Check Point VPN Troubleshooting - IKEView Examples - NETSEC



Tuesday, February 21, 2017

Check Point VPN Troubleshooting - IKEView Examples

I recently went through a Check Point VPN troubleshooting process with the IKEView tool. IKEView can be downloaded from the Check Point Support Center.

The IKEView utility is a Check Point tool created to assist in the analysis of the ike.elg (IKEv1) and ikev2.xmll (IKEv2, supported in R71 and above) files. The ike.elg and ikev2.xmll files are useful for debugging Site-to-Site VPN and Check Point Remote Access Client encryption failures.

Enabling IKE debug mode on a Security Gateway results in verbose encryption-traffic information being written to the $FWDIR/log/ike.elg or $FWDIR/log/ikev2.xmll file. The Security Gateway does not require a restart or reboot after enabling IKE debug mode. The output is written in text format and can be read with a plain-text editor, but it is cumbersome to interpret. The IKEView utility's GUI clearly designates IPsec Phase 1 and Phase 2 sections on a per-packet level for both IKEv1 and IKEv2.

Here are the steps:

– Clear any existing ike.elg files. This starts a new ike.elg file and renames the old one.
[Expert@FW-CP1:0]# vpn debug trunc
[Expert@FW-CP1:0]# ls -la $FWDIR/log/ike*
– Turn on IKE debugging.
[Expert@FW-CP1:0]# vpn debug ikeon
– Clear the existing tunnels between the gateways of interest, or all tunnels if you don't care which ones are reset. If there are no tunnels, this forces both Phase 1 and Phase 2 to be completed; if a tunnel already exists, only Phase 2 may be needed, depending on the networks being connected to.
[Expert@FW-CP1:0]# vpn tunnelutil
Select option 0 (Delete all IPSec+IKE SA's for ALL peers and users) and hit enter.
– Trigger a VPN connection.
Generate traffic that matches the VPN rule, for example with ping, ftp, ssh or http.
– Turn off IKE debugging.
[Expert@FW-CP1:0]# vpn debug ikeoff
– Get the ike.elg file.
[Expert@FW-CP1:0]# cd $FWDIR/log/
Check the date of ike.elg to confirm it is the freshly written file, then copy it off the gateway with FTP or SCP.
– Analyze the ike.elg file in IKEView.

Example 1: Successful Phase 1 and Phase 2 with correct encryption domain sent out

Example 2: Phase 1

Example 3: Wrong Encryption Domains sent out from Check Point

The peer sends back an error message that says INVALID-ID-INFORMATION.

Example 4: Phase 2 failed with error message INVALID-PAYLOAD-TYPE

Other Commands:

fw tab -t vpn_enc_domain_valid -f -u

"Invalid ID" is a Phase 2 error. During Phase 2 the networks are exchanged along with the Phase 2 authentication parameters. To confirm, run the following command while trying to establish the tunnel:
fw tab -t vpn_enc_domain_valid -f -u

That command may not be helpful if you have many VPNs, because it does not separate the encryption domains. But basically it lists the encryption domains that the Check Point is sending out. It will probably be a larger subnet than what you have configured. If this is the case, search for "supernetting" in these forums. There are several ways to address the issue.
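To show why a peer answers INVALID-ID-INFORMATION when the Check Point sends an aggregated encryption domain, here is an added example (not part of the original post and not a Check Point tool) that compares the Phase 2 IDs a gateway proposes against the subnets the peer is configured to accept; all subnets are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Tuple

def classify_proxy_id(sent: str, peer_nets: Iterable[str]) -> Tuple[str, List[str]]:
    """Compare one Phase 2 ID (a subnet the gateway proposes) with the
    subnets the peer accepts for that side of the tunnel.
    match    - exact subnet is configured on the peer
    supernet - the proposed subnet contains peer subnets: the Check Point
               supernetting symptom that triggers INVALID-ID-INFORMATION
    subset   - proposed subnet lies inside a peer subnet (usually accepted)
    none     - no overlap at all"""
    s = ipaddress.ip_network(sent, strict=False)
    same = [ipaddress.ip_network(n, strict=False) for n in peer_nets]
    same = [n for n in same if n.version == s.version]  # never compare v4 with v6
    if s in same:
        return "match", [str(s)]
    contained = [str(n) for n in same if n.subnet_of(s)]
    if contained:
        return "supernet", contained
    containing = [str(n) for n in same if s.subnet_of(n)]
    if containing:
        return "subset", containing
    return "none", []

def diagnose_quick_mode(sent_local, sent_remote, peer_local_nets, peer_remote_nets):
    """Check both IDs of one Quick Mode proposal. sent_local is the subnet
    the gateway claims to protect, sent_remote the subnet it wants behind
    the peer; peer_remote_nets is what the peer expects behind us and
    peer_local_nets what the peer itself protects."""
    local_verdict, local_hits = classify_proxy_id(sent_local, peer_remote_nets)
    remote_verdict, remote_hits = classify_proxy_id(sent_remote, peer_local_nets)
    problems = []
    for side, sent, verdict, hits in (("local", sent_local, local_verdict, local_hits),
                                      ("remote", sent_remote, remote_verdict, remote_hits)):
        if verdict == "supernet":
            problems.append(f"{side} ID {sent} aggregates peer subnets {', '.join(hits)}")
        elif verdict == "none":
            problems.append(f"{side} ID {sent} matches no peer subnet")
    return {"local": local_verdict, "remote": remote_verdict,
            "likely_invalid_id": bool(problems), "problems": problems}

if __name__ == "__main__":
    # Constructed sample: the Check Point encryption domain is a whole /16,
    # but the peer only has two /24s of it configured.
    report = diagnose_quick_mode("10.1.0.0/16", "192.168.5.0/24",
                                 ["192.168.5.0/24"], ["10.1.10.0/24", "10.1.20.0/24"])
    for problem in report["problems"]:
        print("INVALID-ID-INFORMATION likely:", problem)
```

Feed it the subnets shown by `fw tab -t vpn_enc_domain_valid` on the Check Point side and the peer's configured proxy IDs; a "supernet" verdict is the case the paragraph above describes.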


References:
– Troubleshooting Checkpoint VPNs with IKEVIEW
– Enabling IKE and VPN debugging