and SA renegotiation params (life type, usually secs, and duration). If your encryption fails in Main Mode Packet 1, then you need to check your VPN communities.

Packet 2 (MM Packet 2 in the trace) is from the responder to agree on one encryption and hash algorithm. Packets 3 and 4 aren't usually used when troubleshooting. They perform key exchanges and include a large number called a NONCE. The NONCE is a set of never-before-used random numbers sent to the other party, signed and returned to prove the party's identity. Packets 5 and 6 perform the authentication between the peers. The peer's IP address shows in the ID field under MM Packet 5. Packet 6 shows that the peer has agreed to the proposal and has authorised the host initiating the key exchange. If your encryption fails in Main Mode Packet 5, then you need to check the authentication - certificates or pre-shared secrets.

Next is Phase II - the IPSec Security Associations (SAs) are negotiated, the shared secret key material used for the SA is determined and there is an additional DH exchange. Phase II occurs in 3 stages:
1. Peers exchange key material and agree encryption and integrity methods for IPSec.
2. The DH key is combined with the key material to produce the symmetrical IPSec key.
3. Symmetric IPSec keys are generated.

In IkeView, under the IP address of the peer, expand Quick Mode Packet 1: "P2 Quick Mode ==>" for outgoing or "P2 Quick Mode <==" for incoming > QM Packet 1 > Security Association > prop1 PROTO_IPSEC_ESP > tran1 ESP_AES (for an AES encrypted tunnel). You should be able to see the SA Life Type, Duration, Authentication Alg, Encapsulation Mode and Key Length. There are two ID fields in a QM packet. Under QM Packet 1 > ID you should be able to see the initiator's VPN Domain configuration, including the type (ID_IPV4_ADDR_SUBNET) and data (ID Data field). Under the second ID field you should be able to see the peer's VPN Domain configuration. Packet 2 from the responder agrees to its own subnet or host ID, encryption and hash algorithm. Packet 3 completes the IKE negotiation. If your encryption fails here, it is one of the above Phase II settings that needs to be looked at. Phase II failures are generally due to a misconfigured VPN domain. If all of this works without any errors, then you may have previously initiated an invalid tunnel.
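The fields that the IkeView walk-through above reads out of MM Packet 1 and QM Packet 1 are the standard IKEv1 wire encoding, and the same tree can be walked with a small parser. What follows is an added example, not part of the original page and not a Check Point tool: it decodes the ISAKMP header, the Security Association > proposal > transform > attribute chain and the ID payloads using the ISAKMP DOI (RFC 2409) and IPsec DOI (RFC 2407) code points. The two sample packets are constructed here (their SPIs, lifetimes and subnets are made up), and the Quick Mode sample is given in the clear; on a live capture QM packets are encrypted, which the parser reports through the header's encryption flag rather than decoding the payloads.

```python
"""Walk an IKEv1 (ISAKMP) packet as IKEView's tree does: header, SA > proposal > transform > attributes,
and the ID payloads of a QM packet. The sample packets at the bottom are constructed, not captured."""
import ipaddress
import struct
EXCHANGE = {2: "P1 Main Mode", 4: "P1 Aggressive Mode", 5: "Informational", 32: "P2 Quick Mode"}
PROTO = {1: "PROTO_ISAKMP", 3: "PROTO_IPSEC_ESP"}
TRANSFORM_ID = {1: {1: "KEY_IKE"}, 3: {2: "ESP_DES", 3: "ESP_3DES", 12: "ESP_AES"}}
# Attribute tables: ISAKMP DOI (RFC 2409 appendix A) for Phase I, IPsec DOI (RFC 2407) for ESP.
ISAKMP_ATTR = {1: ("Encryption Algorithm", {1: "DES", 5: "3DES", 7: "AES"}),
               2: ("Hash Algorithm", {1: "MD5", 2: "SHA1"}),
               3: ("Authentication Method", {1: "pre-shared", 3: "RSA signatures"}), 4: ("DH Group", None),
               11: ("Life Type", {1: "secs", 2: "KB"}), 12: ("Life Duration", None), 14: ("Key Length", None)}
ESP_ATTR = {1: ("Life Type", {1: "secs", 2: "KB"}), 2: ("Life Duration", None),
            4: ("Encapsulation Mode", {1: "Tunnel", 2: "Transport"}),
            5: ("Authentication Alg", {1: "HMAC-MD5", 2: "HMAC-SHA1"}), 6: ("Key Length", None)}

def parse_attrs(buf, table):
    """Decode TV / TLV data attributes (RFC 2408 section 3.3) into {name: value}."""
    out, off = {}, 0
    while off < len(buf):
        atype, second = struct.unpack_from("!HH", buf, off)
        if atype & 0x8000:                        # TV form: 'second' is the 2-byte value
            val, off = second, off + 4
        else:                                     # TLV form: 'second' is the value length
            val, off = int.from_bytes(buf[off + 4:off + 4 + second], "big"), off + 4 + second
        name, names = table.get(atype & 0x7FFF, ("attr%d" % (atype & 0x7FFF), None))
        out[name] = names.get(val, val) if names else val
    return out

def parse_sa(body):
    """SA payload body: DOI and situation (8 bytes), then the proposal > transform chain."""
    off, proposals = 8, []
    while off < len(body):
        _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        table = ISAKMP_ATTR if proto == 1 else ESP_ATTR
        toff, transforms = off + 8 + spi_size, []   # transforms follow the (optional) SPI
        for _ in range(ntrans):
            _, _, tlen, tnum, tid = struct.unpack_from("!BBHBB", body, toff)
            attrs = parse_attrs(body[toff + 8:toff + tlen], table)
            transforms.append({"tran": tnum, "id": TRANSFORM_ID.get(proto, {}).get(tid, tid), **attrs})
            toff += tlen
        proposals.append({"prop": pnum, "protocol": PROTO.get(proto, proto), "transforms": transforms})
        off += plen
    return proposals

def parse_id(body):
    """ID payload body: type, protocol, port, then address (+ mask for ID_IPV4_ADDR_SUBNET)."""
    idtype, data = body[0], body[4:]
    if idtype == 4:
        net = ipaddress.IPv4Network((data[:4], str(ipaddress.IPv4Address(data[4:8]))), strict=False)
        return {"type": "ID_IPV4_ADDR_SUBNET", "data": str(net)}
    return {"type": "ID_IPV4_ADDR" if idtype == 1 else idtype, "data": str(ipaddress.IPv4Address(data[:4]))}

def parse_isakmp(pkt):
    """Return exchange type, phase, the encryption flag and the decoded payload chain."""
    _ispi, _rspi, nxt, _ver, xchg, flags, msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match the packet size")
    # Message ID is zero in Phase I exchanges and non-zero in Quick Mode; flag bit 0 = encrypted.
    info = {"exchange": EXCHANGE.get(xchg, xchg), "phase": 1 if msgid == 0 else 2, "encrypted": bool(flags & 1), "payloads": []}
    off = 28                                      # fixed ISAKMP header size
    while nxt != 0 and off < len(pkt):
        pnxt, _, plen = struct.unpack_from("!BBH", pkt, off)
        body = pkt[off + 4:off + plen]
        if nxt == 1:
            info["payloads"].append(("Security Association", parse_sa(body)))
        elif nxt == 5:
            info["payloads"].append(("ID", parse_id(body)))
        else:                                     # KE, Nonce, Hash etc. are only noted by size
            info["payloads"].append(("payload%d" % nxt, len(body)))
        nxt, off = pnxt, off + plen
    return info

def _payload(nxt, body): return struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
def _tv(atype, val): return struct.pack("!HH", 0x8000 | atype, val)   # TV attribute (AF bit set)
def _header(nxt, xchg, msgid, p):
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, nxt, 0x10, xchg, 0, msgid, 28 + len(p)) + p

def sample_mm_packet1():
    """Constructed MM Packet 1: prop1 PROTO_ISAKMP > tran1 KEY_IKE, DES/MD5/pre-shared/DH 2, 86400 secs."""
    attrs = _tv(1, 1) + _tv(2, 1) + _tv(3, 1) + _tv(4, 2) + _tv(11, 1) + struct.pack("!HHI", 12, 4, 86400)
    transform = _payload(0, struct.pack("!BBH", 1, 1, 0) + attrs)          # life duration above is TLV
    proposal = _payload(0, struct.pack("!BBBB", 1, 1, 0, 1) + transform)   # proposal 1, no SPI, 1 transform
    return _header(1, 2, 0, _payload(0, struct.pack("!II", 1, 1) + proposal))

def sample_qm_packet1():
    """Constructed QM Packet 1 in the clear: prop1 PROTO_IPSEC_ESP > tran1 ESP_AES-128/HMAC-SHA1, 2 subnet IDs."""
    attrs = _tv(1, 1) + _tv(2, 3600) + _tv(4, 1) + _tv(5, 2) + _tv(6, 128)
    transform = _payload(0, struct.pack("!BBH", 1, 12, 0) + attrs)
    proposal = _payload(0, struct.pack("!BBBB", 1, 3, 4, 1) + b"\xde\xad\xbe\xef" + transform)  # 4-byte SPI
    sa = _payload(10, struct.pack("!II", 1, 1) + proposal)                 # next payload: Nonce
    nonce = _payload(5, bytes(range(16)))                                   # next payload: ID
    id_i = _payload(5, struct.pack("!BBH", 4, 0, 0) + bytes([10, 1, 1, 0, 255, 255, 255, 0]))
    id_r = _payload(0, struct.pack("!BBH", 4, 0, 0) + bytes([10, 2, 2, 0, 255, 255, 255, 0]))
    return _header(1, 32, 0x1234, sa + nonce + id_i + id_r)

if __name__ == "__main__":
    print(parse_isakmp(sample_mm_packet1()), parse_isakmp(sample_qm_packet1()), sep="\n")
```

Running it prints one dictionary per packet; the MM Packet 1 output carries the same proposal fields IkeView lists under tran1 KEY_IKE, and the QM Packet 1 output carries the ESP transform attributes followed by the two ID payloads, so a mismatch between the two peers' VPN domains shows up as a subnet that differs from what the other side expects.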

You can use the VPN tunnel utility "vpn tu" to remove the SA keys of a previously initiated tunnel from the table.

Basic ASA Config on ASA

Basic steps for VPN Configuration:
1. First define the ISAKMP Policy. For example:
• Authentication
• Hash
• Encryption
• Group
2. Configure crypto access list. Define interesting traffic.
3. Establish IPsec transform set. For example:
• Esp-des
• Esp-md5-hmac
• Esp-aes
• Esp-sha-hmac
4. Configure crypto map. Used to tie together the previously defined parameters.
5. Now apply crypto map on the outside interface. Used to apply it to the outgoing interface traffic.

• First define the IKE policies on ASA-A
ASA-A(config)#crypto isakmp policy 10 (10 is isakmp policy number)
ASA-A(config-isakmp)#encryption des (enable encryption des)
ASA-A(config-isakmp)#hash md5 (enable algorithm md5 for hashing)
ASA-A(config-isakmp)#authentication pre-share (enable pre-shared method)
ASA-A(config-isakmp)#group 2 (enable Diffie-Hellman group 2)
ASA-A(config-isakmp)#exit (exit from crypto isakmp mode)
• The next step is to create a pre-shared key (password) on ASA-A.
ASA-A(config)#crypto isakmp key office address 20.1.1.20 (here the key is "office" and 20.1.1.20 is the ASA-B address)
• Now create an access list to define only interesting traffic.
ASA-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20 (100 is the access list number, 20.1.1.10 is the source address and 20.1.1.20 is the destination address)
• Now create the transform-set for encryption and hashing.
ASA-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac (here the encryption type is des and the hashing technique is md5-hmac)
• Now configure the crypto map.
ASA-A(config)#crypto map imap 10 ipsec-isakmp (crypto map name imap)
ASA-A(config)#crypto map imap 10 match address 100 (apply the access list)
ASA-A(config)#crypto map imap 10 set transform-set ts2 (apply the transform set)
ASA-A(config)#crypto map imap 10 set peer 20.1.1.20 (set remote peer address)
• Now apply the crypto map to the ASA-A interface
ASA-A(config)#crypto map imap interface outside (apply crypto map on outside interface)
ASA-A(config)#crypto isakmp enable outside (to enable crypto isakmp on ASA)
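Each of the five steps refers back to an object created earlier (the access list number, the transform-set name, the peer address that must also have a pre-shared key, and the interface that must have isakmp enabled), so most mistakes in this sequence are dangling references. The checker below is an added example, not part of the page and not a Cisco tool: it parses a running-config excerpt constructed from the commands above (addresses, names and the outside interface are the page's values) and reports every reference that has no matching definition, tagged with the step it belongs to. A second, deliberately broken excerpt misspells the transform-set and omits the final "crypto isakmp enable" line to show what gets flagged. The regular expressions cover only the command forms used above.

```python
"""Cross-check the dependency chain of an ASA crypto configuration: isakmp policy -> pre-shared key
for the peer -> ACL -> transform-set -> crypto map -> map applied to an interface with isakmp enabled."""
import re

# Constructed running-config excerpt using the commands from the walkthrough above.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key office address 20.1.1.20
access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
crypto map imap 10 ipsec-isakmp
crypto map imap 10 match address 100
crypto map imap 10 set transform-set ts2
crypto map imap 10 set peer 20.1.1.20
crypto map imap interface outside
crypto isakmp enable outside
"""
# Same excerpt with a typo in the transform-set name and the final 'enable' line missing.
BROKEN_CONFIG = (SAMPLE_CONFIG.replace("set transform-set ts2", "set transform-set ts9")
                 .replace("crypto isakmp enable outside\n", ""))

def parse_config(text):
    """Collect the objects each step defines and the references the crypto map makes."""
    cfg = {"policies": set(), "psk_peers": set(), "acls": set(), "transform_sets": set(),
           "maps": {}, "map_ifaces": {}, "isakmp_ifaces": set()}

    def entry(m):  # the crypto map entry (name, sequence) a 'crypto map NAME SEQ ...' line refers to
        return cfg["maps"].setdefault((m[1], int(m[2])), {})

    rules = [
        (r"crypto isakmp policy (\d+)", lambda m: cfg["policies"].add(m[1])),
        (r"crypto isakmp key \S+ address (\S+)", lambda m: cfg["psk_peers"].add(m[1])),
        (r"access-list (\S+) permit .*", lambda m: cfg["acls"].add(m[1])),
        (r"crypto ipsec transform-set (\S+) .*", lambda m: cfg["transform_sets"].add(m[1])),
        (r"crypto map (\S+) (\d+) ipsec-isakmp", entry),
        (r"crypto map (\S+) (\d+) match address (\S+)", lambda m: entry(m).update(acl=m[3])),
        (r"crypto map (\S+) (\d+) set transform-set (\S+)", lambda m: entry(m).update(transform=m[3])),
        (r"crypto map (\S+) (\d+) set peer (\S+)", lambda m: entry(m).update(peer=m[3])),
        (r"crypto map (\S+) interface (\S+)", lambda m: cfg["map_ifaces"].__setitem__(m[1], m[2])),
        (r"crypto isakmp enable (\S+)", lambda m: cfg["isakmp_ifaces"].add(m[1])),
    ]
    for raw in text.splitlines():
        line = raw.strip()                     # policy sub-mode lines are indented and simply skipped
        for pattern, action in rules:
            m = re.fullmatch(pattern, line)
            if m:
                action(m)
                break
    return cfg

def check_config(text):
    """Return one line per dangling reference; an empty list means the chain is consistent."""
    cfg = parse_config(text)
    findings = []
    if not cfg["policies"]:
        findings.append("no crypto isakmp policy defined (step 1)")
    for (name, seq), e in sorted(cfg["maps"].items()):
        tag = "crypto map %s %d" % (name, seq)
        if "acl" not in e:
            findings.append("%s: no match address (step 2)" % tag)
        elif e["acl"] not in cfg["acls"]:
            findings.append("%s: access-list %s is not defined (step 2)" % (tag, e["acl"]))
        if "transform" not in e:
            findings.append("%s: no transform-set (step 3)" % tag)
        elif e["transform"] not in cfg["transform_sets"]:
            findings.append("%s: transform-set %s is not defined (step 3)" % (tag, e["transform"]))
        if "peer" not in e:
            findings.append("%s: no peer set (step 4)" % tag)
        elif e["peer"] not in cfg["psk_peers"]:
            findings.append("%s: no pre-shared key for peer %s" % (tag, e["peer"]))
        if name not in cfg["map_ifaces"]:
            findings.append("%s: map %s not applied to any interface (step 5)" % (tag, name))
    for name, iface in sorted(cfg["map_ifaces"].items()):
        if iface not in cfg["isakmp_ifaces"]:
            findings.append("interface %s: crypto map %s applied but isakmp not enabled (step 5)" % (iface, name))
    return findings

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_config(text) or ["OK"])
```

The checker only confirms that the objects referenced by the crypto map exist and that the map is actually bound to an interface with isakmp enabled; whether the peer proposes the same policy is still something to read out of the IKE negotiation as described earlier.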
