Thursday, June 16, 2011

Enabling IKE and VPN debugging


SOLUTION
Commands used to debug IKE and VPN failures are entered on the Security Gateway involved in the VPN communication. Enabling debugging mode does not require a restart or reboot of the Security Gateway and adds little overhead, but the debug files grow with traffic (especially at higher TDERROR levels), so turn debugging off once the problem has been reproduced. The output is written as text to the respective file(s) in the $FWDIR/log directory.

The vpn debug on command activates debugging mode of VPND, the VPN daemon. Debug output is written to the $FWDIR/log/vpnd.elg file. To turn it off, simply type vpn debug off.

The vpn debug ikeon command turns on IKE debugging mode. IKE packets are written to the $FWDIR/log/ike.elg file. To turn it off, simply type vpn debug ikeoff.

vpn debug trunc empties the ike.elg file, adds a stamp line "...TRUNCATE issued..." and enables both VPN and IKE debugging (the equivalent of vpn debug on followed by vpn debug ikeon); note that vpnd.elg is not truncated by it.

For VSX NGX, VSX NGX R65 and VSX NGX R67, run the same commands with the Virtual System ID:
  • The vpn -vs <vsid> debug on command activates debugging mode of VPND, the VPN daemon, for that Virtual System.
  • The vpn -vs <vsid> debug ikeon command turns on IKE debugging mode for that Virtual System.
  • vpn -vs <vsid> debug trunc empties the ike.elg file, adds a stamp line "...TRUNCATE issued..." and enables both VPN and IKE debugging.
How to generate a valid ike debug, vpn debug and fw monitor



SOLUTION
It is very helpful to gather the IKE information in both directions by having each endpoint initiate the negotiation at a different time, so you can see what each gateway proposes to the other and then reconcile the differences. Generate IKE and vpnd debugs on both endpoints.

These debugs are valid for VPN connections between SecureClient and Security Gateways, as well as for site-to-site VPN connections.
Note: This article also applies to site-to-site VPNs with third-party Security Gateways (the commands here run on the Check Point side; collect the equivalent logs on the third-party device).
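Reconciling the two sides' proposals is easier when the Phase 1 and Phase 2 parameters recorded for each end (the checklist in "What information is required to troubleshoot the VPN related issues" below) are compared mechanically rather than by eye. The script below is an added example and not part of the Check Point article: it writes the two filled-in checklists as key=value files (the key names and values are constructed sample data, with the remote end using MD5, 3DES and PFS where the local end does not), prints every parameter that differs, and separately flags choices that are weak even when both ends agree on them.

```shell
#!/bin/bash
# Added example (not Check Point tooling): compare the Phase 1 / Phase 2
# parameters recorded for each end of a tunnel and flag mismatches and weak
# settings. Key names and sample values are constructed for this example.

# Write the two filled-in checklists as key=value files (constructed sample
# data: the remote end uses MD5, 3DES and PFS group 2, the local end does not).
write_sample_tables() {
  cat > "$1" <<'EOF'
p1_encryption=AES256
p1_integrity=SHA1
p1_dh_group=2
p1_lifetime_min=1440
p1_aggressive=no
p2_encryption=AES256
p2_integrity=SHA1
p2_pfs_group=none
p2_lifetime_sec=3600
EOF
  cat > "$2" <<'EOF'
p1_encryption=AES256
p1_integrity=MD5
p1_dh_group=2
p1_lifetime_min=1440
p1_aggressive=no
p2_encryption=3DES
p2_integrity=SHA1
p2_pfs_group=2
p2_lifetime_sec=3600
EOF
}

# Print one MISMATCH line per parameter that differs between the two ends and
# return 1 if any did; identical tables print nothing and return 0.
ike_params_diff() {
  local local_tbl=$1 remote_tbl=$2 rc=0 key lval rval
  while IFS='=' read -r key lval; do
    [ -n "$key" ] || continue
    rval=$(awk -F= -v k="$key" '$1 == k { print $2 }' "$remote_tbl")
    if [ "$lval" != "$rval" ]; then
      printf 'MISMATCH %s: local=%s remote=%s\n' "$key" "$lval" "${rval:-<unset>}"
      rc=1
    fi
  done < "$local_tbl"
  # Parameters the remote end filled in that the local end left out.
  while IFS='=' read -r key rval; do
    [ -n "$key" ] || continue
    if ! grep -q "^$key=" "$local_tbl"; then
      printf 'MISMATCH %s: local=<unset> remote=%s\n' "$key" "$rval"
      rc=1
    fi
  done < "$remote_tbl"
  return $rc
}

# Flag choices worth questioning even when both ends agree on them.
ike_weak_params() {
  awk -F= '
    toupper($2) == "DES" { print "WEAK " $1 "=" $2 " (single DES)" }
    toupper($2) == "MD5" { print "WEAK " $1 "=" $2 " (MD5 integrity)" }
    $1 ~ /dh_group|pfs_group/ && $2 == "1" { print "WEAK " $1 "=" $2 " (DH group 1, 768-bit MODP)" }
    $1 == "p1_aggressive" && tolower($2) == "yes" { print "WEAK " $1 "=" $2 " (aggressive mode with a pre-shared key exposes the PSK hash to offline guessing)" }
  ' "$1"
}

# Usage: ./ike_params_diff.sh local.txt remote.txt
if [ $# -eq 2 ]; then
  ike_params_diff "$1" "$2"
  ike_weak_params "$1"
  ike_weak_params "$2"
fi
```

Run it once in each order if you want remote-only keys listed first; the exit status (1 on any mismatch) makes it usable from a larger collection script.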

Follow the steps below to generate debug information:

Note: For SecurePlatform you must be logged in as Expert.

  1. Initiate vpn debug on both Security Gateways from the CLI:

    # vpn debug trunc

    Notes:

    • # vpn debug trunc initiates both vpn debug and ike debug; # vpn debug on initiates only vpn debug.
    • If you need the level of detail provided by TDERROR_ALL_ALL=5, run # vpn debug on TDERROR_ALL_ALL=5 in place of vpn debug on.

  2. Initiate a packet capture on both Security Gateways (fw monitor, or tcpdump or Wireshark if you prefer):

    Note: Press "Alt + F1" to open a second console, open a second SSH session, or (on Windows) open a second command prompt, so the capture can keep running while you enter the remaining commands.

    # fw monitor -e "accept;" -o monitor.out

    or

    # fw monitor -e "accept sport=500 or dport=500;" -o monitor.out

    Note: Since VPN-1 Pro NGX R60, you can also run

    # fw monitor -e "accept port(500) or port(4500);" -o monitor.out

    or

    # vpn debug mon

    If you run # vpn debug mon, the output file is ikemonitor.snoop, written alongside ike.elg, and in it all the IKE payloads are in the clear. In monitor.out (as in any tcpdump or Wireshark capture) the payloads that IKE itself encrypts, namely main mode messages 5 and 6 and all of quick mode, appear encrypted, so in main mode only messages 1 to 4 can be read there.
  3. Run vpn tu.

    Note: Before running vpn tu, stop all traffic over the VPN.
  4. Then select the option that reads "Delete all IPsec+IKE SAs for a given peer (GW)".
  5. Enter your remote Security Gateway IP address.
  6. Exit the utility.

    Important: This procedure closes open VPN tunnels. That is useful here, because the next time communication is attempted you capture the VPN tunnel creation, but be aware that existing VPN tunnels with this remote peer are closed and must be re-established. This matters especially in a production environment.
  7. Reproduce the issue, attempt to connect FROM YOUR NETWORK to a device in the remote encryption domain. This initiates the tunnel.
  8. Run vpn tu.

    Note: Before running vpn tu, stop all traffic over the VPN.
  9. Then select the option that reads "Delete all IPsec+IKE SAs for a given peer (GW)".
  10. Enter your remote Security Gateway IP address.
  11. Exit the utility.
  12. Reproduce the issue, attempt to connect FROM THE REMOTE NETWORK to a device in the local encryption domain. This initiates the tunnel.
  13. Stop vpn debug on both Security Gateways:

    # vpn debug off

    # vpn debug ikeoff


    Notes:

    • If you used vpn debug on TDERROR_ALL_ALL=5 rather than vpn debug trunc, IKE debugging was never enabled, so you only have to run # vpn debug off.
    • If you run # vpn debug mon, you need to run # vpn debug moff.

  14. Stop the packet capture by pressing "CTRL+C" in the fw monitor session.
  15. Send the following files from both Security Gateways to Check Point Support:
    • $FWDIR/log/ike.elg
    • $FWDIR/log/vpnd.elg
    • monitor.out (in the directory where fw monitor was started)
    • ikemonitor.snoop (if vpn debug mon was used)

What information is required to troubleshoot the VPN related issues



SOLUTION
Gather the following information to resolve VPN related issues:

  1. CPINFO from the Security Management server. Refer to sk30567.
  2. Encryption algorithm, integrity algorithm, DH group and lifetime for Phase 1 and Phase 2, and the networks (encryption domains) proposed on each end.

    Fill out the following table for each end-point of the tunnel:

    1. Check Point Site Info:

    Phase 1

    - Encryption Strength (3DES, DES, AES256) =
    - Encryption Integrity (MD5, SHA1) =
    - Diffie-Hellman Group for IKE (phase 1) (group 1, 2, 5) =
    - Renegotiate IKE (phase 1) (default 1440 minutes) =
    - Support Aggressive mode (yes, no) =

    Phase 2

    - Encryption Strength (3DES, DES, AES256) =
    - Encryption Integrity (MD5, SHA1) =
    - Use Perfect Forward Secrecy (if yes, which group) =
    - Renegotiate IPsec (default 3600 seconds) =


    2. Are you using Pre-Shared Secrets or Certificates?

    3. Are they able to establish the tunnel one-way? If so, which way?

    4. What are the addresses that you are testing from and to in your encryption domains?

    5. What is the IP address and name of the Security Gateway in question?

    6. What is the IP address and name of the remote VPN site, and what type of VPN appliance is it?

    1. Remote Site Info:

    Phase 1

    - Encryption Strength (3DES, DES, AES256) =
    - Encryption Integrity (MD5, SHA1) =
    - Diffie-Hellman Group for IKE (phase 1) (group 1, 2, 5) =
    - Renegotiate IKE (phase 1) (default 1440 minutes) =
    - Support Aggressive mode (yes, no) =

    Phase 2

    - Encryption Strength (3DES, DES, AES256) =
    - Encryption Integrity (MD5, SHA1) =
    - Use Perfect Forward Secrecy (if yes, which group) =
    - Renegotiate IPsec (default 3600 seconds) =



    2. Are you using Pre-Shared Secrets or Certificates?

    3. Are they able to establish the tunnel one-way? If so, which way?

    4. What are the addresses that you are testing from and to in your encryption domains?

    Note: DES, MD5 and DH group 1 appear in the lists above because older peers still offer them, but they are weak; where both peers support it, use AES, SHA-2 and DH group 14 or stronger. A mismatch in any algorithm or group between the two tables is the first thing to look for in ike.elg.
  3. The ike.elg and vpnd.elg files, covering a clearly identifiable period during which a connection was tested.
    Follow the procedure below to create the ike.elg and vpnd.elg debug files:

    1. Delete the $FWDIR/log/ike.elg and $FWDIR/log/vpnd.elg files from the Security Gateway, so that the new files contain only the test.
    2. On the Security Gateway run "vpn tu" or "vpn tunnelutil".
      This brings up the following options:

      (in NGX the menu also has an option to delete a user's IPsec SAs)


      ********** Select Option **********

      (1) List all IKE SAs

      (2) List all IPsec SAs

      (3) List all IKE SAs for a given peer

      (4) List all IPsec SAs for a given peer

      (5) Delete all IPsec SAs for a given peer

      (6) Delete all IPsec+IKE SAs for a given peer

      (7) Delete all IPsec SAs for ALL peers

      (8) Delete all IPsec+IKE SAs for ALL peers

      (A) Abort

      *******************************************


      Select option #6 and enter the remote side's IP address, or select option #8 to delete the IPsec and IKE SAs of all peers. Either choice deletes the local IPsec and IKE SAs and sends an IKE delete notification to the remote side telling it to take down the existing tunnel.
    3. Run "vpn debug ikeon" to enable IKE debugging (or "vpn debug trunc" to enable vpnd debugging as well; ikeon alone does not write vpnd.elg).
    4. From either side of the tunnel generate traffic through it.
    5. Once the tunnel fails, run "vpn debug ikeoff" (and "vpn debug off" if you used trunc).
    6. The ike.elg file is created in the $FWDIR/log directory on the Security Gateway.
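The two procedures above (the full one with fw monitor and both directions in "How to generate a valid ike debug, vpn debug and fw monitor", and the shorter ikeon-only variant just given, which is a subset of it) are easy to get wrong on a busy gateway: a step is skipped, a debug is left on, or the SAs of the wrong peer are deleted. The script below is an added example, not a Check Point tool, that runs the full sequence as one bounded session. It assumes an Expert shell on the gateway with $FWDIR set and a single IPv4 peer; the DRY_RUN switch and the output directory are conventions of this script. With DRY_RUN=1 it only prints the commands it would run, which is how to review the sequence before touching production (and how the block runs where no Check Point tooling is installed). vpn tu is interactive, so the script launches it and tells the operator which option to pick; the fw monitor capture is started in a second session, as the article suggests, so that Ctrl+C stops it cleanly.

```shell
#!/bin/bash
# Added example, not Check Point's own tooling: drive the debug-collection
# procedure from "How to generate a valid ike debug, vpn debug and fw monitor"
# as one bounded session. Assumes an Expert shell with $FWDIR set and a single
# IPv4 peer; DRY_RUN and the output directory are this script's conventions.

# With DRY_RUN=1 nothing is executed; each command is printed instead so the
# sequence can be reviewed before it is run against a production gateway.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Print an operator instruction and wait for Enter (no wait in DRY_RUN mode).
pause_for() {
  printf '\n>>> %s\n>>> Press Enter when done.\n' "$1"
  [ "${DRY_RUN:-0}" = "1" ] || read -r _
}

# A mistyped peer address would tear down SAs with the wrong peer, or with
# none, so insist on a well-formed dotted quad before touching anything.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  local IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet; do [ "$octet" -le 255 ] || return 1; done
}

collect_vpn_debug() {
  local peer=$1 outdir=${2:-/var/tmp/vpndebug-$(date +%Y%m%d-%H%M%S)} direction f
  if ! valid_ipv4 "$peer"; then echo "invalid peer IPv4 address: $peer" >&2; return 2; fi
  if [ -z "${FWDIR:-}" ]; then echo "FWDIR is not set: run this from an Expert shell" >&2; return 2; fi
  run mkdir -p "$outdir"

  # Step 1: empty ike.elg, stamp it, and enable both vpnd and IKE debugging.
  run vpn debug trunc

  # Step 2: the packet capture runs in a second session so Ctrl+C can stop it;
  # vpn debug mon additionally writes the IKE payloads in the clear to
  # ikemonitor.snoop next to ike.elg.
  pause_for "In a second Expert shell start: fw monitor -e 'accept port(500) or port(4500);' -o $outdir/monitor.out"
  run vpn debug mon

  # Steps 3-12: for each direction, delete the SAs with this peer (this closes
  # any live tunnel to it) and have the operator trigger a fresh negotiation.
  for direction in "FROM THIS NETWORK to a host in the remote encryption domain" \
                   "FROM THE REMOTE NETWORK to a host in the local encryption domain"; do
    echo ">>> In vpn tu choose 'Delete all IPsec+IKE SAs for a given peer (GW)' and enter $peer"
    run vpn tu
    pause_for "Reproduce the problem $direction"
  done

  # Steps 13-14: turn off every debug that was turned on, then stop the capture.
  run vpn debug off
  run vpn debug ikeoff
  run vpn debug moff
  pause_for "Press Ctrl+C in the fw monitor session"

  # Step 15: collect the files Support asks for next to monitor.out.
  for f in ike.elg vpnd.elg ikemonitor.snoop; do
    run cp "$FWDIR/log/$f" "$outdir/"
  done
  echo "debug files collected in $outdir"
}

# Usage:  DRY_RUN=1 ./collect_vpn_debug.sh 203.0.113.10   (preview the sequence)
#         ./collect_vpn_debug.sh 203.0.113.10             (real run, Expert mode)
if [ $# -gt 0 ]; then collect_vpn_debug "$@"; fi
```

Run it on both gateways, each with the other's address as the peer, so that ike.elg on each side covers the same two negotiations; the output directory name carries the timestamp, which is the "easily identified period" the third article asks for.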