Firewall Troubleshooting



Similar documents
Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide.

Micronet SP881. TheGreenBow IPSec VPN Client Configuration Guide.

Cisco RV 120W Wireless-N VPN Firewall

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

ZyXEL ZyWALL P1 firmware V3.64

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Linksys RV042. TheGreenBow IPSec VPN Client. Configuration Guide.

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Ingate Firewall. TheGreenBow IPSec VPN Client Configuration Guide.

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Juniper NetScreen 5GT

Planet CS TheGreenBow IPSec VPN Client. Configuration Guide.

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Watchguard Firebox X Edge e-series

Cisco SA 500 Series Security Appliance

Symantec Firewall/VPN 200

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

IPsec VPN Application Guide REV:

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

Configuring IPsec VPN between a FortiGate and Microsoft Azure

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Chapter 4 Virtual Private Networking

Configuring a VPN between a Sidewinder G2 and a NetScreen

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

The BANDIT Products in Virtual Private Networks

Ford ANX Troubleshooting Procedure for use by Trading Partners

Scenario: Remote-Access VPN Configuration

Lab Configure a PIX Firewall VPN

CCNA Security 1.1 Instructional Resource

Creating a VPN with overlapping subnets

LinkProof And VPN Load Balancing

VPN. VPN For BIPAC 741/743GE

Case Study for Layer 3 Authentication and Encryption

Understanding the Cisco VPN Client

Chapter 8 Virtual Private Networking

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

Site to Site VPN s between two networks with the same IP Address scheme.

DFL-210/260, DFL-800/860, DFL-1600/2500 How to setup IPSec VPN connection

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Chapter 5 Virtual Private Networking Using IPsec

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

MINI-FAQ: OpenBSD 2.4 IPSEC VPN Configuration

Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall

Cisco AnyConnect Secure Mobility Solution Guide

How to configure VPN function on TP-LINK Routers

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Sample Configuration Using the ip nat outside source static

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Lecture 17 - Network Security

Interconnection between the Windows Azure

21.4 Network Address Translation (NAT) NAT concept

How to configure VPN function on TP-LINK Routers

VPN Configuration Guide. Linksys (Belkin) LRT214 / LRT224 Gigabit VPN Router

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

LAB THREE STATIC ROUTING

Configure IPSec VPN Tunnels With the Wizard

VPN SECURITY POLICIES

AlliedTelesis AT-AR700 Series

Quick Note 051. Common Passwords/ID errors in IPsec VPN negotiation for TransPort routers. DRAFT July 2015

How To Set Up Checkpoint Vpn For A Home Office Worker

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Connecting Remote Offices by Setting Up VPN Tunnels

FortiOS Handbook IPsec VPN for FortiOS 5.0

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

Introduction to Security and PIX Firewall

This chapter describes how to set up and manage VPN service in Mac OS X Server.

IP Office Technical Tip

Windows XP VPN Client Example

How To Industrial Networking

Using IPsec VPN to provide communication between offices

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

HOWTO: How to configure IPSEC gateway (office) to gateway

VPN Wizard Default Settings and General Information

LAN-Cell to Cisco Tunneling

VPN Configuration Guide. Cisco Small Business (Linksys) WRV210

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

Chapter 6 Basic Virtual Private Networking

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

GNAT Box VPN and VPN Client

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Setting up D-Link VPN Client to VPN Routers

Configure VPN between ProSafe VPN Client Software and FVG318

How To Configure An Ipsec Tunnel On A Network With A Network Gateways (Dfl-800) On A Pnet 2.5V2.5 (Dlf-600) On An Ipse Vpn

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

Transcription:

Firewall Troubleshooting (Checkpoint Specific) For typical connectivity issues where a firewall is in question follow these steps to eliminate any issues relating to the firewall. Firewall 1. From the distant device run traceroute command and ping (if allowed). 2. On firewall try to ping the device and look for an arp entry a. arp a grep x.x.x.x 3. Look at SmartView Tracker, SmarLogs, or run the zdebug command to see if it is being dropped. (fw ctl zdebug drop grep x.x.x.x) 4. Do an ip route get on firewall or traceroute to see routing a. ip route get x.x.x.x b. traceroute x.x.x.x 5. Run tcpcump on the interface and look for the device a. tcpdump I eth0 host x.x.x.x 6. Fw monitor command to see what is traversing the firewall interfaces/virtual machines of the firewall a. fw monitor e accept host(x.x.x.x); ClusterXL VPN 1. Verify cluster status from SmartView Monitor or command line a. cphaprob stat to show cluster status b. cpstat ha show high availability state c. cphaprob a if to show interfaces monitored d. cphaprob -ia list to see detailed cluster info/status e. Look in smartview Tracker for details sorting on information section f. fw ctl pstat command to see sync status 1. For VPN connections look at SmarView Monitor or VPN TU command to look for VPN connection details. 2. Enable IKE debugging to look at Phase one and Phase two details 3. Run fw monitor command with vpn tagging switches for different positions in the firewall chain to see what s occurring at each VM a. fw monitor -pi +vpn -po -vpn -e "host(x.x.x.x), accept;

VPN DEBUGGING INSTRUCTIONS: From the command line ( if cluster, active member ) vpn debug on vpn debug ikeon vpn tu Select the option to delete IPSEC+IKE SAs for a given peer (gw) Try the traffic to bring up the tunnel Log Files are vpn debug ikeoff vpn debug off $FWDIR/log/ike.elg $FWDIR/log/vpnd.elg COMMON MESSAGES: According to the Policy the Packet should not have been decrypted The networks are not defined properly or have a typo Make sure VPN domains under gateway A are all local to gateway A Make sure VPN domains under gateway B are all local to gateway B Wrong Remote Address Verify remote address Failed to match proposal sk21636 cisco side not configured for compression No response from peer Check encryption domains. remote end needs a decrypt rule remote firewall not setup for encryption something is blocking communication between VPN endpoints Check UDP 500 and protocol 50

No Valid SA Both ends need the same definition for the encryption domain. sk19243 (LAST OPTION) use debedit objects_5_0.c, then add subnets/hosts in users.def Likely phase2 settings cisco might say no proxy id allowed Disable NAT inside VPN community Support Key exchange for subnets is properly configured Make sure firewall external interface is in public IP in general properties No Proposal chosen sk19243 usually caused when a peer does not agree to VPN Domain or subnet mask make sure that encryption and hash match as well in Phase 2 settings Cannot Identify Peer (to encryption connection) sk22102 rules refer to an object that is not part of the local firewalls encryption domain may have overlapping encryption domains 2 peers in the same domain sk18972 explains overlapping Invalid ID sk25893 Gateway: VPN-> VPN Advanced, Clear Support key exchange for subnets, Install policy Authentication Failure Payload Malformed check pre shared secrets RESPONDER-LIFETIME As seen in ike debugs, make sure they match on both ends Invalid Certificate sk17106 Remote side peer object is incorrectly configured sk23586 nat rules are needed sk18805 multiple issues, define a static nat, add a rule, check time sk25262 port 18264 has problems sk32648 port 18264 problems v2 sk15037 make sure gateway can communicate with management

No Valid CRL sk32721 CRL has expired, and module can t get a new valid CRL Add Negotiation FW-1 is handling more than 200 key negotiations at once Set maximum concurrent IKE connections FW MONITOR NOTES packet comes back i I o O packet will be ESP between o and O BASIC STUFF TO CHECK IN THE CONFIGURATION: VPN domains Setup in the topology of an item Using topology is recommended, but you must define Looking for overlap, or missing networks. Check remote and local objects. Encryption Domains Your firewall contains your networks Their firewall contains their networks Rule Setup You need a rule for the originator. Reply rule is only required for 2 way tunnel Preshared secret or certificate Make sure times are accurate Security rulebase make sure there are rules to allow the traffic Address Translation Be aware that this will affect the Phase 2 negotiations Most people disable NAT in the community

Community Properties Tunnel management, Phase1 Phase2 encryption settings Link selection Routing Make sure that the destination is routed across the interface that you want it to encrypt on you need IP proto 50 and 51 for IPSEC related traffic and port 500 UDP for IKE netstat -rn and look for a single valid default route Smartview Tracker Logs TRADITIONAL MODE NOTES encryption happens when you hit explicit rule rules must be created SIMPLIFIED MODE NOTES VPN Communities Encryption happens at rule 0 rules are implied CHECKLIST Define encryption domains for each site Define firewall workstation objects for each site Configure the gateway objects for the correct encryption domain Configure the extranet community with the appropriate gateways and objects Create the necessary encryption rules. Configure the encryption properties for each encryption rule. Install the security Policy

IKE PACKET MODE QUICK REFERENCE - > outgoing < incoming PHASE 1 (MAIN MODE) 1 > Pre shared Secrets, Encryption & hash Algorithms, Auth method, initiator cookie (clear text) 2 < agree on one encryption & hash, responder cookie (clear text) 3 > random numbers sent to prove identity (if it fails here, reinstall) 4 < random numbers sent to prove identity (if it fails here, reinstall) 5 > authentication between peers, peers ip address, certificates exchange, shared secrets, expired certs, time offsets 6 < peer has agreed to the proposal and has authenticated initiator, expired certs, time offsets PHASE 2 (QUICK MODE) 1 > Use a subnet or a host ID, Encryption, hash, ID data 2 < agrees with it s own subnet or host ID and encryption and hash 3 > completes IKE negotiation