Troubleshooting VPN in Check Point

Level: Intermediate
Platform: Check Point R61, R62, UTM, VPN-1, Nokia IP560, Nokia IP390
Keywords: vpn tu command, VPN phase 1 and phase 2, IKE, IPsec
Author: Dinesh Aggarwal

This article explains some troubleshooting tips for VPNs. SmartView Tracker in Check Point shows many VPN messages, including the traffic that is passing over the VPN. During troubleshooting, the main focus is to see the messages that were exchanged, or are being exchanged, for phase 1 and phase 2 of the VPN and for negotiating the keys. If the VPN traffic is very heavy, it becomes difficult to see all these details. This article explains a way around that.

In SmartView Tracker select VPN

Open SmartView Tracker in Check Point and click the VPN tab. It shows all the VPN messages. To see specifically the logs that show key exchanges and phase 1 and phase 2 completions, put a filter on the Interface column with the keyword daemon, as follows.

fig-1

fig-2

fig-3

It will show messages like the ones below.

Number:                                   961843
Date:                                        26Jul2007
Time:                                        11:33:55
Product:                                   VPN-1 Pro/Express
Interface:                                  daemon
Origin:                                      fwgf02
Type:                                        Log
Action:                                     Key Install
Source:                                     1.1.1.1
Destination:                               fwgf02 (10.100.1.8)
Source Key ID:                        0xf26b425a
Destination Key ID:                  0x3b80c78a
Encryption Scheme:                  IKE
VPN Peer Gateway:                 1.1.1.1
IKE Initiator Cookie:                414a684a5e1462d8
IKE Responder Cookie:           d4dfda96b683d753
IKE Phase2 Message ID:         891c8382
Encryption Methods:                 ESP: 3DES + MD5
Community:                              MyIntranet
Information:                              IKE: Quick Mode completion
IKE IDs: subnet: 10.100.1.0 (mask= 255.255.255.0) and subnet: 10.99.1.0 (mask= 255.255.255.0)
Subproduct:                              VPN
VPN Feature:                           IKE

Number:                                   961855
Date:                                        26Jul2007
Time:                                        11:33:56
Product:                                   VPN-1 Pro/Express
Interface:                                  daemon
Origin:                                      fwgf02
Type:                                        Log
Action:                                     Key Install
Source:                                     fwgf02 (10.100.1.8)
Destination:                               1.1.1.1
Source Key ID:                        0x0d69f183
Destination Key ID:                  0xab5f6f71
Encryption Scheme:                  IKE
VPN Peer Gateway:                 1.1.1.1
IKE Initiator Cookie:                414a684a5e1462d8
IKE Responder Cookie:           d4dfda96b683d753
IKE Phase2 Message ID:         3986fcff
Encryption Methods:                 ESP: 3DES + MD5
Community:                              MyIntranet
Information:                              IKE: Quick Mode completion
IKE IDs: subnet: 10.100.1.0 (mask= 255.255.255.0) and subnet: 10.99.12.0 (mask= 255.255.254.0)
Subproduct:                              VPN
VPN Feature:                           IKE

VPN tu command
Log in to the Nokia firewall and run the following:
vpn tu

**********     Select Option     **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

As shown above, vpn tu offers many options for troubleshooting VPNs in Check Point. It is a very good command for getting a lot of information about the VPNs configured on the firewall and their statistics. Options 1 to 4 only list SAs, while options 5 to 0 delete them, which forces the affected tunnels to renegotiate.

Select 1

Peer 1.1.1.1:

        1. IKE SA <4a684a41d862145e,96dadfd453d783b6>:

Hit <Enter> key to continue ...
**********     Select Option     **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

Select 2

Peer 1.1.1.1:
INBOUND:
1. 0xb658e118
2. 0xec093901
3. 0x5f35f701
4. 0xd102765f
5. 0xc976026d
6. 0x65ac3553
7. 0x831e39d1
8. 0xdd8b5e9e
9. 0x7c192b3b
10. 0x282a5e1e
11. 0x38898c97
12. 0x5fc462b0
13. 0x3b80c78a
14. 0xd69f183
15. 0x906df55b
16. 0xf0e9c894
17. 0x25a1a35e
18. 0xc8583d0d
19. 0xe3b49a7c
20. 0x5d68ad2b
21. 0xb166cf63
22. 0x9a2bf346
OUTBOUND:
1. 0x2eb5ec6
2. 0xc977fa45
3. 0xe4cdd6f7
4. 0x2dd2d91b
5. 0xd58bec78
6. 0xbc7e4758
7. 0xbb557f6e
8. 0x77825ef9
9. 0xa1a4a9ed
10. 0xab9a0842
11. 0xdf24b2c1
12. 0x96c36b28
13. 0xf26b425a
14. 0xab5f6f71
15. 0x71aaec72
16. 0x8f5fcff9
17. 0xbb76ffe3
18. 0xf445d1ec
19. 0x24fc0a83
20. 0xf5730308
21. 0x8a4a7f45
22. 0xf5807a8d

 

Hit <Enter> key to continue ...
**********     Select Option     **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

q

Aborting ...

In this way you can see many things using the vpn tu command and by filtering the VPN logs with the daemon keyword on the interface.
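The following is an added example, not part of the original article and not Check Point code: it cross-checks the two Key Install log records shown earlier against the vpn tu output to confirm that the logged SAs are installed. It relies on two observations from this page's sample data, which are assumptions rather than documented behaviour: the log prints each 32-bit word of an IKE cookie in the opposite byte order from vpn tu, and vpn tu drops leading zeros from SPIs. The dictionary field names are hypothetical.

```python
import re

# Values copied from this page's two Key Install records (field names are hypothetical).
LOG_RECORDS = [
    {"number": 961843, "src_key": "0xf26b425a", "dst_key": "0x3b80c78a",
     "init_cookie": "414a684a5e1462d8", "resp_cookie": "d4dfda96b683d753"},
    {"number": 961855, "src_key": "0x0d69f183", "dst_key": "0xab5f6f71",
     "init_cookie": "414a684a5e1462d8", "resp_cookie": "d4dfda96b683d753"},
]

# Excerpt of this page's vpn tu output (options 1 and 2), trimmed to the relevant lines.
VPN_TU_OUTPUT = """\
Peer 1.1.1.1:
        1. IKE SA <4a684a41d862145e,96dadfd453d783b6>:
INBOUND:
13. 0x3b80c78a
14. 0xd69f183
OUTBOUND:
13. 0xf26b425a
14. 0xab5f6f71
"""

def swap_words(cookie):
    """Reverse the byte order inside each 32-bit word of a hex cookie."""
    raw = bytes.fromhex(cookie)
    return b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4)).hex()

def parse_vpn_tu(text):
    """Collect IKE SA cookie pairs and IPsec SPIs (as integers) per direction."""
    state, direction = {"ike": set(), "INBOUND": set(), "OUTBOUND": set()}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.search(r"IKE SA <([0-9a-f]+),([0-9a-f]+)>", line):
            state["ike"].add(m.groups())
        elif line in ("INBOUND:", "OUTBOUND:"):
            direction = line[:-1]
        elif direction and (m := re.fullmatch(r"\d+\.\s+(0x[0-9a-f]+)", line)):
            state[direction].add(int(m.group(1), 16))
    return state

def correlate(record, state):
    """Report whether a Key Install record matches SAs that vpn tu lists."""
    cookies = (swap_words(record["init_cookie"]), swap_words(record["resp_cookie"]))
    def where(spi):  # compare numerically because vpn tu drops leading zeros
        return [d for d in ("INBOUND", "OUTBOUND") if int(spi, 16) in state[d]]
    return {"ike_sa": cookies in state["ike"],
            "src_key": where(record["src_key"]), "dst_key": where(record["dst_key"])}

for rec in LOG_RECORDS:
    print(rec["number"], correlate(rec, parse_vpn_tu(VPN_TU_OUTPUT)))
```

A Key Install record whose cookies or key IDs are missing from the current vpn tu listing points to an SA that has since expired or been deleted.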

If you have any suggestions or want to add more to this article, write us an email at articles@knowurtech.com
